ci(api-docs): disable uv cache to close cache-poisoning alert (#44) #48

Merged
WomB0ComB0 merged 1 commit into main from fix/api-docs-cache-poisoning
May 10, 2026
@WomB0ComB0 WomB0ComB0 commented May 10, 2026

Summary

Closes code-scanning alert https://github.com/resq-software/pypi/security/code-scanning/44 (zizmor/cache-poisoning) on .github/workflows/api-docs.yml:99.

Why this fires

api-docs.yml triggers on push.tags: 'v*'. The astral-sh/setup-uv@v6 step has GitHub Actions caching enabled by default. An actor able to push tags (legitimately or via a forced/spoofed tag) can populate the runner cache; subsequent runs across the org can then restore from a poisoned cache.

Fix

Set enable-cache: false on the Install uv step. The docs generation runs once per release tag, so cache hits don't justify the exposure.

Follow-up (separate repo)

The header of api-docs.yml declares resq-software/docs:automation/source-repo-templates/api-docs.python.yml as the source-of-truth template. Apply the same enable-cache: false change there so the next sync doesn't reintroduce the default-cached step. Tracking that as a follow-up; not in this PR's scope (different repo).

Validation

$ uvx --from zizmor zizmor .github/workflows/
No findings to report. Good job! (1 ignored, 17 suppressed)

Test plan

  • CI green on this branch
  • After merge: zizmor scan on the merge commit no longer reports cache-poisoning on api-docs.yml:99
  • Alert ci(api-docs): sync workflow from resq-software/docs #44 transitions to fixed automatically
  • Follow-up: mirror the change in resq-software/docs:automation/source-repo-templates/api-docs.python.yml

Summary by CodeRabbit

  • Chores
    • Improved reliability of the automated build pipeline configuration to prevent potential issues during release processes.
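
A regression check for the setting this PR changes, added here as an example (not code from this repository or from zizmor): a stdlib-only, line-based heuristic that flags `astral-sh/setup-uv` steps that do not set `enable-cache: false` in a workflow with a `tags` trigger. The sample workflows are constructed, and `split_steps` and `audit` are hypothetical names.

```python
import re

STEP_START = re.compile(r"^\s*-\s")
USES_UV = re.compile(r"\buses:\s*['\"]?astral-sh/setup-uv@")
CACHE_OFF = re.compile(r"^\s*enable-cache:\s*['\"]?false['\"]?\s*(#.*)?$")
TAGS_KEY = re.compile(r"^\s+tags\s*:")  # heuristic for a push.tags trigger

# Constructed sample, not the repository's actual api-docs.yml.
BEFORE = """\
on:
  push:
    tags: ['v*']
jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install uv
        uses: astral-sh/setup-uv@v6
"""
AFTER = BEFORE + "        with:\n          enable-cache: false\n"

def split_steps(lines):
    """Yield (first_line_no, block_lines) for each '- ' list item, by indentation."""
    start, indent, block = None, None, []
    for no, line in enumerate(lines, 1):
        cur = len(line) - len(line.lstrip())
        if STEP_START.match(line) and (indent is None or cur <= indent):
            if block:
                yield start, block
            start, indent, block = no, cur, [line]
        elif block and (not line.strip() or cur > indent):
            block.append(line)  # continuation of the current item
        elif block:
            yield start, block  # dedent: the list ended
            start, indent, block = None, None, []
    if block:
        yield start, block

def audit(text):
    """Line numbers of setup-uv steps that do not set enable-cache: false
    in a tag-triggered workflow; an empty list means nothing to flag."""
    lines = text.splitlines()
    if not any(TAGS_KEY.match(l) for l in lines):
        return []
    return [start for start, block in split_steps(lines)
            if any(USES_UV.search(l) for l in block)
            and not any(CACHE_OFF.match(l) for l in block)]
```

Run over the source-of-truth template as well as the synced copy, a non-empty result from `audit` marks the step a later sync would reintroduce with the default cache.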

zizmor/cache-poisoning alert #44 fires on the setup-uv step in
api-docs.yml because the workflow triggers on `push.tags: 'v*'`
and setup-uv@v6 enables GitHub Actions caching by default. An
actor with permission to push tags could populate the cache,
which other runs across the org could then restore.

The docs generation runs once per release tag, so cache hits
don't justify the exposure. Disable caching with
`enable-cache: false`.

Source-of-truth template at
resq-software/docs:automation/source-repo-templates/api-docs.python.yml
should receive the same change so the next sync doesn't reintroduce
the default-cached step.
@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

coderabbitai Bot commented May 10, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between e5fd1e2 and 1e184ca.

📒 Files selected for processing (1)
  • .github/workflows/api-docs.yml

📝 Walkthrough

The api-docs GitHub Actions workflow now explicitly disables setup-uv caching by setting enable-cache: false in the astral-sh/setup-uv step. Comments document that this prevents cache poisoning during tag-triggered documentation generation.

Changes

API Docs Workflow Cache Configuration

| Layer / File(s) | Summary |
| --- | --- |
| Cache Disable Configuration: .github/workflows/api-docs.yml | The setup-uv step disables caching with enable-cache: false and comments explaining the cache-poisoning risk for tag-triggered runs. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A cache that poisons, we turn it away,
No stale artifacts on release day,
With false and a comment, clear as can be,
The docs will be fresh, just pristine and free!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title clearly and specifically identifies the main change: disabling uv cache in the api-docs workflow to address a cache-poisoning security alert. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@WomB0ComB0 WomB0ComB0 merged commit de461aa into main May 10, 2026
32 checks passed
@WomB0ComB0 WomB0ComB0 deleted the fix/api-docs-cache-poisoning branch May 10, 2026 16:17