From 1e184ca1eef79c648c060aea13feb4551865d3f3 Mon Sep 17 00:00:00 2001
From: Mike Odnis
Date: Sun, 10 May 2026 10:51:59 -0400
Subject: [PATCH] ci(api-docs): disable uv cache to close cache-poisoning alert (#44)
zizmor/cache-poisoning alert #44 fires on the setup-uv step in api-docs.yml because the workflow triggers on `push.tags: 'v*'` and setup-uv@v6 enables GitHub Actions caching by default. An actor with permission to push tags could populate the cache, which other runs across the org could then restore. The docs generation runs once per release tag, so cache hits don't justify the exposure. Disable caching with `enable-cache: false`. Source-of-truth template at resq-software/docs:automation/source-repo-templates/api-docs.python.yml should receive the same change so the next sync doesn't reintroduce the default-cached step.
---
 .github/workflows/api-docs.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/.github/workflows/api-docs.yml b/.github/workflows/api-docs.yml
index 24173ed..a492924 100644
--- a/.github/workflows/api-docs.yml
+++ b/.github/workflows/api-docs.yml
@@ -96,7 +96,16 @@ jobs:
 python-version: ${{ env.PYTHON_VERSION }}
 - name: Install uv
+ # Caching is disabled to close zizmor/cache-poisoning (alert
+ # #44). This workflow triggers on `push.tags: 'v*'`, so an
+ # actor able to push tags could populate the GitHub Actions
+ # cache; later runs across the org could then restore from a
+ # poisoned cache. setup-uv@v6 enables caching by default, and
+ # the docs generation runs only once per release tag — cache
+ # hits don't justify the exposure here.
 uses: astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04 # v6.0.0
+ with:
+ enable-cache: false
 - name: Install packages + lazydocs into a venv
 # lazydocs imports the packages it documents, so they must
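Review bot: The added comment on the `Install uv` step explains why caching is off but not that the step is synced from a template, so nothing at the step itself stops the next sync from silently restoring the default-cached version the commit message warns about; a one-line pointer after the rationale, `# Keep in sync with resq-software/docs:automation/source-repo-templates/api-docs.python.yml`, would make the constraint visible where it is enforced. The setup-python step whose `python-version:` line opens the hunk lies mostly outside it; if that step passes a `cache:` input, the same tag-triggered cache-poisoning exposure applies there and the commit does not address it, so it is worth confirming. As a point of style, the seven-line rationale largely repeats the commit message and could be reduced to the alert reference and the one-sentence reason, leaving the full history to the commit.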