-
Notifications
You must be signed in to change notification settings - Fork 0
chore(ci): bump actions/setup-go from 5 to 6 #63
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
dependabot
wants to merge
1
commit into
main
Choose a base branch
from
dependabot/github_actions/actions/setup-go-6
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🧩 Analysis chain
🏁 Script executed:
Repository: AIX-Format/PiWorker-OS
Length of output: 1785
🏁 Script executed:
Repository: AIX-Format/PiWorker-OS
Length of output: 109
🏁 Script executed:
Repository: AIX-Format/PiWorker-OS
Length of output: 2075
🏁 Script executed:
Repository: AIX-Format/PiWorker-OS
Length of output: 5432
🌐 Web query:
actions/setup-go cache-dependency-path cache poisoning pull_request from forks write to cache💡 Result:
Summary: In GitHub Actions, cache poisoning becomes practical when untrusted code (e.g., from a forked PR) can write to the same cache entries that a more-privileged workflow later restores. Two key pieces matter for your query (setup-go + pull_request from forks + write to cache). 1) What actions/setup-go does with cache-dependency-path - actions/setup-go has built-in caching for “Go modules and build outputs”. Caching is enabled by default via its
cacheinput; you can disable it withcache: false.[1] - The cache key includes hashes of dependency files. By default, it looks forgo.modand uses its hash as part of the cache key; to usego.sum(or other files), setcache-dependency-path(supports glob patterns).[1] 2) Whether forked pull_request workflows can write to caches used elsewhere - GitHub Docs warn not to store sensitive information in caches because “Anyone with read access can create a pull request on a repository and access the contents of a cache” and “forks of a repository can create pull requests on the base branch and access caches on the base branch.”[2] - GitHub Docs also describe cache scope behavior specifically for PRs: when a workflow run is triggered for a pull request, the cache is created for the merge ref (refs/pull/.../merge), so it “can only be restored by re-runs of the pull request” and “cannot be restored by the base branch or other pull requests targeting that base branch.”[2] - Implication: with the normalpull_requestevent (and the typical security model), PR-created caches should not be a simple “write once, poison later in main” channel, because of that limited scope.[2] 3) The main way “write to cache from forks” becomes dangerous: pull_request_target - The practical “poison the cache for a later trusted run” pattern appears when workflows are triggered withpull_request_target, because it runs in the context of the base repository (so the attacker’s code can execute with base-repo permissions, including the ability to interact with cache). This is described in the TanStack cache poisoning write-up: the attack usedpull_request_targetinstead ofpull_request, noting that it runs in the context of the base repository and “can access secrets and can write to the Actions cache — even from a forked PR.”[3] 4) Mitigations that follow from the above (what to do for setup-go caching) - Security conservative mitigation: disable setup-go caching in workflows that may execute untrusted code (especially anything resemblingpull_request_target). This is explicitly recommended/implemented in a GitHub change: “disable Go module cache in agentic setup actions to prevent cache poisoning”, changingactions/setup-gousage to setcache: false(because caching enabled by default exposes a cache poisoning vector).[4] - If you need caching, isolate by context: GitHub’s cache poisoning guidance emphasizes preventing untrusted PR workflows from writing to caches used by privileged/release pipelines; one key rule is to “separate caches” so PR workflows cannot overwrite what release workflows will restore.[5] - Use restore-only patterns when appropriate: actions/cache providesactions/cache/restorethat restores but does not save (so it’s “granular ability to restore a cache without having to save it”).[6] (Separating restore and save reduces write capability from untrusted contexts.) Concrete answer to your query terms - cache-dependency-path: controls what dependency file(s) are hashed for the setup-go cache key (default usesgo.modhash; you can point it atgo.sumviacache-dependency-path).[1] - pull_request from forks write to cache: under normalpull_requestscope rules, PR-created caches are tied torefs/pull/.../mergeand aren’t restorable by base branch or other PRs, so “write to cache then have main restore it” is not straightforward.[2] - However, withpull_request_target(base repo context), forked PR code can gain access that enables cache poisoning/write scenarios.[3] Recommended workflow guidance (short) - For workflows that may run untrusted PR code (particularly anything usingpull_request_target), setcache: falseon actions/setup-go.[4][1] - For trusted workflows (main/release), you can keep caching enabled, but ensure untrusted workflows never have permission or execution context that allows them to save/poison the same cache keys that trusted workflows restore.[5][3]Citations:
Pin
actions/setup-goto an immutable commit SHA (mutable@v6in two steps).uses: actions/setup-go@v6is a mutable reference and weakens CI supply-chain integrity; pin to a full commit SHA in both thebuildandcontract-testsjobs.Suggested hardening diff
pull_request(notpull_request_target), so cross-branch cache poisoning is less straightforward; if your policy treats PR caches as untrusted, consider settingcache: falseforpull_request.🧰 Tools
🪛 zizmor (1.25.2)
[error] 57-57: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 57-57: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default
(cache-poisoning)
🤖 Prompt for AI Agents