Disable caching in release workflow#59
Conversation
zizmor flags cache-poisoning in workflows that publish artifacts: a poisoned cache entry restored during a release run could taint the published package. Disable mise's cache and setup-node's package manager cache in release.yml. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
📝 WalkthroughWalkthroughThe release workflow disables caching in the build and publish jobs. The build job disables mise caching, while the publish job disables both mise caching and Node package manager caching to ensure fresh tool and dependency resolution during release builds. ChangesCI Cache Disabling in Release Workflow
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release.yml:
- Around line 22-23: The build job currently forces cache: false under the
"with" block which disables caching for all workflow events; update the workflow
so the build job does not unconditionally disable cache — either remove the
cache: false key from the build job's "with" block or make it conditional based
on the GitHub event (e.g., only disable cache for release events) so that normal
pull_request/push runs keep caching while release runs can opt out; target the
"build" job configuration and the "with: cache" setting in
.github/workflows/release.yml when making this change.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 114ff123-10d8-48fd-8143-41c9e47492ec
📒 Files selected for processing (1)
.github/workflows/release.yml
zizmor reports
cache-poisoningfindings forrelease.yml(it has arelease: publishedtrigger and publishes to npm): a poisoned cache entry restored during a release run could taint the published package. This disables mise's cache and setup-node's package-manager cache in that workflow.This also closes the open zizmor code-scanning alerts on
release.yml, which fail the code-scanning check on any PR touching those lines (as happened on the Dependabot mise-action bump in #58).🤖 Generated with Claude Code
Summary by CodeRabbit