Help Us Improve GitHub Actions Cache Isolation 🔧 #194493

samus-aran · 2026-05-01T11:21:10Z

samus-aran
May 1, 2026
Maintainer

Actions Cache

TLDR;

We’re exploring a new cache-mode setting for GitHub Actions Cache at the workflow and job level.
The goal is to reduce cache poisoning risk while keeping today’s behavior as the default.
Proposed values: write, read, and none.
We’re looking for feedback on naming, usability, migration, and visibility.

Hi everyone 👋

We are exploring a change to GitHub Actions Cache and we want your opinion before we finalize the design. This post focuses on the first phase of work. Please share thoughts, concerns, and alternatives in the comments.

The problem

If you use GitHub Actions Cache today, every workflow that runs on your repository can write to the same shared cache namespace for a branch. That includes workflows triggered by pull requests, issue comments, scheduled jobs, and AI or agent driven workflows that may execute untrusted input.

Note on existing protections. Actions Cache already enforces some scoping rules today. In particular, a workflow run from a pull request branch cannot read or overwrite cache entries on a protected base branch such as main. See Restrictions for accessing a cache for the current behavior. The proposal in this document is about giving workflow authors an explicit, declarative control on top of those existing scoping rules, so a workflow can opt out of cache writes (or cache access entirely) regardless of trigger.

The cache credential (ACTIONS_RUNTIME_TOKEN) is handed to every workflow run automatically. It is issued independently of:

the permissions: block on your workflow or job,
the secrets you have or have not exposed,
the runner you choose, and
any other workflow hardening you have already done.

That means a workflow you consider untrusted can still place content into the cache (within the scoping rules linked above). A later workflow you consider trusted, such as your release pipeline, may then restore that content as part of its build. The workflow ends up consuming inputs it never produced and never reviewed.

The customer impact:

Your release builds can be influenced by code paths you never intended to trust.
Build attestations such as SLSA provenance or Sigstore signatures still pass, because the build ran where and when you said it would. They do not detect that the inputs were tampered with through the cache.
You currently have no workflow level switch to say "this workflow is allowed to read cache but not write it" or "this workflow should not touch the cache at all."
Independent security research by Adnan Khan has documented how these scoping rules can still be bypassed in practice — see CI/CD Pipeline Cache Poisoning and Compromising Angular via the Dev Infrastructure for concrete examples. This proposal gives workflow authors an explicit, declarative control on top of those existing scoping rules.

We want to close that gap, and we want to do it in a way that does not break the workflows you have today.

What we are proposing

A new key called cache-mode that you can set at the workflow level, the job level, or both. It accepts three values:

Value	Behavior
`write`	Restore and save are both allowed. This is the current behavior and remains the default.
`read`	Restore is allowed. Save is rejected by the cache service.
`none`	No cache access at all.

Key properties of the proposal:

Default stays as write. Nothing changes for existing workflows unless you opt in.
Job level overrides workflow level. You can set a safe default for the whole workflow and relax or tighten it on specific jobs.
Enforcement happens in the cache service. When cache-mode is read or none, the runtime token issued for the job carries restricted cache claims. The cache service validates them. No action, script, or step can bypass the declared mode.
Existing branch scoping is preserved. This proposal layers on top of the existing cache scoping rules; it does not loosen them.
Runtime signals are exposed so workflow authors and action authors can adapt:
- Expression context: job['cache-mode'] (use bracket syntax because the key contains a hyphen)
- Environment variable: ACTIONS_CACHE_MODE with value read, write, or none

Setup actions such as actions/setup-node or actions/setup-python can read ACTIONS_CACHE_MODE during their post job step and skip the tar and compression work entirely when writes are not allowed, so you do not pay for I/O you cannot use and you do not see confusing authorization errors in your logs.

Example workflows

Scenario 1. Workflow level default of `read` for a pull request check

File: .github/workflows/pr-check.yml

name: PR Check
on: pull_request

# This whole workflow can restore from cache but cannot write to it.
cache-mode: read

jobs:
  pr-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      - run: npm test

Scenario 2. A single job overrides the workflow default to `none`

File: .github/workflows/pr-check-isolated.yml

name: PR Check (isolated job)
on: pull_request

cache-mode: read

jobs:
  pr-check:
    runs-on: ubuntu-latest
    # This job runs untrusted input. Give it no cache access at all.
    cache-mode: none
    steps:
      - uses: actions/checkout@v6
      - run: ./scripts/run-untrusted.sh

Scenario 3. Trusted release job explicitly opts into `write`

File: .github/workflows/release.yml

name: Release
on:
  push:
    branches: [main]
  workflow_dispatch:

# Default the workflow to read only...
cache-mode: read

jobs:
  build:
    runs-on: ubuntu-latest
    # ...but allow the release build to populate the cache.
    cache-mode: write
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      - run: npm run build
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Scenario 4. Runtime detection for conditional cache saves

File: .github/workflows/conditional-save.yml

name: Build with conditional cache save
on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - id: cache-restore
        uses: actions/cache/restore@v6
        with:
          path: ~/.cache/build
          key: build-${{ hashFiles('**/lockfile') }}

      - run: ./scripts/build.sh

      # Only attempt to save when this job is actually allowed to write.
      # Note: bracket syntax is required because the key contains a hyphen.
      - if: ${{ job['cache-mode'] == 'write' }}
        uses: actions/cache/save@v4
        with:
          path: ~/.cache/build
          key: build-${{ hashFiles('**/lockfile') }}

Scenario 5. Agentic Workflows that should never write cache

GitHub recommends running AI agents inside Agentic Workflows rather than wiring "naked" agents directly into ordinary workflows triggered by issue_comment or similar events. Agentic Workflows already provide isolation and policy controls for untrusted natural language input. cache-mode: none is a complementary defense in depth: even an Agentic Workflow that would not normally need cache access can declare it explicitly, so the cache surface is removed entirely from the agent's environment.

File: .github/workflows/agentic.yml

name: Agentic Workflow
on: workflow_dispatch

# Defense in depth: this workflow has no business touching shared cache.
cache-mode: none

jobs:
  agent:
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - uses: actions/checkout@v6
      - run: ./scripts/run-agent.sh

Questions we want your opinion on

Naming. Is cache-mode the clearest name, or is there a name that would communicate the intent better? What alternatives have you considered?
Values. Are read, write, and none the right set, or do you need finer granularity such as per key or per scope rules?
Action authors. If you maintain a setup or cache style action, is reading ACTIONS_CACHE_MODE in your post job step workable for you? What is missing, awkward, or duplicative with what you already do?
Visibility. How (if at all) would you want the effective cache-mode surfaced outside the workflow file, for example in run summaries, the API, or audit logs? What problem would that solve for your team, and where would extra surface area get in the way?
Migration. What does adoption look like in your repos today? Are there workflows where you would not adopt this even if it were available, and why? What tooling, defaults, or guidance (if any) would change that calculus?

Note

Phase 1 only ships the workflow level cache-mode key, which means any author can opt in today without admin involvement. We know that to make read a secure default across an org or enterprise, admins also need a policy control. Something like a per org default value plus an allow list of repos or workflows that may declare write. We are intentionally scoping that out of Phase 1 so we can get the workflow contract right first, but we want your input on what that policy surface should look like. See question 6 below.

If something here does not match how your team uses Actions Cache, we want to hear it. The goal of Phase 1 is to give you a switch you can use today without forcing changes on anyone who is happy with the current behavior.

Thanks for reading 🙏

AdnaneKhan · 2026-05-04T21:49:23Z

AdnaneKhan
May 4, 2026

This is a great start!

Some feedback:

Please allow repository or organization administrators to set repository level default cache modes and expose this setting via an API. If the workflow does not configure a setting, then the workflow uses this repository level value. This makes it easier to cut down on risk on non-caching workflows being able to poison caches because someone back-doored an upstream.
The options should be: read, write (ONLY write, does not have a restore hit), read-write, and none.

If a workflow has a setting like the one in the example then a nightly build that uses cache write (common and probably desired) could end up poisoning a workflow such as the below.

   runs-on: ubuntu-latest
    # ...but allow the release build to populate the cache.
    cache-mode: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      - run: npm run build
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

To encourage true SLSA L3 compliance the guidance for publication should be to not use caching or use it in write mode. Even better? The NPM CLI should create a warning when it is publishing to NPM in a workflow with cache consumption & the workflow had a cache hit prior.

The cache mode should be included in Sigstore transparency logs (so part of the JWT) so downstream users can easily verify the cache exposure risk of packages published to registries with provenance.

5 replies

Steve-Glass May 5, 2026
Collaborator

Please allow repository or organization administrators to set repository level default cache modes and expose this setting via an API. If the workflow does not configure a setting, then the workflow uses this repository level value. This makes it easier to cut down on risk on non-caching workflows being able to poison caches because someone back-doored an upstream.

Agree and policy is definitely a priority for later phases. Scoping that for the upcoming planning cycle, but our goal is to ship this proposal first and incrementally improve.

The options should be: read, write (ONLY write, does not have a restore hit), read-write, and none.

Makes sense 😄

The cache mode should be included in Sigstore transparency logs (so part of the JWT) so downstream users can easily verify the cache exposure risk of packages published to registries with provenance.

Appreciate the feedback here. Will dig into ☝️

gregose May 7, 2026

To encourage true SLSA L3 compliance the guidance for publication should be to not use caching or use it in write mode.

@AdnaneKhan thanks for highlighting the use case for a discrete write-only permission. Previously, I had been focused on the none/read isolation set on untrusted workflows to prevent escalation. However, as you point out, instead of relying on all less-trusted workflows setting read or none, you can get this guarantee by disabling read on the privileged workflow. Without a discrete write and read-write permission, there may be some sensitive workflows wouldn't be able to get this isolation if they need write only cache access. Thanks again for all of your contributions to this vulnerability space!

ericsciple May 7, 2026

@AdnaneKhan can you help me understand a concrete scenario for a write-only token?

AdnaneKhan May 11, 2026

@ericsciple certainly!

The use case I envision for a write-only token is a repository that performs releases from the main (or other default) branch along with strict pull request approval requirements and deployment environment controls. This workflow could set a "golden cache" entry that nightly workflows, pull requests, etc. have cache hits from.

Write-only cache permissions won't be perfect for every use case; but this approach (when deployed properly) would allow teams to have similar integrity assurance for their main branch caches as they do for release artifacts.

Additionally; I hope GitHub considers a more aggressive approach to cache security for public repositories by defaulting to no caching after a period of time. Perhaps after 6 months any workflows without cache permissions set would default to no cache access. Otherwise the problem never really goes away because LLMs generate workflows without caching, they work fine, and these risks continue.

ericsciple May 12, 2026

@AdnaneKhan I'm wondering if CI on main would typically read/write the cache instead. Updating the cache on main CI would produce a better cache hit for PRs, rather than waiting for a release to update the cache.

pinfloyd · 2026-05-04T22:28:52Z

pinfloyd
May 4, 2026

This looks like the right direction.

One framing that may help: cache access is not only a performance feature. It is an execution authority surface. If a workflow can write to a shared cache, it can influence future executions that may run in a more trusted context. That means cache-mode is effectively part of the authority granted to the workflow before execution starts.
From that angle, I think read, write, and none are useful, but I would strongly consider separating “restore” and “save” semantics explicitly. A workflow that can save but not restore is not the same risk profile as one that can restore and save. I also agree with exposing the effective cache mode outside the workflow file. For provenance, audit, and downstream verification, it would be useful to know whether a published artifact was built after consuming cache, writing cache, or with cache fully disabled.

So my main suggestion is:

make the effective cache authority visible before execution and record it after execution. That would make cache-mode not just a workflow option, but a pre-execution admission signal for whether this run should be allowed to interact with shared cache at all.

0 replies

jsoref · 2026-05-05T03:16:21Z

jsoref
May 5, 2026

This is off-topic, but please note that your examples are pinned to checkout@v4 just like actions/starter-workflows: https://github.com/search?q=repo%3Aactions%2Fstarter-workflows+checkout%40v&type=code -- it's a great example of github poisoning everyone's cache by pinning garbage.

The actions team could do the world a service by fixing the starter-workflows repository to be remotely current. Then fewer people would pay money to run dependabot to update to remotely current versions of things like actions/checkout. And similarly, Agents would be less inclined to suggest using actions/checkout@v4 (which they regularly do).

0 replies

jsoref · 2026-05-05T03:16:25Z

jsoref
May 5, 2026

The idea of a none is welcome. I'd rather cache or caching than cache-mode if only to avoid having to use ['cache-mode'] which is such a PITA.

cache: readable | writable | none

Not using read / write helps avoid confusion with permissions fields as this isn't a permissions field.

Personally, I've removed all use of cache from my action a long time ago because it's too dangerous and the speedup it gets wasn't worth the risk it introduced. (For bigger systems, the problem is more interesting.)

In general, I don't think I like the cache model at all. Unless I can access the contents of the cache to inspect it later, it's useless to me. And the core problem w/ the cache is that people can flush it and race it and things. My approach has been to use persistent stores instead because those give me the properties I care about. -- I can achieve more of that today by using immutable releases and just making a releases out of any artifact I want to reuse.

If you have time to work on cache, please provide a way to download the cache Add a way to download github actions caches cli/cli#9125 (preferably from the web ui, not something that requires gh).

0 replies

hardikkaurani · 2026-05-07T17:03:04Z

hardikkaurani
May 7, 2026

This is a really valuable improvement direction, especially for supply-chain security and reproducible CI/CD pipelines.

One additional improvement that could help significantly is adding cache provenance visibility. Right now, workflows can restore caches without clearly showing:
• which workflow originally created the cache
• which branch populated it
• whether the cache came from a trusted or untrusted context

Having that metadata exposed directly in workflow logs or the Actions UI would make debugging and trust decisions much easier.

I also strongly agree with the concern around cache poisoning risks in release or publishing workflows. In many projects, caches are restored before publishing artifacts or packages, which can become risky if upstream dependencies or cache writers are compromised.

GitHub’s current cache documentation already mentions branch-scoped behavior, but more granular trust controls would be extremely useful:
https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows

Some ideas that could improve this further:
• allow restoring caches only from protected branches
• separate cache trust policies for fork PRs
• workflow-level cache isolation
• organization-wide cache policy defaults
• warnings when cache restore + package publishing happen in the same workflow

Another useful enhancement could be exposing cache provenance through the API, similar to artifact metadata, which would help larger organizations audit CI behavior more effectively.

From a SLSA and software supply-chain perspective, this direction makes a lot of sense:
https://slsa.dev/

Overall, this looks like a strong step toward safer and more predictable GitHub Actions caching behavior.

0 replies

hardikkaurani · 2026-05-07T17:22:25Z

hardikkaurani
May 7, 2026

This is a really valuable improvement direction, especially from a supply-chain security and CI integrity perspective.

One thing that could improve this proposal even further is adding cache provenance visibility directly inside the Actions UI and API. Right now, when a workflow restores a cache, there is very little visibility into:
• which workflow originally created the cache
• which branch or trigger populated it
• whether the cache came from a trusted or untrusted execution context
• when the cache was last modified

Exposing that metadata would make debugging and trust decisions significantly easier for maintainers and security teams.

I also strongly agree with the concern around cache poisoning risks in publishing and release workflows. Many projects restore dependency caches before publishing artifacts or packages, and that can become dangerous if less-trusted workflows are able to influence shared cache state.

The proposed direction of separating cache authority from general workflow permissions makes a lot of sense. In practice, cache access behaves more like an execution trust boundary than just a performance optimization feature.

Some additional ideas that could strengthen this further:
• allow restoring caches only from protected branches
• organization-wide default cache policies
• separate cache trust behavior for fork PR workflows
• cache provenance visibility in workflow summaries
• audit log support for cache writes/restores
• warnings when package publishing occurs after restoring shared caches

It may also be useful to expose cache provenance information through the API, similar to artifacts metadata, so larger organizations can audit CI behavior programmatically.

Relevant references:
https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows
https://slsa.dev/

Overall, this feels like a strong step toward safer and more predictable GitHub Actions caching behavior without breaking existing workflows.

0 replies

wrslatz · 2026-05-12T02:10:03Z

wrslatz
May 12, 2026

A couple quick points

maybe cache-permission or cache-access would be clearer than cache-mode, though not by much
being able to restrict workflows further to accessing specific cache keys, both read and write, would add an extra layer of security support when needed

0 replies

Help Us Improve GitHub Actions Cache Isolation 🔧 #194493

Uh oh!

Uh oh!

samus-aran May 1, 2026 Maintainer

Actions Cache

The problem

What we are proposing

Example workflows

Scenario 1. Workflow level default of read for a pull request check

Scenario 2. A single job overrides the workflow default to none

Scenario 3. Trusted release job explicitly opts into write

Scenario 4. Runtime detection for conditional cache saves

Scenario 5. Agentic Workflows that should never write cache

Questions we want your opinion on

Replies: 7 comments · 5 replies

Uh oh!

Uh oh!

Uh oh!

Steve-Glass May 5, 2026 Collaborator

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

samus-aran
May 1, 2026
Maintainer

Scenario 1. Workflow level default of `read` for a pull request check

Scenario 2. A single job overrides the workflow default to `none`

Scenario 3. Trusted release job explicitly opts into `write`

Replies: 7 comments 5 replies

Steve-Glass May 5, 2026
Collaborator