Describe the enhancement
Workflows that use actions/cache and are triggered by both push and pull_request (or schedule) may be susceptible to cache poisoning. The recommended mitigation is to use actions/cache/restore (read-only) in PR-triggered runs and only allow cache writes from trusted branches.
This affects 28 cache steps across:
.github/workflows/cpp.yml
.github/workflows/cpp_extra.yml
.github/workflows/cuda_extra.yml
.github/workflows/dev.yml
.github/workflows/docs.yml
.github/workflows/integration.yml
.github/workflows/matlab.yml
.github/workflows/package_linux.yml
Component(s)
Continuous Integration
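The mitigation described above, sketched as an added example (a constructed workflow, not taken from the project's own files). The job name, cache path, key, build command and the trusted branch name `main` are assumptions for illustration.

```yaml
# Constructed example: split actions/cache into restore + guarded save.
name: build
on:
  push:
    branches: [main]        # assumed trusted branch
  pull_request:
  schedule:
    - cron: "0 3 * * *"

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Before: a single step that restores the cache and, in its post
      # step, also saves it, whatever event triggered the run.
      # - uses: actions/cache@v4
      #   with:
      #     path: ~/.cache/ccache
      #     key: ccache-${{ runner.os }}-${{ hashFiles('**/CMakeLists.txt') }}

      # After: every trigger restores read-only.
      - name: Restore cache (read-only)
        id: cache
        uses: actions/cache/restore@v4
        with:
          path: ~/.cache/ccache
          key: ccache-${{ runner.os }}-${{ hashFiles('**/CMakeLists.txt') }}
          restore-keys: |
            ccache-${{ runner.os }}-

      - name: Build
        run: ./ci/build.sh   # hypothetical build script

      # Only pushes to the trusted branch write the cache, and only when
      # the primary key was not already present.
      - name: Save cache (trusted branch only)
        if: >-
          github.event_name == 'push' &&
          github.ref == 'refs/heads/main' &&
          steps.cache.outputs.cache-hit != 'true'
        uses: actions/cache/save@v4
        with:
          path: ~/.cache/ccache
          key: ${{ steps.cache.outputs.cache-primary-key }}
```

With this split, `pull_request` and `schedule` runs never reach the save step, so each of the 28 affected cache steps would need the same restore/save pairing.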