From 8a88e9f3331dae2c23ea2dccb6b67b04671dcf26 Mon Sep 17 00:00:00 2001
From: Salman Chishti <13schishti@gmail.com>
Date: Mon, 9 Mar 2026 05:35:59 -0700
Subject: [PATCH 1/2] feat: add cache-write input for read-only cache mode
Add a 'cache-write' input (default: true) that controls whether the cache is saved at the end of the workflow. When set to 'false', the action will restore cached dependencies but skip saving, providing a read-only cache mode. This is useful for preventing cache poisoning attacks from untrusted PR builds while still benefiting from cached dependencies.
---
 action.yml | 3 +++
 dist/cache-save/index.js | 5 +++++
 src/cache-save.ts | 6 ++++++
 3 files changed, 14 insertions(+)
diff --git a/action.yml b/action.yml
index 7a9a7b634..29e8d1acc 100644
--- a/action.yml
+++ b/action.yml
@@ -20,6 +20,9 @@ inputs:
 default: ${{ github.server_url == 'https://github.com' && github.token || '' }}
 cache-dependency-path:
 description: "Used to specify the path to dependency files. Supports wildcards or a list of file names for caching multiple dependencies."
+ cache-write:
+ description: "Whether to save the cache at the end of the workflow. Set to false for cache read-only mode, useful for preventing cache poisoning from untrusted PR builds."
+ default: true
 update-environment:
 description: "Set this option if you want the action to update environment variables."
 default: true
diff --git a/dist/cache-save/index.js b/dist/cache-save/index.js
index 8625e0833..3c47080f1 100644
--- a/dist/cache-save/index.js
+++ b/dist/cache-save/index.js
@@ -44170,6 +44170,11 @@ const cache_distributor_1 = __nccwpck_require__(92326); // https://github.com/actions/cache/pull/1217 async function run(earlyExit) { try { + const cacheWriteEnabled = core.getInput('cache-write'); + if (cacheWriteEnabled === 'false') { + core.info('Cache write is disabled (read-only mode). Skipping cache save.'); + return; + } const cache = core.getInput('cache'); if (cache) { await saveCache(cache);
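Review bot: The `cache-write` description in action.yml presents the input as a cache-poisoning defence without stating what it covers. As the src/cache-save.ts change in this patch shows, only the exact string `false` skips the save step, and per the commit message restore still runs, so a job in read-only mode keeps consuming whatever cache already exists. I would extend the description with `Only the value 'false' disables saving; restoring from the cache is unaffected.` Because `default: true` leaves writes on, it would also help to state that workflows running untrusted pull-request code have to set the input explicitly.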
diff --git a/src/cache-save.ts b/src/cache-save.ts
index abeef2f30..a036fa361 100644
--- a/src/cache-save.ts
+++ b/src/cache-save.ts
@@ -9,6 +9,12 @@ import {State} from './cache-distributions/cache-distributor';
 // https://github.com/actions/cache/pull/1217
 export async function run(earlyExit?: boolean) {
 try {
+ const cacheWriteEnabled = core.getInput('cache-write');
+ if (cacheWriteEnabled === 'false') {
+ core.info('Cache write is disabled (read-only mode). Skipping cache save.');
+ return;
+ }
+
 const cache = core.getInput('cache');
 if (cache) {
 await saveCache(cache);
From b5284171bb355255370814377fe050263b856f78 Mon Sep 17 00:00:00 2001
From: Salman Chishti <13schishti@gmail.com>
Date: Mon, 9 Mar 2026 07:11:12 -0700
Subject: [PATCH 2/2] style: run prettier on cache-save.ts
---
 src/cache-save.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/cache-save.ts b/src/cache-save.ts
index a036fa361..d195c8213 100644
--- a/src/cache-save.ts
+++ b/src/cache-save.ts
@@ -11,7 +11,9 @@ export async function run(earlyExit?: boolean) {
 try {
 const cacheWriteEnabled = core.getInput('cache-write');
 if (cacheWriteEnabled === 'false') {
- core.info('Cache write is disabled (read-only mode). Skipping cache save.');
+ core.info(
+ 'Cache write is disabled (read-only mode). Skipping cache save.'
+ );
 return;
 }
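Review bot: The new guard in `run()` (src/cache-save.ts, added in PATCH 1/2 and only re-wrapped in 2/2) compares the raw input with the literal `'false'`, so any other spelling such as `False` or `FALSE`, or a typo, leaves cache saving enabled. For an input meant to limit cache poisoning that fails open; parsing it as a boolean, `if (!core.getBooleanInput('cache-write')) {`, accepts the YAML boolean spellings and throws on anything else instead of silently saving. That throw would land in the enclosing `catch`, which lies outside the hunk, so its handling should be confirmed. `cacheWriteEnabled` also holds a string rather than a boolean, and the diffstat lists no test file; a test asserting that `saveCache` is not called when the input is `false` would pin the behaviour.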