
docs: Update caching recommendations to mitigate cache poisoning risks#1567

Open
chiranjib-swain wants to merge 1 commit into actions:main from chiranjib-swain:fix/oidc-cache-security

Conversation

@chiranjib-swain

Contributor

Description:
This pull request updates the documentation in docs/advanced-usage.md to clarify and improve guidance around npm package publishing workflows, especially regarding dependency caching. The most important changes focus on reducing security risks by disabling automatic npm dependency caching and providing clear notes about its implications.

Security and caching improvements:

  • Added package-manager-cache: false to all relevant setup-node steps to explicitly disable automatic npm dependency caching and reduce the risk of cache poisoning, which could expose sensitive credentials.
  • Added a prominent note explaining why disabling npm caching is important in publishing workflows, warning that poisoned caches may expose credentials (including OIDC tokens) to attacker-controlled code.

Documentation formatting and clarity:

  • Standardized note formatting for consistency in the documentation.

Related issue:
#1445

Checklist:

  • Mark if documentation changes are required.
  • Mark if tests were added or updated to cover the changes.

Copilot AI review requested due to automatic review settings June 12, 2026 05:47
chiranjib-swain requested a review from a team as a code owner June 12, 2026 05:47

Copilot AI left a comment


Pull request overview

This PR updates docs/advanced-usage.md to strengthen and clarify guidance around npm publishing workflows, specifically to reduce the risk of cache poisoning by disabling setup-node’s automatic npm caching in publishing examples.

Changes:

  • Standardizes a “Note” formatting instance for consistency.
  • Disables automatic npm caching (package-manager-cache: false) in npm publishing workflow examples.
  • Adds a security note explaining why disabling automatic npm caching is recommended in publishing workflows.


Comment thread docs/advanced-usage.md

You must also configure a **Trusted Publisher** in npm for your package/scope that matches your GitHub repository and workflow (and optional environment, if used).

> **Note**: Set `package-manager-cache: false` in publishing workflows because automatic npm caching can activate even without the `cache:` input, and a poisoned cache may expose credentials (including OIDC tokens) to attacker-controlled code.
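The note above says what to set; the added script below is a way to check that a repository's publishing workflows actually follow it. It is an editor's example, not code from actions/setup-node or from this PR, and it assumes the workflow has already been loaded by a YAML parser into plain dicts and lists (the sample workflow, the `actions/setup-node@v5` reference and the job names are constructed). It goes one step beyond the note by also flagging an explicit `cache:` input, since that enables caching as well.

```python
"""Audit GitHub Actions workflow jobs that publish to npm with OIDC while
setup-node may still cache npm dependencies (constructed example, not setup-node code)."""

def audit_workflow(workflow: dict) -> list[str]:
    """One finding per job with id-token: write and an `npm publish` step
    whose setup-node step may read or write the dependency cache."""
    findings = []
    top_perms = workflow.get("permissions") or {}
    for name, job in (workflow.get("jobs") or {}).items():
        perms = job.get("permissions") or top_perms
        if not isinstance(perms, dict) or perms.get("id-token") != "write":
            continue  # no OIDC token minted in this job
        steps = job.get("steps") or []
        if not any("npm publish" in str(s.get("run", "")) for s in steps):
            continue
        for s in steps:
            if not str(s.get("uses", "")).startswith("actions/setup-node"):
                continue
            inputs = s.get("with") or {}
            if "cache" in inputs:  # an explicit cache: input also enables caching
                findings.append(f"{name}: setup-node sets cache: {inputs['cache']!r} in an OIDC publishing job")
                continue
            # Assumption (matches the PR note): caching is automatic unless disabled
            auto = inputs.get("package-manager-cache", True)
            if auto is True or str(auto).strip().lower() == "true":
                findings.append(f"{name}: automatic npm caching still on; set package-manager-cache: false")
    return findings

def _publish_job(setup_inputs: dict) -> dict:
    """Build a constructed OIDC publishing job around the given setup-node inputs."""
    return {
        "permissions": {"id-token": "write", "contents": "read"},
        "steps": [
            {"uses": "actions/checkout@v4"},
            {"uses": "actions/setup-node@v5", "with": {"node-version": "24",
                     "registry-url": "https://registry.npmjs.org", **setup_inputs}},
            {"run": "npm ci"},
            {"run": "npm publish"},
        ],
    }

# Constructed sample, shaped as a YAML parser would load the workflow file
SAMPLE_WORKFLOW = {"jobs": {
    "publish-cached": _publish_job({}),
    "publish-explicit-cache": _publish_job({"cache": "npm"}),
    "publish": _publish_job({"package-manager-cache": False}),
}}
```

Calling `audit_workflow(SAMPLE_WORKFLOW)` reports the first two jobs and stays silent on the third, which sets `package-manager-cache: false` as the note recommends.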
