Skip to content

GH Actions: avoid cache poisoning#434

Merged
jrfnl merged 1 commit intotrunkfrom
JRF/ghactions-deploy-dont-use-cached-state
Dec 31, 2025
Merged

GH Actions: avoid cache poisoning#434
jrfnl merged 1 commit intotrunkfrom
JRF/ghactions-deploy-dont-use-cached-state

Conversation

@jrfnl
Copy link
Copy Markdown
Contributor

@jrfnl jrfnl commented Dec 31, 2025

Context

  • Improve CI security

Summary

This PR can be summarized in the following changelog entry:

  • Improve CI security

Relevant technical choices:

Caching and restoring build state is a process eased by utilities provided by GitHub, in particular actions/cache and its "save" and "restore" sub-actions. In addition, many of the setup-like actions provided by GitHub come with built-in caching functionality, like actions/setup-node, actions/setup-java and others.

This vulnerability happens when release workflows leverage build state cached from previous workflow executions, in general on top of the aforementioned actions or similar ones. The publication of artifacts usually happens driven by trigger events like release or events with path filters like push (e.g. for tags).

In such scenarios, an attacker with access to a valid GITHUB_TOKEN can use it to poison the repository's GitHub Actions caches. That compounds with the default behavior of actions/toolkit during cache restorations, allowing an attacker to retrieve payloads from poisoned cache entries, hence achieving code execution at Workflow runtime, potentially compromising ready-to-publish artifacts.

This commit removes the use of cached build states from the deploy workflow.

Refs:

Test instructions

Test instructions for the acceptance test before the PR gets merged

This PR can be acceptance tested by following these steps:

  • N/A

@jrfnl
GH Actions: avoid cache poisoning
ddd1f1b 
> Caching and restoring build state is a process eased by utilities provided by GitHub, in particular actions/cache and its "save" and "restore" sub-actions. In addition, many of the setup-like actions provided by GitHub come with built-in caching functionality, like actions/setup-node, actions/setup-java and others.
>
> This vulnerability happens when release workflows leverage build state cached from previous workflow executions, in general on top of the aforementioned actions or similar ones. The publication of artifacts usually happens driven by trigger events like release or events with path filters like push (e.g. for tags).
>
> In such scenarios, an attacker with access to a valid GITHUB_TOKEN can use it to poison the repository's GitHub Actions caches. That compounds with the default behavior of actions/toolkit during cache restorations, allowing an attacker to retrieve payloads from poisoned cache entries, hence achieving code execution at Workflow runtime, potentially compromising ready-to-publish artifacts.

This commit removes the use of cached build states from the `deploy` workflow.

Refs:
* https://docs.zizmor.sh/audits/#cache-poisoning
* https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/
* https://adnanthekhan.com/2024/12/21/cacheract-the-monster-in-your-build-cache/
@jrfnl jrfnl added this to the 4.6 milestone Dec 31, 2025
@jrfnl jrfnl merged commit 9e3e1a9 into trunk Dec 31, 2025
7 checks passed
@jrfnl jrfnl deleted the JRF/ghactions-deploy-dont-use-cached-state branch December 31, 2025 19:53
@jrfnl jrfnl mentioned this pull request Jan 2, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

changelog: non-user-facing yoast cs/qa

Projects

None yet

Milestone

4.6

Development

Successfully merging this pull request may close these issues.

1 participant

@jrfnl