From 6eacee21899f6bcb715063f33e78d089272feed3 Mon Sep 17 00:00:00 2001
From: Mariell Hoversholm
Date: Fri, 3 Oct 2025 10:33:19 +0200
Subject: [PATCH] fix(ci): prevent cache poisoning
---
 .github/workflows/build-plugin.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build-plugin.yaml b/.github/workflows/build-plugin.yaml
index d0abc218..c427a3e5 100644
--- a/.github/workflows/build-plugin.yaml
+++ b/.github/workflows/build-plugin.yaml
@@ -33,9 +33,11 @@ jobs:
 with:
 persist-credentials: false
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@v5
 with:
 node-version-file: .nvmrc
+ # Releases should be isolated. PRs can poison the cache.
+ package-manager-cache: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} # zizmor: ignore[cache-poisoning] # zizmor is wrong now
 - run: yarn install --frozen-lockfile
 - run: yarn run build
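Review bot: The trailing `# zizmor is wrong now` on the `package-manager-cache` line suppresses the cache-poisoning finding without recording why, and the comment above it talks about releases while the expression only tests for a push to `refs/heads/master`. As written, pull-request runs and tag or release-event runs skip the package-manager cache, but a push to master still restores and saves it; if this workflow publishes from master pushes (the `on:` triggers and any later steps are outside the hunk), that run is not isolated from the cache. I would state the assumption in the comment, e.g. `# Cache only on trusted pushes to master; PR and release runs neither restore nor save it.`, and give that as the reason next to `zizmor: ignore[cache-poisoning]` so the suppression can be re-checked when the triggers change. Pinning `actions/setup-node` to a full commit SHA (`actions/setup-node@<full-commit-sha> # v5`) rather than the mutable `v5` tag would also keep this major-version bump reviewable.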