actions/cache
2
0
Fork 0
mirror of https://github.com/actions/cache.git synced 2026-06-06 17:14:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: add path validation options to restore action

Browse source
This commit is contained in:
Jason Ginchereau 2026-05-18 12:28:44 -10:00
parent 27d5ce7f10
commit dabc4c2ca1
25 changed files with 201047 additions and 164350 deletions
Download patch file Download diff file Expand all files Collapse all files

5
restore/README.md
View file

@ -11,6 +11,11 @@ The restore action restores a cache. It works similarly to the `cache` action ex
* `restore-keys` - An ordered list of prefix-matched keys to use for restoring stale cache if no cache hit occurred for key.
* `fail-on-cache-miss` - Fail the workflow if cache entry is not found. Default: `false`
* `lookup-only` - If true, only checks if cache entry exists and skips download. Default: `false`
* `strict-paths` - Client-side path-validation strictness applied when extracting a restored cache. Helps protect against some forms of cache poisoning attacks. Valid values:
* `off` - Disable path validation entirely (legacy behavior). Skipping validation may slightly improve performance for very large cache archives, but is not recommended for best security.
* `warn` *(current default)* - Pre-scan the archive and emit a workflow warning if any entry would resolve outside the declared `path` inputs. The cache is still extracted.
* `error` *(future default)* - Pre-scan the archive and reject it (without extracting) if any entry would resolve outside the declared `path` inputs.
* `fail-on-cache-invalid` - Fail the workflow when a restored cache is rejected by client-side validation (entries that escape the declared paths, or an archive that cannot be parsed). Only applies when `strict-paths: error` is set; the `off` and `warn` modes never reject a cache. When `false` (default) the rejected cache is treated as a cache miss.
### Outputs

17
restore/action.yml
View file

@ -23,6 +23,23 @@ inputs:
description: 'Check if a cache entry exists for the given input(s) (key, restore-keys) without downloading the cache'
default: 'false'
required: false
strict-paths:
description: |
Controls client-side validation of cache archive entry paths before extraction.
'off' disables validation (legacy behavior). 'warn' logs a single warning when any
entry would resolve outside the declared `path` inputs and still extracts the cache.
'error' rejects the cache with a CacheIntegrityError and skips extraction entirely.
Default is 'warn'.
default: 'warn'
required: false
fail-on-cache-invalid:
description: |
Fail the workflow if the restored cache is rejected by client-side path validation
(entries that escape the declared paths, or an archive that cannot be parsed).
Only applies when `strict-paths` is 'error'; the 'off' and 'warn' modes never
reject a cache. When 'false' (default), a rejected cache is treated as a cache miss.
default: 'false'
required: false
outputs:
cache-hit:
description: 'A boolean value to indicate an exact match was found for the primary key'