actions · salmanmkc · Mar 9, 2026 · Copilot · Mar 9, 2026 · Copilot
@@ -59,6 +59,10 @@ inputs:
   cache-dependency-path:
     description: 'The path to a dependency file: pom.xml, build.gradle, build.sbt, etc. This option can be used with the `cache` option. If this option is omitted, the action searches for the dependency file in the entire repository. This option supports wildcards and a list of file names for caching multiple dependencies.'
     required: false
+  cache-write:
+    description: 'Whether to save the cache at the end of the workflow. Set to false for cache read-only mode, useful for preventing cache poisoning from untrusted PR builds.'
+    required: false
+    default: true
   job-status:
     description: 'Workaround to pass job status to post job step. This variable is not intended for manual setting'
     default: ${{ job.status }}

@@ -76919,6 +76919,11 @@ function removePrivateKeyFromKeychain() {
  */
 function saveCache() {
     return __awaiter(this, void 0, void 0, function* () {
+        const cacheWriteEnabled = core.getInput('cache-write');
+        if (cacheWriteEnabled === 'false') {
+            core.info('Cache write is disabled (read-only mode). Skipping cache save.');
+            return Promise.resolve();
+        }
         const jobStatus = (0, util_1.isJobStatusSuccess)();
         const cache = core.getInput(constants.INPUT_CACHE);
         return jobStatus && cache ? (0, cache_1.save)(cache) : Promise.resolve();

@@ -25,6 +25,12 @@ async function removePrivateKeyFromKeychain() {
  * @returns Promise that will be resolved when the save process finishes
  */
 async function saveCache() {
+  const cacheWriteEnabled = core.getInput('cache-write');
+  if (cacheWriteEnabled === 'false') {
+    core.info('Cache write is disabled (read-only mode). Skipping cache save.');
+    return Promise.resolve();
+  }
+
   const jobStatus = isJobStatusSuccess();
   const cache = core.getInput(constants.INPUT_CACHE);
   return jobStatus && cache ? save(cache) : Promise.resolve();