fix: disable Go module cache in agentic setup actions to prevent cache poisoning#19865

Merged
pelikhan merged 3 commits intomainfrom
copilot/emit-readonly-setup-actions
Mar 6, 2026

Conversation

Contributor

Copilot AI commented Mar 6, 2026

Agentic workflows using actions/setup-go had caching enabled by default (cache: true), exposing a cache poisoning vector via prompt injection. Node.js already mitigated this with package-manager-cache: false; Go now follows the same pattern.

Changes

  • runtime_definitions.go: Add cache: false to Go's ExtraWithFields — disables caching for version-based Go setups (matches Node.js's package-manager-cache: false pattern)
  • runtime_step_generator.go: Change cache: true to cache: false in the go-version-file special-case path
  • runtime_setup_test.go: Assert cache: false for all three Go setup variants (explicit version, default version, go.mod file)
  • smoke-copilot.golden: Regenerated — auto-generated "Setup Go" step now emits cache: false; the pre-agent "Setup Go for CLI build" step (runs before agent execution) intentionally retains cache: true
```yaml
# Before
- name: Setup Go
  uses: actions/setup-go@...
  with:
    go-version: '1.25'
    # no cache field → defaults to true

# After
- name: Setup Go
  uses: actions/setup-go@...
  with:
    go-version: '1.25'
    cache: false
```

Warning

Firewall rules blocked me from connecting to one or more addresses.

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: gh run download 1 --dir test-logs/run-1 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: gh run download 12345 --dir test-logs/run-12345 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: gh run download 12346 --dir test-logs/run-12346 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: gh run download 2 --dir test-logs/run-2 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: gh run download 3 --dir test-logs/run-3 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: gh run download 4 --dir test-logs/run-4 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: gh run download 5 --dir test-logs/run-5 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: gh workflow list --json name,state,path (http block)
    • Triggering command: gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
    • Triggering command: gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: gh workflow list --json name,state,path --repo owner/repo (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build.../cli.test -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

The runtime manager should emit setup actions with readonly mode for caches (actions/setup-node ...). The caches from an agentic workflow should be readonly to prevent cache poisoning by a prompt injection.


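A check a practitioner would want alongside this change, written for this page as an added example rather than taken from gh-aw: a Go program that scans generated workflow YAML for actions/setup-go and actions/setup-node steps whose cache input is not explicitly false. An absent `cache:` on setup-go counts as enabled (the PR description notes it defaults to true), and steps that run before the agent, like the "Setup Go for CLI build" step the PR intentionally leaves cached, can be passed as exempt. The sample workflow, the `exempt` list, and the function names `FindCachingSetupSteps`, `stepName` and `withValue` are constructed for the example; the scanner is line-based so it needs no YAML library.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleWorkflow is a constructed fragment of generated workflow YAML for this
// example; it is not a real gh-aw lock file.
const sampleWorkflow = `jobs:
  agent:
    steps:
      - name: Setup Go for CLI build
        uses: actions/setup-go@v5
        with:
          go-version: '1.25'
          cache: true
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '24'
          package-manager-cache: false
      - name: Setup Go (default version)
        uses: actions/setup-go@v5
        with:
          go-version: '1.25'
`

// cacheInputs maps each setup action to the input that controls its cache.
var cacheInputs = map[string]string{
	"actions/setup-go":   "cache",
	"actions/setup-node": "package-manager-cache",
}

// Finding is one setup step whose cache is not explicitly disabled.
type Finding struct{ Step, Action, Reason string }

// FindCachingSetupSteps reports setup-go/setup-node steps whose cache input is
// not "false". An absent input is a finding too: setup-go defaults it to true.
// Steps named in exempt (those that run before the agent) are skipped.
func FindCachingSetupSteps(workflow string, exempt map[string]bool) []Finding {
	lines := strings.Split(workflow, "\n")
	var findings []Finding
	for i, line := range lines {
		t := strings.TrimSpace(line)
		if !strings.HasPrefix(t, "uses:") {
			continue
		}
		action, _, _ := strings.Cut(strings.TrimSpace(strings.TrimPrefix(t, "uses:")), "@")
		input, tracked := cacheInputs[action]
		name := stepName(lines, i)
		if !tracked || exempt[name] {
			continue
		}
		value, found := withValue(lines, i, input)
		switch {
		case !found:
			findings = append(findings, Finding{name, action, input + " not set (defaults to enabled)"})
		case value != "false":
			findings = append(findings, Finding{name, action, input + ": " + value})
		}
	}
	return findings
}

// stepName walks back from the uses: line to the "- name:" that opens the step
// (this example expects name to precede uses, as the generated steps above do).
func stepName(lines []string, i int) string {
	for j := i; j >= 0; j-- {
		t := strings.TrimSpace(lines[j])
		if strings.HasPrefix(t, "- name:") {
			return strings.TrimSpace(strings.TrimPrefix(t, "- name:"))
		}
		if strings.HasPrefix(t, "- ") {
			break // start of this step reached without a name
		}
	}
	return "(unnamed step)"
}

// withValue finds key: under the step's with: block, stopping at the next step
// (a line indented shallower than uses:, or a sibling list item).
func withValue(lines []string, i int, key string) (string, bool) {
	base := indentOf(lines[i])
	for j := i + 1; j < len(lines); j++ {
		t := strings.TrimSpace(lines[j])
		if t == "" {
			continue
		}
		if in := indentOf(lines[j]); in < base || (in == base && strings.HasPrefix(t, "- ")) {
			break
		} else if in > base && strings.HasPrefix(t, key+":") {
			return strings.Trim(strings.TrimSpace(strings.TrimPrefix(t, key+":")), `'"`), true
		}
	}
	return "", false
}

func indentOf(s string) int { return len(s) - len(strings.TrimLeft(s, " ")) }

func main() {
	exempt := map[string]bool{"Setup Go for CLI build": true} // runs before the agent
	for _, f := range FindCachingSetupSteps(sampleWorkflow, exempt) {
		fmt.Printf("%s (%s): %s\n", f.Step, f.Action, f.Reason)
	}
}
```

Run against the lock files a compiler regenerates and the only acceptable output is an empty list; the exempt set is the place to record which pre-agent steps are allowed to keep a writable cache, so the exception is explicit rather than implied by step ordering.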

…soning

The runtime manager previously emitted setup actions for Go with
cache enabled (cache: true), creating a cache poisoning vulnerability
via prompt injection. This change:

- Sets cache: false in Go's ExtraWithFields (for all Go setups)
- Sets cache: false in the go.mod special case path
- Updates tests and golden files to match the new behavior

Node.js already had package-manager-cache: false for the same reason.
Go now follows the same security practice.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Emit setup actions with readonly mode for caches" to "fix: disable Go module cache in agentic setup actions to prevent cache poisoning" Mar 6, 2026
@pelikhan
Contributor

pelikhan commented Mar 6, 2026

@copilot investigate if you can get "read only" caches.

Contributor Author

Copilot AI commented Mar 6, 2026

@copilot investigate if you can get "read only" caches.

Investigated: neither actions/setup-go nor actions/setup-node expose a read-only/restore-only cache mode (confirmed for v4–v6). The cache parameter is binary — true (restore + save) or false (disabled).

The actions/cache/restore restore-only variant exists, but setup actions use internal caching with runtime-computed keys (e.g., hash of go.mod/go.sum), so it can't be cleanly wired to a separate restore-only step without tight coupling to the action's internal key format.

cache: false remains the correct security-conservative approach here. The cache-memory feature already uses actions/cache/restore for its own readonly caches, but that's a different code path where we control the key.

@pelikhan pelikhan marked this pull request as ready for review March 6, 2026 14:47
Copilot AI review requested due to automatic review settings March 6, 2026 14:47
Contributor

Copilot AI left a comment


Pull request overview

Disables actions/setup-go module caching in agentic workflow-generated setup steps to reduce cache-poisoning risk (aligning Go behavior with the existing Node.js cache-hardening approach).

Changes:

  • Default Go runtime setup steps now emit cache: false (including the go-version-file path).
  • Tests updated to assert cache: false across Go setup variants.
  • Regenerated workflow goldens/lockfiles to reflect the new emitted YAML.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.

Summary per file:

  • pkg/workflow/runtime_definitions.go: Adds Go ExtraWithFields.cache=false so generated setup-go steps disable caching by default.
  • pkg/workflow/runtime_step_generator.go: Switches the go-version-file special-case to emit cache: false.
  • pkg/workflow/runtime_setup_test.go: Updates assertions to expect cache: false for Go setup steps.
  • pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden: Updates golden output to include cache: false on the generated "Setup Go" step.
  • .github/workflows/smoke-test-tools.lock.yml: Updates pinned workflow to include cache: false for setup-go.
  • .github/workflows/smoke-copilot.lock.yml: Updates pinned workflow to include cache: false for setup-go.
  • .github/workflows/smoke-copilot-arm.lock.yml: Updates pinned workflow to include cache: false for setup-go.
  • .github/workflows/smoke-codex.lock.yml: Updates pinned workflow to include cache: false for setup-go.
  • .github/workflows/smoke-claude.lock.yml: Updates pinned workflow to include cache: false for setup-go.
  • .github/workflows/dead-code-remover.lock.yml: Updates pinned workflow to include cache: false for setup-go.
  • .github/workflows/daily-copilot-token-report.lock.yml: Updates pinned workflow to include cache: false for setup-go.


Comment on lines 101 to 105
if runtime.ID == "go" && req.GoModFile != "" {
step = append(step, " with:")
step = append(step, " go-version-file: "+req.GoModFile)
step = append(step, " cache: true")
step = append(step, " cache: false") // Disable caching to prevent cache poisoning in agentic workflows
// Add any extra fields from user's setup step (sorted for stable output)
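Review bot: the hardcoded `cache: false` in this branch is appended before the loop that adds the user's extra fields, so a caller passing req.ExtraFields["cache"] would produce a second `cache:` key in the same `with:` block and leave the effective value to the YAML parser rather than to this code. Either delete "cache" from the merged extra fields before that loop, or run this branch through the same ExtraWithFields merge the non-GoModFile path uses and set `cache` to false last, so the forced value is emitted exactly once; a test that passes ExtraFields{"cache": true} on the go-version-file path would pin that down.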

Copilot AI Mar 6, 2026


The Go go-version-file special-case bypasses the normal runtime.ExtraWithFields + req.ExtraFields merge logic and hardcodes cache: false. This duplicates behavior from the general path and can drift if more default ExtraWithFields are added for Go later (or if a caller ever sets req.ExtraFields["cache"], it could produce a duplicate YAML key). Consider reusing the same merge/sort logic in this branch: emit go-version-file first, then append merged extra fields (with user fields overriding runtime defaults).

See below for a potential fix:


```go
		// Merge runtime default extra fields with user-provided ones, then disable cache.
		// This mirrors the general extra-field handling while ensuring cache is always false.
		// Requires the "maps" and "sort" imports; maps.Clone(nil) returns nil, so
		// runtime.ExtraWithFields must be non-nil (it is, now that it carries cache: false).
		extraFields := maps.Clone(runtime.ExtraWithFields)
		for key, value := range req.ExtraFields {
			extraFields[key] = value
		}
		// Disable caching to prevent cache poisoning in agentic workflows.
		extraFields["cache"] = false

		// Emit merged extra fields (sorted for stable output).
		var extraKeys []string
		for key := range extraFields {
			extraKeys = append(extraKeys, key)
		}
		sort.Strings(extraKeys)
		for _, key := range extraKeys {
			valueStr := formatYAMLValue(extraFields[key])
			// Same indentation as the go-version-file line emitted above.
			step = append(step, "    "+key+": "+valueStr)
		}
```

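The unified merge the review comment asks for, carried through as an added example written for this page (not gh-aw's runtime_step_generator.go): both the explicit-version and the go-version-file paths go through one merge where runtime defaults come first, the user's ExtraFields override them, and the cache input is forced to false last, so neither a default nor a prompt-injected ExtraFields["cache"]=true can re-enable caching and no key is emitted twice. The Runtime and SetupRequest types, the VersionInput/CacheInput fields, and formatYAMLValue's quoting rule (strings single-quoted, so go-version-file comes out as 'go.mod' rather than the bare go.mod the page shows) are assumptions of this example.

```go
package main

import (
	"fmt"
	"maps"
	"sort"
	"strings"
)

// Runtime and SetupRequest are simplified stand-ins for the generator's types
// (hypothetical field names, not gh-aw's own definitions).
type Runtime struct {
	ID, Name, ActionRef string
	VersionInput        string         // "go-version" or "node-version"
	CacheInput          string         // "cache" or "package-manager-cache"
	ExtraWithFields     map[string]any // runtime defaults for the with: block
}

type SetupRequest struct {
	Version     string
	GoModFile   string         // Go only: emit go-version-file instead of a version
	ExtraFields map[string]any // fields taken from the user's setup step
}

// formatYAMLValue renders bools and numbers bare and single-quotes strings.
func formatYAMLValue(v any) string {
	switch x := v.(type) {
	case bool:
		return fmt.Sprintf("%t", x)
	case int, int64, float64:
		return fmt.Sprint(x)
	case string:
		return "'" + strings.ReplaceAll(x, "'", "''") + "'"
	default:
		return fmt.Sprintf("'%v'", x)
	}
}

// GenerateSetupStep emits one setup step. Order matters: runtime defaults,
// then user fields on top, then the cache input set to false last, so the
// hardening wins over both and each key appears exactly once.
func GenerateSetupStep(rt Runtime, req SetupRequest) []string {
	with := maps.Clone(rt.ExtraWithFields)
	if with == nil {
		with = map[string]any{}
	}
	maps.Copy(with, req.ExtraFields)
	if rt.ID == "go" && req.GoModFile != "" {
		with["go-version-file"] = req.GoModFile
		delete(with, rt.VersionInput) // go-version-file and go-version are alternatives
	} else if req.Version != "" {
		with[rt.VersionInput] = req.Version
	}
	with[rt.CacheInput] = false // never user-overridable in agentic setup steps

	step := []string{"- name: Setup " + rt.Name, "  uses: " + rt.ActionRef, "  with:"}
	keys := make([]string, 0, len(with))
	for k := range with {
		keys = append(keys, k)
	}
	sort.Strings(keys) // stable output for golden files
	for _, k := range keys {
		step = append(step, "    "+k+": "+formatYAMLValue(with[k]))
	}
	return step
}

func main() {
	goRT := Runtime{ID: "go", Name: "Go", ActionRef: "actions/setup-go@v5",
		VersionInput: "go-version", CacheInput: "cache",
		ExtraWithFields: map[string]any{"cache": false}}
	// A user (or injected) field trying to turn the module cache back on.
	req := SetupRequest{GoModFile: "go.mod", ExtraFields: map[string]any{"cache": true, "check-latest": true}}
	fmt.Println(strings.Join(GenerateSetupStep(goRT, req), "\n"))

	nodeRT := Runtime{ID: "node", Name: "Node.js", ActionRef: "actions/setup-node@v4",
		VersionInput: "node-version", CacheInput: "package-manager-cache"}
	fmt.Println(strings.Join(GenerateSetupStep(nodeRT, SetupRequest{Version: "24"}), "\n"))
}
```

Because the cache input is written after the user merge, an ExtraFields entry of `cache: true` is silently overridden rather than emitted as a duplicate key; if the project would rather reject such input than override it, the place to add that error is right before the forced assignment.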
@pelikhan pelikhan merged commit 1574548 into main Mar 6, 2026
53 checks passed
@pelikhan pelikhan deleted the copilot/emit-readonly-setup-actions branch March 6, 2026 17:18
github-actions bot pushed a commit that referenced this pull request Mar 6, 2026
The GoModFile code path in generateSetupStep was hardcoding
'cache: false' independently, while the non-GoModFile path was
already using the runtime.ExtraWithFields merge to apply the
same setting (added in #19865).

Unify both paths to use the same ExtraWithFields merge logic,
so the GoModFile path consistently picks up all runtime-level
'with' fields rather than only user-specified ExtraFields.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
3 participants