From c948a2c1632f10ed1380ebe1c6ee172ff457e92a Mon Sep 17 00:00:00 2001
From: Salman Chishti <13schishti@gmail.com>
Date: Mon, 9 Mar 2026 05:35:59 -0700
Subject: [PATCH] feat: add cache-write input for read-only cache mode

Add a 'cache-write' input (default: true) that controls whether the cache is saved at the end of the workflow. When set to 'false', the action will restore cached dependencies but skip saving, providing a read-only cache mode. This is useful for preventing cache poisoning attacks from untrusted PR builds while still benefiting from cached dependencies.
---
 action.yml | 3 +++
 dist/cache-save/index.js | 5 +++++
 src/cache-save.ts | 6 ++++++
 3 files changed, 14 insertions(+)

diff --git a/action.yml b/action.yml
index c5726e1..262bc91 100644
--- action.yml
+++ b/action.yml
@@ -17,6 +17,9 @@ inputs:
 default: true
 cache-dependency-path:
 description: 'Used to specify the path to a dependency file (e.g., go.mod, go.sum)'
+ cache-write:
+ description: 'Whether to save the cache at the end of the workflow. Set to false for cache read-only mode, useful for preventing cache poisoning from untrusted PR builds.'
+ default: true
 architecture:
 description: 'Target architecture for Go to use. Examples: x86, x64. Will use system architecture by default.'
 outputs:
diff --git a/dist/cache-save/index.js b/dist/cache-save/index.js
index 3cef7e1..5fb526d 100644
--- a/dist/cache-save/index.js
+++ b/dist/cache-save/index.js
@@ -71548,6 +71548,11 @@ process.on('uncaughtException', e => { function run(earlyExit) { return __awaiter(this, void 0, void 0, function* () { try { + const cacheWriteEnabled = core.getInput('cache-write'); + if (cacheWriteEnabled === 'false') { + core.info('Cache write is disabled (read-only mode). Skipping cache save.'); + return; + } const cacheInput = core.getBooleanInput('cache'); if (cacheInput) { yield cachePackages();
diff --git a/src/cache-save.ts b/src/cache-save.ts
index f873527..c7bfb95 100644
--- a/src/cache-save.ts
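Review bot: The `cache-write` description in action.yml says the save happens "at the end of the workflow", but the check lives in the action's cache-save script, which presumably runs as the post step of the job that uses the action. If so, the setting applies per job and has to be set on every job that builds untrusted code, not once per workflow. With `default: true` existing workflows keep writing the cache, so read-only mode is opt-in; the description could say that and name the accepted values. Suggested wording: `Whether to save the cache at the end of the job (true or false, default true). Set to false on jobs that build untrusted PR code so this action does not save a cache from them.`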
+++ b/src/cache-save.ts
@@ -18,6 +18,12 @@ process.on('uncaughtException', e => {
 export async function run(earlyExit?: boolean) {
 try {
+ const cacheWriteEnabled = core.getInput('cache-write');
+ if (cacheWriteEnabled === 'false') {
+ core.info('Cache write is disabled (read-only mode). Skipping cache save.');
+ return;
+ }
+
 const cacheInput = core.getBooleanInput('cache');
 if (cacheInput) {
 await cachePackages();
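Review bot: The guard compares `core.getInput('cache-write')` with the exact string `'false'`, so `False`, `FALSE` or any mistyped value leaves cache saving enabled, which is the wrong direction to fail for an input meant to stop cache poisoning. The `cache` input just below the added block is read with `core.getBooleanInput`, which accepts the YAML boolean spellings and throws on anything else. Reading the new input the same way, `if (!core.getBooleanInput('cache-write')) {`, keeps the two consistent and rejects an unrecognised value instead of silently ignoring it. A thrown error would skip `cachePackages()` in this `try`; how it is reported depends on the `catch`, which is outside the hunk. The `dist/cache-save/index.js` hunk carries the same comparison and should be regenerated from the fixed source.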