Avoid caching by default (#1359)

GitHub Actions caches are shared across branches and workflows within a
repository, which makes them susceptible to cache-poisoning attacks.
This has been demonstrated in practice by tools such as
[Cacheract](https://github.com/AdnaneKhan/Cacheract) and documented in
["The Monsters in Your Build
Cache"](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/).
The trust boundary between cache writers and cache readers is not
well-defined, so the safest default is to not cache at all. Users who
have evaluated the trade-off for their threat model can still opt in
with `cache: true` or `cache: auto`.

To alleviate the performance impact this would mean for the
`build-installers` flavor, we changed the git-sdk-* `ci-artifacts`
workflows to provide pre-built `.tar.zst` archives. On runner images
whose `tar.exe` supports Zstandard (Windows Server 2025 /
`windows-latest`), the `build-installers` flavor is now served directly
from these CI artifacts. Older images such as `windows-2022` fall back
to the existing git-clone-and-build approach.

Author: dscho

__mocks__/@octokit/rest.js

@@ -35,6 +35,24 @@ module.exports = {
                         }
                     }
                 }),
+                getReleaseByTag: jest.fn().mockResolvedValue({
+                    status: 200,
+                    data: {
+                        html_url: 'https://github.com/git-for-windows/git-sdk-64/releases/tag/ci-artifacts',
+                        assets: [
+                            {
+                                name: 'git-sdk-x86_64-minimal.tar.gz',
+                                updated_at: '2025-08-12T12:00:00Z',
+                                browser_download_url: 'https://example.com/git-sdk-x86_64-minimal.tar.gz'
+                            },
+                            {
+                                name: 'git-sdk-x86_64-build-installers.tar.zst',
+                                updated_at: '2025-08-12T12:00:00Z',
+                                browser_download_url: 'https://example.com/git-sdk-x86_64-build-installers.tar.zst'
+                            }
+                        ]
+                    }
+                }),
                 listReleases: jest.fn().mockResolvedValue({
                     data: [
                         {

action.yml

@@ -31,8 +31,14 @@ inputs:
     default: '250'
   cache:
     required: false
-    description: 'Use @actions/cache to accelerate this Action'
-    default: 'auto'
+    description: >
+      Use @actions/cache to accelerate this Action.
+      Note: GitHub Actions caches are shared across branches and
+      workflows within a repository, which makes them susceptible
+      to cache-poisoning attacks (see e.g. Cacheract,
+      https://github.com/AdnaneKhan/Cacheract). Caching is
+      therefore disabled by default.
+    default: 'false'
   github-token:
     description: >
       Personal access token (PAT) used to call into GitHub's REST API.

dist/index.js

@@ -2,6 +2,7 @@ import * as core from '@actions/core'
 import {mkdirp} from './src/downloader'
 import {restoreCache, saveCache} from '@actions/cache'
 import process from 'process'
+import * as os from 'os'
 import {spawnSync} from 'child_process'
 import {
   getArtifactMetadata,
@@ -45,9 +46,13 @@ async function run(): Promise<void> {
     const verbose = core.getInput('verbose')
     const msysMode = core.getInput('msys') === 'true'
 
+    // Windows Server 2025 / Windows 11 24H2 (build 26100+) ships a tar.exe
+    // that handles Zstandard natively; older versions do not.
+    const canExtractZstd = parseInt(os.release().split('.')[2]) >= 26100
+
     const {artifactName, download, id} =
-      flavor === 'minimal'
-        ? await getViaCIArtifacts(architecture, githubToken)
+      flavor === 'minimal' || (flavor === 'build-installers' && canExtractZstd)
+        ? await getViaCIArtifacts(flavor, architecture, githubToken)
         : await getViaGit(flavor, architecture, githubToken)
     const outputDirectory =
       core.getInput('path') || `${getDriveLetterPrefix()}${artifactName}`

dist/index.js.map

@@ -11,6 +11,7 @@ async function sleep(milliseconds: number): Promise<void> {
 }
 
 export async function getViaCIArtifacts(
+  flavor: string,
   architecture: string,
   githubToken?: string
 ): Promise<{
@@ -23,7 +24,7 @@ export async function getViaCIArtifacts(
 }> {
   const owner = 'git-for-windows'
 
-  const {repo, artifactName} = getArtifactMetadata('minimal', architecture)
+  const {repo, artifactName} = getArtifactMetadata(flavor, architecture)
 
   const octokit = githubToken ? new Octokit({auth: githubToken}) : new Octokit()
 
@@ -52,18 +53,22 @@ export async function getViaCIArtifacts(
       core.info(
         `Found ci-artifacts release: ${ciArtifactsResponse.data.html_url}`
       )
-      const tarGzArtifact = ciArtifactsResponse.data.assets.find(asset =>
-        asset.name.endsWith('.tar.gz')
+      const assetName =
+        flavor === 'build-installers'
+          ? `git-sdk-${architecture}-build-installers.tar.zst`
+          : `git-sdk-${architecture}-minimal.tar.gz`
+      const artifact = ciArtifactsResponse.data.assets.find(
+        asset => asset.name === assetName
       )
 
-      if (!tarGzArtifact) {
+      if (!artifact) {
         error = new Error(
-          `Failed to find a .tar.gz artifact in the ci-artifacts release of the ${owner}/${repo} repo`
+          `Failed to find ${assetName} in the ci-artifacts release of the ${owner}/${repo} repo`
         )
         continue
       }
 
-      return tarGzArtifact
+      return artifact
     }
     throw error
   })()