[BUG]: uv cache poisoning result is flipped #1081

@nijel

Description

Pre-submission checks

  • I am not filing a feature request. These should be filed via the feature request form instead.
  • I have looked through both the open and closed issues for a duplicate report.

zizmor version

1.12.0

Expected behavior

I have a release workflow that disables caching in astral-sh/setup-uv:

    - uses: astral-sh/setup-uv@d9e0f98d3fc6adb07d1e3d37f3043649ddad06a1 # v6.5.0
      with:
        enable-cache: false

As such, it should not be vulnerable to cache poisoning because it disables cache usage.

Actual behavior

zizmor complains that this is vulnerable to cache poisoning:

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> .github/workflows/setup.yml:7:1
    |
  7 | / on:
  8 | |   push:
...   |
 13 | |     - weblate-*
 14 | |   pull_request:
    | |_______________^ generally used when publishing artifacts generated at runtime
 15 |
...
171 |       - uses: astral-sh/setup-uv@d9e0f98d3fc6adb07d1e3d37f3043649ddad06a1 # v6.5.0
172 | /       with:
173 | |         enable-cache: false
    | |___________________________^ opt-in for caching here
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix

With auto-fix it actually turns on the caching:

diff --git .github/workflows/setup.yml .github/workflows/setup.yml
index 8c14edef56..b791929c0e 100644
--- .github/workflows/setup.yml
+++ .github/workflows/setup.yml
@@ -34,7 +34,7 @@ jobs:
         persist-credentials: false
     - uses: astral-sh/setup-uv@d9e0f98d3fc6adb07d1e3d37f3043649ddad06a1 # v6.5.0
       with:
-        enable-cache: false
+        enable-cache: true
     - name: Setup Python
       uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
       with:
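Review bot: the replacement of `-        enable-cache: false` with `+        enable-cache: true` moves in the wrong direction for a cache-poisoning remediation: the original line already opts the setup-uv step out of caching, and the new line switches caching on, so the correct auto-fix is to leave `enable-cache: false` as it is (and only add that line where it is missing). Combined with the diagnostic span above, which points at the `with:` block that already contains `enable-cache: false` and labels it "opt-in for caching here", this suggests the audit is reading the value with inverted truthiness rather than mis-locating the key.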
@@ -170,7 +170,7 @@ jobs:
       run: find dist -mindepth 1 -not -name '*.tar.gz' -not -name '*.whl' -delete
     - uses: astral-sh/setup-uv@d9e0f98d3fc6adb07d1e3d37f3043649ddad06a1 # v6.5.0
       with:
-        enable-cache: false
+        enable-cache: true
     - run: uv publish --trusted-publishing always
 
   publish_github:
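Review bot: this hunk is the riskier of the two, because the step immediately after it is `uv publish --trusted-publishing always`, which is exactly the publishing context the audit's own note ("generally used when publishing artifacts generated at runtime") is warning about; switching to `enable-cache: true` in this job introduces the exposure the finding claims to remediate. Until the inversion is fixed, applying this auto-fix should be treated as a regression rather than a hardening, and the before/after shown in this diff is a good regression fixture for the audit.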

Reproduction steps

  1. Take this workflow https://github.com/WeblateOrg/weblate/blob/6d869679264dd4e42ad31125b4e9cf5d3de191fd/.github/workflows/setup.yml#L35
  2. Run zizmor .github/workflows/setup.yml

Logs


Additional context

No response
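To make the reported inversion concrete, the following is an added example (not zizmor's code or the Weblate workflow) of a minimal checker for the condition the cache-poisoning audit is meant to catch: an `astral-sh/setup-uv` step with caching left on inside a job that publishes artifacts. The workflow structure is a constructed sample modelled on the issue, the `uv publish` marker is the heuristic for "publishing job", and treating a missing `enable-cache` as enabled is an assumption made here for conservatism; the test confirms `enable-cache: false` yields no finding while the auto-fixed `true` does.

```python
SETUP_UV = "astral-sh/setup-uv"

def cache_enabled(with_block):
    """Return True when the step keeps uv caching on.

    Assumption (not from the page): a missing `enable-cache` counts as enabled,
    since the audit should be conservative. The value may be a YAML boolean or a
    string (a quoted `with:` value), so both forms are normalised.
    """
    value = (with_block or {}).get("enable-cache", True)
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() not in {"false", "0", "no", "off"}

def publishes_artifacts(job):
    """Heuristic marker from the issue's workflow: the job runs `uv publish`."""
    return any("uv publish" in str(step.get("run", "")) for step in job.get("steps", []))

def find_cache_poisoning_candidates(workflow):
    """Return (job_name, step_index) for setup-uv steps with caching on in publishing jobs."""
    findings = []
    for job_name, job in workflow.get("jobs", {}).items():
        if not publishes_artifacts(job):
            continue
        for idx, step in enumerate(job.get("steps", [])):
            if str(step.get("uses", "")).startswith(SETUP_UV) and cache_enabled(step.get("with")):
                findings.append((job_name, idx))
    return findings

# Constructed sample modelled on the issue's job, parameterised on the enable-cache value
# so the pre- and post-auto-fix states can be compared (not the real Weblate workflow).
def sample_workflow(enable_cache):
    return {
        "on": {"push": {"tags": ["weblate-*"]}, "pull_request": {}},
        "jobs": {
            "publish_pypi": {
                "steps": [
                    {"uses": "astral-sh/setup-uv@d9e0f98d3fc6adb07d1e3d37f3043649ddad06a1",
                     "with": {"enable-cache": enable_cache}},
                    {"run": "uv publish --trusted-publishing always"},
                ]
            }
        },
    }

if __name__ == "__main__":
    # Original workflow: no finding.  After the flipped auto-fix: a real finding.
    print(find_cache_poisoning_candidates(sample_workflow(False)))  # → []
    print(find_cache_poisoning_candidates(sample_workflow(True)))   # → [('publish_pypi', 0)]
```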

Labels: bug (Something isn't working)