diff --git a/.github/actions/install-dependencies/action.yml b/.github/actions/install-dependencies/action.yml
index f7ddb84f6e..20e1deb62f 100644
--- a/.github/actions/install-dependencies/action.yml
+++ b/.github/actions/install-dependencies/action.yml
@@ -13,19 +13,30 @@ inputs:
 description: the api token for connecting to the turbo remote cache
 turbo-signature:
 description: the cache signature key for connecting to the turbo remote cache
+ disable-cache:
+ description: when "true", skip the pnpm store cache on setup-node (defense in depth for release builds)
+ default: "false"
 runs:
 using: "composite"
 steps:
 - name: Install pnpm
 uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
- - name: Install Node.js ${{ inputs.node-version }}
+ - name: Install Node.js ${{ inputs.node-version }} (with pnpm cache)
+ if: inputs.disable-cache != 'true'
 uses: actions/setup-node@v4
 with:
 node-version: ${{ inputs.node-version }}
 cache: "pnpm"
 registry-url: "https://registry.npmjs.org"
+ - name: Install Node.js ${{ inputs.node-version }} (without pnpm cache)
+ if: inputs.disable-cache == 'true'
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ inputs.node-version }}
+ registry-url: "https://registry.npmjs.org"
+ # Enable node compile cache (effective for Node 22+)
 # See https://nodejs.org/docs/v24.11.1/api/module.html#module-compile-cache
 - name: Enable Node Compile Cache
diff --git a/.github/workflows/changesets.yml b/.github/workflows/changesets.yml
index 9bd8685188..24487a4200 100644
--- a/.github/workflows/changesets.yml
+++ b/.github/workflows/changesets.yml
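Review bot: Both `uses: actions/setup-node@v4` references — the existing step and its copy in the new `(without pnpm cache)` step — resolve a mutable tag, while the `pnpm/action-setup` line just above them is pinned to a full commit SHA with a `# v4` comment; a change whose stated purpose is defense in depth for release builds should pin the Node setup the same way in both steps, e.g. `uses: actions/setup-node@<full-commit-sha> # v4` with the verified SHA substituted. The duplicated step is the right shape rather than a style slip: an expression ternary such as `cache: ${{ inputs.disable-cache == 'true' && '' || 'pnpm' }}` can never yield an empty string because `''` is falsy in workflow expressions, so a comment above the pair would keep a future cleanup from merging them back and silently re-enabling the cache, e.g. `# Two setup-node steps on purpose: an empty string is falsy in workflow expressions, so a ternary cannot disable the cache.`. Note that `disable-cache` governs only setup-node's store cache; the action still declares the turbo-* inputs, so leaving remote-cache credentials out is each caller's responsibility. The `inputs:` mapping this hunk extends begins before line 13, outside the hunk.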
@@ -25,13 +25,14 @@ jobs:
 fetch-depth: 500
 - name: Install Dependencies
+ # Defense in depth: do not pass Turbo remote cache credentials and
+ # disable the pnpm store cache so release builds always resolve
+ # packages from the registry and rebuild every task from source,
+ # rather than restoring from a (potentially poisoned) cache.
 uses: ./.github/actions/install-dependencies
 with:
 node-version: 24
- turbo-api: ${{ secrets.TURBO_API }}
- turbo-team: ${{ secrets.TURBO_TEAM }}
- turbo-token: ${{ secrets.TURBO_TOKEN }}
- turbo-signature: ${{ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }}
+ disable-cache: "true"
 - name: Check npm version
 run: node -r esbuild-register tools/deployments/check-npm-version.ts
diff --git a/.github/workflows/hotfix-release.yml b/.github/workflows/hotfix-release.yml
index 8808e4b2c7..3a3ae45de1 100644
--- a/.github/workflows/hotfix-release.yml
+++ b/.github/workflows/hotfix-release.yml
@@ -50,12 +50,13 @@ jobs:
 GH_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
 - name: Install Dependencies
+ # Defense in depth: do not pass Turbo remote cache credentials and
+ # disable the pnpm store cache so release builds always resolve
+ # packages from the registry and rebuild every task from source,
+ # rather than restoring from a (potentially poisoned) cache.
 uses: ./.github/actions/install-dependencies
 with:
- turbo-api: ${{ secrets.TURBO_API }}
- turbo-team: ${{ secrets.TURBO_TEAM }}
- turbo-token: ${{ secrets.TURBO_TOKEN }}
- turbo-signature: ${{ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }}
+ disable-cache: "true"
 - name: Build all packages
 run: pnpm run build
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
index 838f1e74af..0449d0cb33 100644
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
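Review bot: The new comment's claim that release builds "rebuild every task from source" is only partly enforced by what this hunk changes: dropping the four turbo-* inputs stops the composite action from receiving remote-cache credentials, but whether Turbo still sees them depends on whether a job- or workflow-level `env:` outside the hunk carries values such as TURBO_TOKEN or TURBO_TEAM, and the local Turbo cache is bypassed only because a fresh runner starts without one. Likewise "resolve packages from the registry" holds only if the composite action's pnpm install step, which is not in this diff, installs against the lockfile. I would narrow the comment to what is actually enforced here, e.g. `# Release builds: no Turbo remote-cache credentials are passed and the pnpm store cache is skipped (disable-cache), so packages are fetched fresh and tasks are rebuilt on this ephemeral runner.`, and confirm that no env-level TURBO_* values remain in these workflows. The same comment and input change appear in the hotfix-release.yml and prerelease.yml hunks below; the note applies to them as well.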
@@ -28,12 +28,13 @@ jobs:
 fetch-depth: 1
 - name: Install Dependencies
+ # Defense in depth: do not pass Turbo remote cache credentials and
+ # disable the pnpm store cache so release builds always resolve
+ # packages from the registry and rebuild every task from source,
+ # rather than restoring from a (potentially poisoned) cache.
 uses: ./.github/actions/install-dependencies
 with:
- turbo-api: ${{ secrets.TURBO_API }}
- turbo-team: ${{ secrets.TURBO_TEAM }}
- turbo-token: ${{ secrets.TURBO_TOKEN }}
- turbo-signature: ${{ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }}
+ disable-cache: "true"
 - run: echo ${{ github.head_ref }}