[pull] main from cloudflare:main

.github/actions/install-dependencies/action.yml

@@ -13,19 +13,30 @@ inputs:
     description: the api token for connecting to the turbo remote cache
   turbo-signature:
     description: the cache signature key for connecting to the turbo remote cache
+  disable-cache:
+    description: when "true", skip the pnpm store cache on setup-node (defense in depth for release builds)
+    default: "false"
 runs:
   using: "composite"
   steps:
     - name: Install pnpm
       uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
 
-    - name: Install Node.js ${{ inputs.node-version }}
+    - name: Install Node.js ${{ inputs.node-version }} (with pnpm cache)
+      if: inputs.disable-cache != 'true'
       uses: actions/setup-node@v4
       with:
         node-version: ${{ inputs.node-version }}
         cache: "pnpm"
         registry-url: "https://registry.npmjs.org"
 
+    - name: Install Node.js ${{ inputs.node-version }} (without pnpm cache)
+      if: inputs.disable-cache == 'true'
+      uses: actions/setup-node@v4
+      with:
+        node-version: ${{ inputs.node-version }}
+        registry-url: "https://registry.npmjs.org"
+
     # Enable node compile cache (effective for Node 22+)
     # See https://nodejs.org/docs/v24.11.1/api/module.html#module-compile-cache
     - name: Enable Node Compile Cache

.github/workflows/changesets.yml

@@ -25,13 +25,14 @@ jobs:
           fetch-depth: 500
 
       - name: Install Dependencies
+        # Defense in depth: do not pass Turbo remote cache credentials and
+        # disable the pnpm store cache so release builds always resolve
+        # packages from the registry and rebuild every task from source,
+        # rather than restoring from a (potentially poisoned) cache.
         uses: ./.github/actions/install-dependencies
         with:
           node-version: 24
-          turbo-api: ${{ secrets.TURBO_API }}
-          turbo-team: ${{ secrets.TURBO_TEAM }}
-          turbo-token: ${{ secrets.TURBO_TOKEN }}
-          turbo-signature: ${{ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }}
+          disable-cache: "true"
 
       - name: Check npm version
         run: node -r esbuild-register tools/deployments/check-npm-version.ts

.github/workflows/hotfix-release.yml

@@ -50,12 +50,13 @@ jobs:
           GH_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
 
       - name: Install Dependencies
+        # Defense in depth: do not pass Turbo remote cache credentials and
+        # disable the pnpm store cache so release builds always resolve
+        # packages from the registry and rebuild every task from source,
+        # rather than restoring from a (potentially poisoned) cache.
         uses: ./.github/actions/install-dependencies
         with:
-          turbo-api: ${{ secrets.TURBO_API }}
-          turbo-team: ${{ secrets.TURBO_TEAM }}
-          turbo-token: ${{ secrets.TURBO_TOKEN }}
-          turbo-signature: ${{ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }}
+          disable-cache: "true"
 
       - name: Build all packages
         run: pnpm run build

.github/workflows/prerelease.yml

@@ -28,12 +28,13 @@ jobs:
           fetch-depth: 1
 
       - name: Install Dependencies
+        # Defense in depth: do not pass Turbo remote cache credentials and
+        # disable the pnpm store cache so release builds always resolve
+        # packages from the registry and rebuild every task from source,
+        # rather than restoring from a (potentially poisoned) cache.
         uses: ./.github/actions/install-dependencies
         with:
-          turbo-api: ${{ secrets.TURBO_API }}
-          turbo-team: ${{ secrets.TURBO_TEAM }}
-          turbo-token: ${{ secrets.TURBO_TOKEN }}
-          turbo-signature: ${{ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }}
+          disable-cache: "true"
 
       - run: echo ${{ github.head_ref }}