Disable uv cache to prevent cache poisoning

bschwedler · bschwedler · commit 43329836511e · 2026-04-10T16:05:38.000-05:00
A malicious PR could poison the uv cache and affect
subsequent runs. Disable caching on both the test and
release jobs — the ~10s install time is not worth the
attack surface.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -85,6 +85,7 @@ jobs:
         uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78  # v7.6.0
         with:
           python-version-file: "posit-bakery/pyproject.toml"
+          enable-cache: false
 
       - name: Install dependencies
         working-directory: ./posit-bakery
@@ -213,6 +214,7 @@ jobs:
         uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78  # v7.6.0
         with:
           python-version-file: "posit-bakery/pyproject.toml"
+          enable-cache: false
 
       - name: Install dependencies
         working-directory: ./posit-bakery
diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml
@@ -28,7 +28,7 @@ jobs:
           project-url: https://github.com/orgs/posit-dev/projects/17
 
       - name: Add Default Labels
-        uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf  # v1.1.0
+        uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf  # v1.1.3
         with:
           github_token: ${{ steps.app-token.outputs.token }}
           labels: |
