
chore(ci): canary/trusted publishing shouldn't use any caching#11795

Merged: slorber merged 1 commit into main from slorber/publish-workflow-no-cache on Mar 11, 2026

Conversation

@slorber (Collaborator) commented Mar 11, 2026

Motivation

We have recently set up Trusted Publishing for canary releases (#11712), and would like our stable releases to use it soon, too.

This workflow is quite sensitive since it's the only one that can publish to npm.

However, using a shared GitHub Actions cache in a sensitive, high-privileged workflow is risky, but this is what we do today by using `setup-node` with `cache: yarn`.

https://github.com/facebook/docusaurus/actions/caches

(screenshot: the repository's GitHub Actions caches page, taken 2026-03-11)

Another workflow could be compromised and write something harmful to that cache, that later gets restored/run by the publish workflow.

We have seen popular npm packages become compromised that way, see actions/setup-node#1445 (comment)

For that reason, sensitive workflows should not use any shared cache.

Test Plan

CI
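The change described above, as an added illustration that is not the Docusaurus repository's own workflow file: a minimal publish job with the `cache: yarn` input on `actions/setup-node` (the risky form, kept as a comment) next to the same step without it. The job name, Node version, action versions and the `yarn publish:canary` script name are assumptions; the `id-token: write` permission is what npm Trusted Publishing uses to obtain its OIDC token.

```yaml
# Added example, not the project's actual workflow. Job name, Node version,
# action versions and the publish script are assumptions.
name: publish-canary
on:
  workflow_dispatch:

permissions:
  contents: read
  id-token: write   # OIDC token for npm Trusted Publishing; no other write scope

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # BEFORE (risky): the cache input makes setup-node restore a Yarn cache
      # from the repository's shared Actions cache, which other, less
      # privileged workflows in the same repository also write to.
      # - uses: actions/setup-node@v4
      #   with:
      #     node-version: 22
      #     cache: yarn

      # AFTER: no cache input, so nothing from the shared Actions cache is
      # restored into this job; dependencies are fetched directly from the
      # registry and pinned by the lockfile.
      - uses: actions/setup-node@v4
        with:
          node-version: 22

      - run: yarn install --immutable
      - run: yarn publish:canary   # hypothetical publish script
```

When reviewing a publish workflow for this property, the `cache:` input on `setup-node` is not the only thing to look for: any `actions/cache` step, or any other action that restores build artifacts from the shared cache, reintroduces the same trust on other workflows and should be absent from the job that holds the publishing credentials.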

@slorber slorber requested a review from Josh-Cena as a code owner March 11, 2026 15:53
@slorber slorber added the pr: maintenance This PR does not produce any behavior differences to end users when upgrading. label Mar 11, 2026
@meta-cla meta-cla bot added the CLA Signed Signed Facebook CLA label Mar 11, 2026
netlify bot commented Mar 11, 2026

- 🔨 Latest commit: c63f5c5
- 🔍 Latest deploy log: https://app.netlify.com/projects/docusaurus-2/deploys/69b18ff89144a30008768619
- 😎 Deploy Preview: https://deploy-preview-11795--docusaurus-2.netlify.app

github-actions bot commented

⚡️ Lighthouse report for the deploy preview of this PR

| URL | Performance | Accessibility | Best Practices | SEO | Report |
| --- | --- | --- | --- | --- | --- |
| / | 🔴 41 | 🟢 98 | 🟢 100 | 🟢 100 | Report |
| /docs/installation | 🔴 49 | 🟢 97 | 🟢 100 | 🟢 100 | Report |
| /docs/category/getting-started | 🟠 71 | 🟢 100 | 🟢 100 | 🟠 86 | Report |
| /blog | 🟠 66 | 🟢 96 | 🟢 100 | 🟠 86 | Report |
| /blog/preparing-your-site-for-docusaurus-v3 | 🟠 66 | 🟢 92 | 🟢 100 | 🟢 100 | Report |
| /blog/tags/release | 🟠 68 | 🟢 96 | 🟢 100 | 🟠 86 | Report |
| /blog/tags | 🟠 69 | 🟢 100 | 🟢 100 | 🟠 86 | Report |

@slorber slorber merged commit f60e255 into main Mar 11, 2026
15 checks passed
@slorber slorber deleted the slorber/publish-workflow-no-cache branch March 11, 2026 16:06