Stop cache poisoning in GitHub Actions with read-only untrusted triggers
GitHub Actions now gives read-only cache tokens to low-trust default-branch workflow triggers, reducing cache-poisoning paths from pull_request_target, issue_comment, and workflow_run.
GitHub Actions now issues read-only cache tokens for low-trust workflow events that run against the default branch cache scope. Confidence level: confirmed. The change targets cache-poisoning paths where externally influenced workflow code could write cache entries that later trusted workflows restore.
What changed
GitHub says Actions now applies read-only cache access when an untrusted event can be triggered by someone without write permissions and the workflow uses the shared default-branch SHA cache scope. Examples named by GitHub include pull_request_target, issue_comment, and workflow_run cascades from fork pull requests.
Trusted default-branch triggers still keep read-write cache access. GitHub lists push, schedule, workflow_dispatch, repository_dispatch, delete, registry_package, and page_build among the common triggers that can continue writing cache entries.
| Trigger or context | Cache behavior after the change | Why it matters | What to check |
|---|---|---|---|
pull_request_target on default-branch scope | Read-only cache token | Reduces cache poisoning from externally influenced inputs | Replace cache saves with restore-only usage |
issue_comment on default-branch scope | Read-only cache token | Comments can be initiated by low-trust actors | Watch for cache-save warnings |
workflow_run from fork PR cascades | Read-only cache token | Prevents lower-trust runs from seeding trusted caches | Split trusted cache warming into a separate workflow |
push and schedule | Read-write cache access remains | Trusted branch maintenance still warms caches | Keep these workflows hardened |
Why this is early
This is an official GitHub platform change, not an early rumor. It is early because many teams will only notice it when an actions/cache save starts logging warnings while the job continues. The primary source is GitHub's June 26, 2026 changelog, and the GitHub Actions dependency-caching docs now include a dedicated section on low-trust workflow triggers.
GitHub's secure-use reference provides the broader reason this matters: privileged triggers such as pull_request_target and workflow_run can create serious risk when they interact with untrusted code or artifacts.
Key takeaways
- Low-trust default-branch workflow contexts can restore caches but cannot create or overwrite them.
- Cache-save attempts in restricted runs fail as warnings; the job continues.
- Trusted cache warming should move to events such as
pushwhen performance still matters. - The
pull_requestevent is not affected in the same way because its caches are scoped to the merge ref. - The change ships to both GitHub.com and GitHub with Data Residency.
Availability and access
No manual opt-in is described in the changelog. GitHub frames this as a platform behavior change for Actions cache tokens. Teams using actions/cache should review workflows that combine default-branch cache scope with low-trust events, especially public repositories and repositories accepting fork pull requests.
The immediate symptom is a warning when a restricted workflow tries to save a cache. Restores continue to work, so many builds will still pass. That makes this a good week to search logs and workflow files rather than waiting for a slow CI complaint.
Practical LinkLoot angle
This is a small security change with a direct maintenance task: separate cache creation from cache restoration. Keep cache saves in trusted workflows, then let low-trust workflows restore those entries without write access. That preserves most speed benefits while removing a common escalation path.
For teams running AI coding agents or external contributors through CI, the same principle applies: do not let untrusted code write artifacts, caches, or files that a later privileged workflow will execute. Pair this review with LinkLoot's AI workflow automation guide if agents trigger or modify CI pipelines.
What to verify before you act
- Search for
pull_request_target,issue_comment, andworkflow_runworkflows that callactions/cache/saveoractions/cache. - Check recent workflow logs for cache-save warnings after June 26, 2026.
- Move cache writes to a trusted
pushor scheduled cache-warming workflow where possible. - Confirm that no secrets, tokens, or credentials are stored in cached paths.
- Review
GITHUB_TOKENpermissions and untrusted checkout behavior in privileged workflows.
Source check
Confirmed by:
- GitHub's changelog says Actions now issues read-only cache tokens for untrusted default-branch cache contexts.
- GitHub's dependency-caching documentation explains cache access for low-trust workflow triggers and cache-poisoning risk.
- GitHub's secure-use reference documents the risks around privileged triggers, untrusted checkout, secrets, and workflow hardening.
Early signal / context:
- This item came from the official GitHub Changelog feed. No Product Hunt, deal page, newsletter, or social-only source was used.
Low-trust workflow events that use the default-branch cache scope now get read-only cache access, so they can restore caches but cannot overwrite them.