Merge d722552897 into b45623637f

Document path behaviour and access restrictions
Thanks to this comment which saved me some headache: https://github.com/actions/cache/issues/1491#issuecomment-2450718907 related to #1561. related to #1491. related to #1426.
2026-06-14 17:04:10 +08:00 · 2026-01-29 11:46:47 +01:00 · 2025-03-07 11:04:57 +01:00
4 changed files with 11 additions and 149 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -20,7 +20,7 @@ jobs:

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@v3
      # Override language selection by uncommenting this and choosing your languages
      # with:
      #   languages: go, javascript, csharp, python, cpp, java, ruby
@@ -28,7 +28,7 @@ jobs:
    # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
    # If this step fails, then you should remove it and run the build manually (see below).
    - name: Autobuild
-      uses: github/codeql-action/autobuild@v4
+      uses: github/codeql-action/autobuild@v3

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -42,4 +42,4 @@ jobs:
    #     make release

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@v3
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -90,86 +90,15 @@ jobs:
    runs-on: ubuntu-latest
    container:
      image: ubuntu:latest
-      options: --cap-add=NET_ADMIN
+      options: --dns 127.0.0.1
    services:
      squid-proxy:
        image: ubuntu/squid:latest
        ports:
          - 3128:3128
    env:
-      http_proxy: http://squid-proxy:3128
      https_proxy: http://squid-proxy:3128
    steps:
-    - name: Wait for proxy to be ready
-      shell: bash
-      run: |
-        echo "Waiting for squid proxy to be ready..."
-        echo "Resolving squid-proxy hostname:"
-        getent hosts squid-proxy || echo "DNS resolution failed"
-        for i in $(seq 1 30); do
-          if (echo > /dev/tcp/squid-proxy/3128) 2>/dev/null; then
-            echo "Proxy is ready!"
-            exit 0
-          fi
-          echo "Attempt $i: Proxy not ready, waiting..."
-          sleep 2
-        done
-        echo "Proxy failed to become ready"
-        exit 1
-      env:
-        http_proxy: ""
-        https_proxy: ""
-    - name: Install dependencies
-      run: |
-        apt-get update
-        apt-get install -y iptables curl
-    - name: Verify proxy is working
-      run: |
-        echo "Testing proxy connectivity..."
-        curl -s -o /dev/null -w "%{http_code}" --proxy http://squid-proxy:3128 http://github.com || true
-        echo "Proxy verification complete"
-    - name: Block direct traffic (enforce proxy usage)
-      run: |
-        # Get the squid-proxy container IP
-        PROXY_IP=$(getent hosts squid-proxy | awk '{ print $1 }')
-        echo "Proxy IP: $PROXY_IP"
-        
-        # Allow loopback traffic
-        iptables -A OUTPUT -o lo -j ACCEPT
-        
-        # Allow traffic to the proxy container
-        iptables -A OUTPUT -d $PROXY_IP -j ACCEPT
-        
-        # Allow established connections
-        iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-        
-        # Allow DNS (needed for initial resolution)
-        iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
-        iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
-        
-        # Block all other outbound traffic (HTTP/HTTPS)
-        iptables -A OUTPUT -p tcp --dport 80 -j REJECT
-        iptables -A OUTPUT -p tcp --dport 443 -j REJECT
-        
-        # Log the iptables rules for debugging
-        iptables -L -v -n
-    - name: Verify direct HTTPS is blocked
-      run: |
-        echo "Testing that direct HTTPS requests fail..."
-        if curl --noproxy '*' -s --connect-timeout 5 https://github.com > /dev/null 2>&1; then
-          echo "ERROR: Direct HTTPS request succeeded - blocking is not working!"
-          exit 1
-        else
-          echo "SUCCESS: Direct HTTPS request was blocked as expected"
-        fi
-        
-        echo "Testing that HTTPS through proxy succeeds..."
-        if curl --proxy http://squid-proxy:3128 -s --connect-timeout 10 https://github.com > /dev/null 2>&1; then
-          echo "SUCCESS: HTTPS request through proxy succeeded"
-        else
-          echo "ERROR: HTTPS request through proxy failed!"
-          exit 1
-        fi
    - name: Checkout
      uses: actions/checkout@v5
    - name: Generate files
@@ -185,86 +114,15 @@ jobs:
    runs-on: ubuntu-latest
    container:
      image: ubuntu:latest
-      options: --cap-add=NET_ADMIN
+      options: --dns 127.0.0.1
    services:
      squid-proxy:
        image: ubuntu/squid:latest
        ports:
          - 3128:3128
    env:
-      http_proxy: http://squid-proxy:3128
      https_proxy: http://squid-proxy:3128
    steps:
-    - name: Wait for proxy to be ready
-      shell: bash
-      run: |
-        echo "Waiting for squid proxy to be ready..."
-        echo "Resolving squid-proxy hostname:"
-        getent hosts squid-proxy || echo "DNS resolution failed"
-        for i in $(seq 1 30); do
-          if (echo > /dev/tcp/squid-proxy/3128) 2>/dev/null; then
-            echo "Proxy is ready!"
-            exit 0
-          fi
-          echo "Attempt $i: Proxy not ready, waiting..."
-          sleep 2
-        done
-        echo "Proxy failed to become ready"
-        exit 1
-      env:
-        http_proxy: ""
-        https_proxy: ""
-    - name: Install dependencies
-      run: |
-        apt-get update
-        apt-get install -y iptables curl
-    - name: Verify proxy is working
-      run: |
-        echo "Testing proxy connectivity..."
-        curl -s -o /dev/null -w "%{http_code}" --proxy http://squid-proxy:3128 http://github.com || true
-        echo "Proxy verification complete"
-    - name: Block direct traffic (enforce proxy usage)
-      run: |
-        # Get the squid-proxy container IP
-        PROXY_IP=$(getent hosts squid-proxy | awk '{ print $1 }')
-        echo "Proxy IP: $PROXY_IP"
-        
-        # Allow loopback traffic
-        iptables -A OUTPUT -o lo -j ACCEPT
-        
-        # Allow traffic to the proxy container
-        iptables -A OUTPUT -d $PROXY_IP -j ACCEPT
-        
-        # Allow established connections
-        iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-        
-        # Allow DNS (needed for initial resolution)
-        iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
-        iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
-        
-        # Block all other outbound traffic (HTTP/HTTPS)
-        iptables -A OUTPUT -p tcp --dport 80 -j REJECT
-        iptables -A OUTPUT -p tcp --dport 443 -j REJECT
-        
-        # Log the iptables rules for debugging
-        iptables -L -v -n
-    - name: Verify direct HTTPS is blocked
-      run: |
-        echo "Testing that direct HTTPS requests fail..."
-        if curl --noproxy '*' -s --connect-timeout 5 https://github.com > /dev/null 2>&1; then
-          echo "ERROR: Direct HTTPS request succeeded - blocking is not working!"
-          exit 1
-        else
-          echo "SUCCESS: Direct HTTPS request was blocked as expected"
-        fi
-        
-        echo "Testing that HTTPS through proxy succeeds..."
-        if curl --proxy http://squid-proxy:3128 -s --connect-timeout 10 https://github.com > /dev/null 2>&1; then
-          echo "SUCCESS: HTTPS request through proxy succeeded"
-        else
-          echo "ERROR: HTTPS request through proxy failed!"
-          exit 1
-        fi
    - name: Checkout
      uses: actions/checkout@v5
    - name: Restore cache
--- a/caching-strategies.md
+++ b/caching-strategies.md
@@ -165,6 +165,10 @@ steps:
    run: /publish.sh
 ```

+> [!IMPORTANT]
+> 
+> The `path` must match on both the centralized job and the target job, otherwise there will be no cache-hit whatsoever. Also take notes of the [restrictions for accessing caches across workflows](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache).  
+
 ### Failing/Exiting the workflow if cache with exact key is not found

 You can use the output of this action to exit the workflow on cache miss. This way you can restrict your workflow to only initiate the build when `cache-hit` occurs, in other words, cache with exact key is found.
--- a/examples.md
+++ b/examples.md
@@ -49,7 +49,7 @@
  with:
    path: |
      ~/.bun/install/cache
-    key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lock') }}
+    key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lockb') }}
 ```

 ### Windows
@@ -59,7 +59,7 @@
  with:
    path: |
      ~\.bun
-    key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lock') }}
+    key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lockb') }}
 ```

 ## C# - NuGet
Author	SHA1	Message	Date
Matthias Benkort	45aedc9961	Merge `d722552897` into `b45623637f`	2026-01-29 11:46:47 +01:00
Matthias Benkort	d722552897	Document `path` behaviour and access restrictions Thanks to this comment which saved me some headache: https://github.com/actions/cache/issues/1491#issuecomment-2450718907 related to #1561. related to #1491. related to #1426.	2025-03-07 11:04:57 +01:00