Merge pull request #1775 from jasongin/readonly-cache-v5

Bump @actions/cache to v5.1.0 - handle read-only cache access

.licenses/npm/@actions/cache.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@actions/cache"
-version: 5.0.5
+version: 5.1.0
 type: npm
 summary: Actions cache lib
 homepage: https://github.com/actions/toolkit/tree/main/packages/cache

.licenses/npm/@typespec/ts-http-runtime.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@typespec/ts-http-runtime"
-version: 0.3.2
+version: 0.3.5
 type: npm
 summary: Isomorphic client library for making HTTP requests in node.js and browser.
 homepage: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/core/ts-http-runtime/

README.md

@@ -90,7 +90,6 @@ If you are using a `self-hosted` Windows runner, `GNU tar` and `zstd` are requir
 * `enableCrossOsArchive` - An optional boolean when enabled, allows Windows runners to save or restore caches that can be restored or saved respectively on other platforms. Default: `false`
 * `fail-on-cache-miss` - Fail the workflow if cache entry is not found. Default: `false`
 * `lookup-only` - If true, only checks if cache entry exists and skips download. Does not change save cache behavior. Default: `false`
-* `save-on-success` - If true, then the cache is written in the post action on success, or (if false) the cache will only be restored if available. Default: `true`
 
 #### Environment Variables
 
@@ -110,6 +109,14 @@ The cache is scoped to the key, [version](#cache-version), and branch. The defau
 
 See [Matching a cache key](https://help.github.com/en/actions/configuring-and-managing-workflows/caching-dependencies-to-speed-up-workflows#matching-a-cache-key) for more info.
 
+### Read-only access
+
+Some workflow runs only have read-only access to the cache. A common case is a workflow triggered by a pull request from a fork: such runs can **restore** existing caches but may not be permitted to **save** new ones.
+
+When the cache token is read-only, the save step does not fail the job. Instead, `@actions/cache` reports the denial once as a warning (for example, `Failed to save: ... cache write denied: ...`) and the step completes successfully without writing a cache entry. Restores in the same run continue to work as usual.
+
+> **Note** This applies to the action's normal save path as well as the standalone [Save action](./save/README.md). If you intentionally want a restore-only setup, see [Make cache read only / Reuse cache from centralized job](./caching-strategies.md#make-cache-read-only--reuse-cache-from-centralized-job).
+
 ### Example cache workflow
 
 #### Restoring and saving cache using a single action

RELEASES.md

@@ -25,6 +25,11 @@
 
 ## Changelog
 
+### 5.1.0
+
+- Bump `@actions/cache` to v5.1.0 to pick up [actions/toolkit#2435 Handle cache write error due to read-only token](https://github.com/actions/toolkit/pull/2435)
+- Switch redundant "Cache save failed" warning to debug log in save-only
+
 ### 5.0.4
 
 - Bump `minimatch` to v3.1.5 (fixes ReDoS via globstar patterns)

__tests__/saveOnly.test.ts

@@ -105,8 +105,10 @@ test("save with valid inputs uploads a cache", async () => {
     expect(failedMock).toHaveBeenCalledTimes(0);
 });
 
-test("save failing logs the warning message", async () => {
+test("save failing logs the debug message", async () => {
+    const debugMock = jest.spyOn(core, "debug");
     const warningMock = jest.spyOn(core, "warning");
+    const failedMock = jest.spyOn(core, "setFailed");
 
     const primaryKey = "Linux-node-bb828da54c148048dd17899ba9fda624811cfb43";
 
@@ -115,6 +117,9 @@ test("save failing logs the warning message", async () => {
     testUtils.setInput(Inputs.Path, inputPath);
     testUtils.setInput(Inputs.UploadChunkSize, "4000000");
 
+    // A read-only / write-denied save surfaces to the action as saveCache resolving
+    // to -1; the toolkit has already logged the underlying reason. The action
+    // must not fail the job or emit its own warning.
     const cacheId = -1;
     const saveCacheMock = jest
         .spyOn(cache, "saveCache")
@@ -134,6 +139,7 @@ test("save failing logs the warning message", async () => {
         false
     );
 
-    expect(warningMock).toHaveBeenCalledTimes(1);
+    expect(debugMock).toHaveBeenCalledWith("Cache was not saved.");
-    expect(warningMock).toHaveBeenCalledWith("Cache save failed.");
+    expect(warningMock).not.toHaveBeenCalled();
+    expect(failedMock).not.toHaveBeenCalled();
 });

action.yml

@@ -26,18 +26,13 @@ inputs:
     description: 'Check if a cache entry exists for the given input(s) (key, restore-keys) without downloading the cache'
     default: 'false'
     required: false
-  save-on-success:
-    description: 'Whether the cache is written in the post action on success or (if false) is only restored'
-    default: 'true'
-    required: false
   save-always:
     description: 'Run the post step to save the cache even if another step before fails'
     default: 'false'
     required: false
     deprecationMessage: |
       save-always does not work as intended and will be removed in a future release.
-      If you only want to control whether a new cache will be written use `save-on-success` instead.
+      A separate `actions/cache/restore` step should be used instead.
-      Otherwise a separate `actions/cache/restore` step should be used instead.
       See https://github.com/actions/cache/tree/main/save#always-save-cache for more details.
 outputs:
   cache-hit:
@@ -46,7 +41,7 @@ runs:
   using: 'node24'
   main: 'dist/restore/index.js'
   post: 'dist/save/index.js'
-  post-if: "success() && github.event.inputs.save-on-success"
+  post-if: "success()"
 branding:
   icon: 'archive'
   color: 'gray-dark'

package-lock.json

@@ -1,15 +1,15 @@
 {
   "name": "cache",
-  "version": "5.0.4",
+  "version": "5.1.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "cache",
-      "version": "5.0.4",
+      "version": "5.1.0",
       "license": "MIT",
       "dependencies": {
-        "@actions/cache": "^5.0.5",
+        "@actions/cache": "^5.1.0",
         "@actions/core": "^2.0.3",
         "@actions/exec": "^2.0.0",
         "@actions/io": "^2.0.0"
@@ -39,9 +39,9 @@
       }
     },
     "node_modules/@actions/cache": {
-      "version": "5.0.5",
+      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/@actions/cache/-/cache-5.0.5.tgz",
+      "resolved": "https://registry.npmjs.org/@actions/cache/-/cache-5.1.0.tgz",
-      "integrity": "sha512-jiQSg0gfd+C2KPgcmdCOq7dCuCIQQWQ4b1YfGIRaaA9w7PJbRwTOcCz4LiFEUnqZGf0ha/8OKL3BeNwetHzYsQ==",
+      "integrity": "sha512-kTIj4YPrjjRPKSGlj7f8eq+Pijoy/SKBEbJcAwNsQTFGEF29NGqj1mqD02/PmhV6r4bRAixycexAWpmUJ2aCwg==",
       "license": "MIT",
       "dependencies": {
         "@actions/core": "^2.0.0",
@@ -1945,9 +1945,9 @@
       }
     },
     "node_modules/@typespec/ts-http-runtime": {
-      "version": "0.3.2",
+      "version": "0.3.5",
-      "resolved": "https://registry.npmjs.org/@typespec/ts-http-runtime/-/ts-http-runtime-0.3.2.tgz",
+      "resolved": "https://registry.npmjs.org/@typespec/ts-http-runtime/-/ts-http-runtime-0.3.5.tgz",
-      "integrity": "sha512-IlqQ/Gv22xUC1r/WQm4StLkYQmaaTsXAhUVsNE0+xiyf0yRFiH5++q78U3bw6bLKDCTmh0uqKB9eG9+Bt75Dkg==",
+      "integrity": "sha512-yURCknZhvywvQItHMMmFSo+fq5arCUIyz/CVk7jD89MSai7dkaX8ufjCWp3NttLojoTVbcE72ri+be/TnEbMHw==",
       "license": "MIT",
       "dependencies": {
         "http-proxy-agent": "^7.0.0",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "cache",
-  "version": "5.0.4",
+  "version": "5.1.0",
   "private": true,
   "description": "Cache dependencies and build outputs",
   "main": "dist/restore/index.js",
@@ -23,7 +23,7 @@
   "author": "GitHub",
   "license": "MIT",
   "dependencies": {
-    "@actions/cache": "^5.0.5",
+    "@actions/cache": "^5.1.0",
     "@actions/core": "^2.0.3",
     "@actions/exec": "^2.0.0",
     "@actions/io": "^2.0.0"

src/saveImpl.ts

@@ -84,7 +84,11 @@ export async function saveOnlyRun(
     try {
         const cacheId = await saveImpl(new NullStateProvider());
         if (cacheId === -1) {
-            core.warning(`Cache save failed.`);
+            // The toolkit's saveCache already logs the underlying reason at
+            // the appropriate severity (warning for most failures, info for
+            // benign concurrency races, error for 5xx). Avoid emitting a
+            // generic warning here that would duplicate or mask that signal.
+            core.debug(`Cache was not saved.`);
         }
     } catch (err) {
         console.error(err);