From 64ddbfea12d771317cbfdb80eada20b71d83f83c Mon Sep 17 00:00:00 2001
From: Daniel Hast
Date: Mon, 1 Dec 2025 07:47:54 -0500
Subject: [PATCH] ci: disable caching for actions/setup-go

This mitigates a potential cache-poisoning attack. For details, see: https://docs.zizmor.sh/audits/#cache-poisoning

Signed-off-by: Daniel Hast
---
 .github/workflows/mac-pkg.yml | 1 +
 .github/workflows/release-artifacts.yml | 1 +
 .github/workflows/release.yml | 3 +++
 .github/workflows/upload-win-installer.yml | 1 +
 4 files changed, 6 insertions(+)

diff --git a/.github/workflows/mac-pkg.yml b/.github/workflows/mac-pkg.yml
index 6ddc86ca8c..cd4d3ec5eb 100644
--- a/.github/workflows/mac-pkg.yml
+++ b/.github/workflows/mac-pkg.yml
@@ -111,6 +111,7 @@ jobs:
 uses: actions/setup-go@v6
 with:
 go-version: stable
+ cache: false
 - name: Create Keychain
 if: >-
 steps.check.outputs.buildamd == 'true' ||
diff --git a/.github/workflows/release-artifacts.yml b/.github/workflows/release-artifacts.yml
index bcedcda3b9..1d35e1a4fd 100644
--- a/.github/workflows/release-artifacts.yml
+++ b/.github/workflows/release-artifacts.yml
@@ -112,6 +112,7 @@ jobs:
 uses: actions/setup-go@v6
 with:
 go-version: stable
+ cache: false
 - name: Setup artifact directory
 if: >-
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ec39d1bbd2..4fe02410cc 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -77,6 +77,7 @@ jobs:
 uses: actions/setup-go@v6
 with:
 go-version: stable
+ cache: false
 - name: Set up pandoc
 run: |
 sudo apt-get install -y pandoc
@@ -115,6 +116,7 @@ jobs:
 uses: actions/setup-go@v6
 with:
 go-version: stable
+ cache: false
 - name: Create Keychain
 run: |
 echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12
@@ -175,6 +177,7 @@ jobs:
 uses: actions/setup-go@v6
 with:
 go-version: stable
+ cache: false
 - name: Set up WiX
 run: dotnet tool install --global wix
 - name: Setup Signature Tooling
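Review bot: The `uses: actions/setup-go@v6` context line in the mac-pkg.yml hunk still references the action by a mutable tag, so turning the cache off closes only one route by which untrusted content can reach these release and signing jobs. The same tag appears in the release-artifacts.yml hunk and in all three release.yml hunks, including the ones that lead into the `Create Keychain` and `Setup Signature Tooling` steps. Consider pinning to the full commit SHA with the tag kept as a comment, e.g. `uses: actions/setup-go@<full-commit-sha> # v6`, and letting a dependency-update bot maintain the pin. Each hunk shows only the middle of a step list, so whether other steps in these jobs restore caches (for example a separate cache action) cannot be confirmed from here and is worth checking.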
diff --git a/.github/workflows/upload-win-installer.yml b/.github/workflows/upload-win-installer.yml
index 0788234f06..e6c135dfed 100644
--- a/.github/workflows/upload-win-installer.yml
+++ b/.github/workflows/upload-win-installer.yml
@@ -92,6 +92,7 @@ jobs:
 if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
 with:
 go-version: stable
+ cache: false
 - name: Set up WiX
 run: dotnet tool install --global wix
 - name: Setup Signature Tooling
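Review bot: The added `cache: false` in upload-win-installer.yml carries no comment, and because setup-go enables caching by default, the line can look like noise to someone tidying the workflow later and be removed. A trailing comment would record the intent where it is needed: `cache: false # do not restore a Go cache into release builds (zizmor: cache-poisoning)`. The same comment fits the other five `cache: false` lines in this patch. The step's `uses:` line lies above this hunk, so the action this `with:` block belongs to is taken from the commit subject rather than seen here.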