From 0d729b3e2a2f6512cb86cb2505e0fa8bbbae15d1 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 8 Dec 2025 14:12:14 +0000
Subject: [PATCH 1/2] Initial plan

From 02fd43999ec82aca65dff611afd1078bc0ffb0c6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 8 Dec 2025 14:18:58 +0000
Subject: [PATCH 2/2] Fix cache poisoning vulnerability in release workflow by disabling Go module caching

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
---
 .github/workflows/release.lock.yml | 4 ++--
 .github/workflows/release.md | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml
index a065fa06d2c..66ca6925274 100644
--- a/.github/workflows/release.lock.yml
+++ b/.github/workflows/release.lock.yml
@@ -99,7 +99,7 @@
 # uses: actions/setup-go@v5
 # with:
 # go-version-file: go.mod
-# cache: true
+# cache: false # Disabled for release security - prevent cache poisoning attacks
 #
 # - name: Download Go modules
 # run: go mod download
@@ -6271,7 +6271,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
 with:
- cache: true
+ cache: false
 go-version-file: go.mod
 - name: Download Go modules
 run: go mod download
diff --git a/.github/workflows/release.md b/.github/workflows/release.md
index 520342671f1..ee16e0f63e4 100644
--- a/.github/workflows/release.md
+++ b/.github/workflows/release.md
@@ -76,7 +76,7 @@ jobs:
 uses: actions/setup-go@v5
 with:
 go-version-file: go.mod
- cache: true
+ cache: false # Disabled for release security - prevent cache poisoning attacks
 
 - name: Download Go modules
 run: go mod download
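Review bot: `cache: false` in the release.md hunk turns off only the module and build cache that `actions/setup-go` manages itself. The release job starts and ends outside this hunk, so it is not visible whether another step (an explicit `actions/cache`, or another setup action with caching enabled) still restores content that lower-trust workflow runs can write; that should be checked before treating the poisoning path as closed. The inline comment would hold up better against a later speed-up change if it stated the reason as an invariant, for example `cache: false # release builds must not restore Actions cache entries; other workflows in this repo can write them`. The two release.lock.yml hunks mirror this change and need no separate comment, provided the lock file was regenerated from release.md rather than edited by hand.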