Add cache-write input for read-only cache mode by salmanmkc · Pull Request #1284 · actions/setup-python

Right now if you use cache: pip (or pipenv/poetry) in a PR workflow, the action restores and saves the cache. There's no way to get read-only mode where you benefit from existing caches without writing back. This matters for cache poisoning — an untrusted PR could plant bad packages in the cache that later get picked up by pushes to main.

This adds a cache-write input (defaults to true, no breaking change). Set it to false to skip the post-step save.

Usage:

- uses: actions/setup-python@v6
  with:
    python-version: "3.12"
    cache: pip
    cache-write: ${{ github.event_name != 'pull_request' }}

What changed:

• action.yml — new cache-write input
• src/cache-save.ts — early return when cache-write is false
• dist/ — rebuilt

Same change going into setup-node, setup-go, setup-java, setup-dotnet.