Merge pull request 'feat: add cache action' (#18) from feature/cache into main

Reviewed-on: #18 Reviewed-by: Markus.Opahle@schmalz.de <Markus.Opahle@schmalz.de>
2026-05-05 12:12:11 +00:00 · 2026-05-05 12:12:11 +00:00 · 5df90fed35
commit 5df90fed35
parent 65b5f623c1 1e68ce68c7
4 changed files with 107 additions and 0 deletions
--- a/.forgejo/workflows/tag-release.yml
+++ b/.forgejo/workflows/tag-release.yml
@ -16,6 +16,7 @@ on:
          - aikido-full-scan
          - aikido-pr-scan
          - aws-configure
+          - cache
          - checkout
          - pnpm-build
          - publish-static-contents
--- a/README.md
+++ b/README.md
@ -9,6 +9,7 @@ Shared actions for Forgejo CI/CD pipelines.
 | [aikido-full-scan](aikido-full-scan) | Aikido full scan |
 | [aikido-pr-scan](aikido-pr-scan) | Aikido PR scan |
 | [aws-configure](aws-configure) | Authenticate with AWS via OIDC |
+| [cache](cache) | Cache files between workflow runs |
 | [checkout](checkout) | Action for checking out a repository |
 | [pnpm-build](pnpm-build) | Action for building and validating with PNPM |
 | [publish-static-contents](publish-static-contents) | Syncs frontend assets to S3 and invalidates a CloudFront distribution |
--- a/cache/README.md
+++ b/cache/README.md
@ -0,0 +1,51 @@
+# cache
+
+Composite wrapper around actions/cache pinned to a specific commit SHA to prevent supply chain attacks via tag or branch hijacking.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `path` | Yes | — | List of files, directories, and wildcard patterns to cache and restore |
+| `key` | Yes | — | An explicit key for saving and restoring the cache |
+| `restore-keys` | No | `''` | Ordered multiline string of prefix-matched keys used for restoring stale cache |
+| `upload-chunk-size` | No | `''` | Chunk size in bytes used to split large files during upload |
+| `enableCrossOsArchive` | No | `false` | Allow caches saved on one OS to be restored on another |
+| `fail-on-cache-miss` | No | `false` | Fail the workflow if no cache entry is found |
+| `lookup-only` | No | `false` | Check if a cache entry exists without downloading it |
+
+## Outputs
+
+| Output | Description |
+|--------|-------------|
+| `cache-hit` | `true` if an exact match was found for the primary key |
+
+## Usage
+
+```yaml
+- name: Cache pnpm store
+  uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/cache@cache-v1
+  with:
+    path: ~/.local/share/pnpm/store
+    key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
+    restore-keys: |
+      ${{ runner.os }}-pnpm-
+```
+
+```yaml
+- name: Cache node_modules
+  id: node-modules-cache
+  uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/cache@cache-v1
+  with:
+    path: node_modules
+    key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+
+- name: Install dependencies
+  if: steps.node-modules-cache.outputs.cache-hit != 'true'
+  run: npm ci
+```
+
+## Notes
+
+- Pinned to `actions/cache` commit SHA `0057852b` (v4.3.0) to prevent supply chain attacks via tag or branch hijacking.
+- Upstream action: [code.forgejo.org/actions/cache](https://code.forgejo.org/actions/cache).
--- a/cache/action.yml
+++ b/cache/action.yml
@ -0,0 +1,54 @@
+name: Schmalz Cache
+description: >
+  Composite wrapper around actions/cache pinned to a specific commit SHA
+  to prevent supply chain attacks via tag or branch hijacking.
+
+inputs:
+  path:
+    description: A list of files, directories, and wildcard patterns to cache and restore.
+    required: true
+  key:
+    description: An explicit key for saving and restoring the cache.
+    required: true
+  restore-keys:
+    description: An ordered multiline string listing prefix-matched keys used for restoring stale cache if no cache hit occurred for key.
+    required: false
+    default: ''
+  upload-chunk-size:
+    description: The chunk size used to split up large files during upload, in bytes.
+    required: false
+    default: ''
+  enableCrossOsArchive:
+    description: When enabled, allows Windows runners to save or restore caches that can be used on other platforms.
+    required: false
+    default: 'false'
+  fail-on-cache-miss:
+    description: Fail the workflow if cache entry is not found.
+    required: false
+    default: 'false'
+  lookup-only:
+    description: Check if a cache entry exists for the given input(s) without downloading the cache.
+    required: false
+    default: 'false'
+
+outputs:
+  cache-hit:
+    description: A boolean value to indicate an exact match was found for the primary key.
+    value: ${{ steps.cache.outputs.cache-hit }}
+
+runs:
+  using: composite
+  steps:
+    # Pinned to commit SHA instead of a tag to prevent supply chain attacks.
+    # actions/cache v4.3.0 — https://code.forgejo.org/actions/cache/commits/tag/v4.3.0
+    - name: Cache
+      id: cache
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
+      with:
+        path: ${{ inputs.path }}
+        key: ${{ inputs.key }}
+        restore-keys: ${{ inputs.restore-keys }}
+        upload-chunk-size: ${{ inputs.upload-chunk-size }}
+        enableCrossOsArchive: ${{ inputs.enableCrossOsArchive }}
+        fail-on-cache-miss: ${{ inputs.fail-on-cache-miss }}
+        lookup-only: ${{ inputs.lookup-only }}