[plan] Fix cache poisoning vulnerability in release workflow

[github-actions]

Objective

Eliminate the cache poisoning vulnerability in the release workflow by disabling Go module caching for release builds.

Context

Severity: High
Tool: zizmor
Reference: cache-poisoning
Location: .github/workflows/release.lock.yml:382:1

The release workflow uses Go module caching which could allow an attacker to inject malicious code into the build cache, compromising release integrity. For release workflows, security must take priority over speed.

Approach

1. Edit .github/workflows/release.md (the source markdown file)
2. Locate the "Set up Go" step (around lines 75-79)
3. Change cache: true to cache: false with explanatory comment
4. Recompile the workflow using make recompile
5. Verify the fix with zizmor

Files to Modify

• Edit: .github/workflows/release.md (source file)
• Generated: .github/workflows/release.lock.yml (via recompile)

Current Code

- name: Set up Go
  uses: actions/setup-go@v5
  with:
    go-version-file: go.mod
    cache: true

Recommended Fix

- name: Set up Go
  uses: actions/setup-go@v5
  with:
    go-version-file: go.mod
    cache: false  # Disabled for release security - prevent cache poisoning attacks

Acceptance Criteria

• Caching disabled in release.md source file
• Workflow recompiled with make recompile
• Security comment added explaining the change
• Zizmor scan shows cache-poisoning warning resolved
• Release workflow still functions correctly (test on non-production tag if possible)

Why This Matters

• Release workflows are the most sensitive operation (publishing artifacts)
• Cache poisoning could compromise all releases distributed to users
• The workflow already runs infrequently (only on tags), so build time is less critical
• Following security best practices for supply chain protection
  Related to [plan] Address security findings from static analysis scan #5866

AI generated by Plan Command for discussion #5845