Disable Go module caching in release workflow to prevent cache poisoning #5872

Merged
pelikhan merged 3 commits into main from
copilot/fix-cache-poisoning-vulnerability
Dec 8, 2025

Contributor

Copilot AI commented Dec 8, 2025

The release workflow's Go module cache creates a supply chain vulnerability where an attacker could inject malicious code into cached dependencies, compromising all published artifacts.

Changes

  • Set cache: false in the generate-sbom job's Go setup step (.github/workflows/release.md line 79)
  • Added inline comment explaining the security rationale
  • Recompiled workflow to apply changes to .github/workflows/release.lock.yml

Before

- name: Set up Go
  uses: actions/setup-go@v5
  with:
    go-version-file: go.mod
    cache: true

After

- name: Set up Go
  uses: actions/setup-go@v5
  with:
    go-version-file: go.mod
    cache: false  # Disabled for release security - prevent cache poisoning attacks

The performance trade-off is negligible—release workflows run only on version tags, and build time is not critical compared to ensuring artifact integrity.

Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Fix cache poisoning vulnerability in release workflow</issue_title>
<issue_description>## Objective

Eliminate the cache poisoning vulnerability in the release workflow by disabling Go module caching for release builds.

Context

Severity: High
Tool: zizmor
Reference: cache-poisoning
Location: .github/workflows/release.lock.yml:382:1

The release workflow uses Go module caching which could allow an attacker to inject malicious code into the build cache, compromising release integrity. For release workflows, security must take priority over speed.

Approach

  1. Edit .github/workflows/release.md (the source markdown file)
  2. Locate the "Set up Go" step (around lines 75-79)
  3. Change cache: true to cache: false with explanatory comment
  4. Recompile the workflow using make recompile
  5. Verify the fix with zizmor

Files to Modify

  • Edit: .github/workflows/release.md (source file)
  • Generated: .github/workflows/release.lock.yml (via recompile)

Current Code

- name: Set up Go
  uses: actions/setup-go@v5
  with:
    go-version-file: go.mod
    cache: true

Recommended Fix

- name: Set up Go
  uses: actions/setup-go@v5
  with:
    go-version-file: go.mod
    cache: false  # Disabled for release security - prevent cache poisoning attacks

Acceptance Criteria

  • Caching disabled in release.md source file
  • Workflow recompiled with make recompile
  • Security comment added explaining the change
  • Zizmor scan shows cache-poisoning warning resolved
  • Release workflow still functions correctly (test on non-production tag if possible)

Why This Matters

  • Release workflows are the most sensitive operation (publishing artifacts)
  • Cache poisoning could compromise all releases distributed to users
  • The workflow already runs infrequently (only on tags), so build time is less critical
  • Following security best practices for supply chain protection

Related to [plan] Address security findings from static analysis scan #5866

AI generated by Plan Command for discussion #5845

Comments on the Issue (you are @copilot in this section)



… module caching

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix cache poisoning vulnerability in release workflow" to "Disable Go module caching in release workflow to prevent cache poisoning" Dec 8, 2025
Copilot AI requested a review from mnkiefer December 8, 2025 14:25
pelikhan marked this pull request as ready for review December 8, 2025 15:45
pelikhan merged commit dccb044 into main Dec 8, 2025
5 checks passed
pelikhan deleted the copilot/fix-cache-poisoning-vulnerability branch December 8, 2025 15:45
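
A lightweight guard for the "caching disabled" acceptance criterion, added here as an example (it is not code from this pull request or repository, and it does not replace the zizmor scan). It lists every `actions/setup-go` step in a workflow file whose `cache` input is not explicitly `false`. The names `split_steps`, `setup_go_cache_findings` and `SAMPLE` are hypothetical, and it assumes that an omitted `cache` input means caching is on, since setup-go v4 and later enable it by default.

```python
import re

# Constructed sample workflow (not from the repository under review).
SAMPLE = """\
steps:
  - name: Set up Go
    uses: actions/setup-go@v5
    with:
      go-version-file: go.mod
      cache: false  # Disabled for release security
  - uses: actions/setup-go@v5
  - name: Set up Go (cached)
    uses: actions/setup-go@v5
    with:
      cache: true
"""

STEP = re.compile(r"^\s*-\s+\S")
USES_SETUP_GO = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?actions/setup-go@")
CACHE = re.compile(r"^\s*cache:\s*['\"]?([^'\"\s#]+)")

def split_steps(text):
    """Return [(first_line_no, lines)] for each YAML list item plus its indented body."""
    steps, indent = [], None
    for no, line in enumerate(text.splitlines(), 1):
        body = line.lstrip()
        if not body or body.startswith("#"):
            continue  # blank and comment lines never end a step
        cur = len(line) - len(body)
        if indent is not None and cur > indent:
            steps[-1][1].append(line)  # deeper indent: still inside the current item
            continue
        indent = cur if STEP.match(line) else None
        if indent is not None:
            steps.append((no, [line]))
    return steps

def setup_go_cache_findings(text):
    """Return (line_no, reason) for each setup-go step that can still restore a cache."""
    findings = []
    for start, lines in split_steps(text):
        if any(USES_SETUP_GO.match(l) for l in lines):
            values = [m.group(1).lower() for l in lines if (m := CACHE.match(l))]
            value = values[-1] if values else "unset (setup-go defaults to true)"
            if value != "false":
                findings.append((start, f"cache: {value}"))
    return findings

if __name__ == "__main__":
    print(setup_go_cache_findings(SAMPLE))
```

The scan is line-based and deliberately conservative: any value other than a literal `false`, including an expression, is reported.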
Development

Successfully merging this pull request may close these issues.

[plan] Fix cache poisoning vulnerability in release workflow
