What I don't get is how the GitHub Action cache is shared between unprotected and protected refs. Is that really the case?
replyWhy even have protected branch rules when anyone with write access to an unprotected branch can poison the Action cache and compromise the CI on the next protected branch run?
In GitLab CI caches are not shared between unprotected and protected runs.
From a GitHub product owner POV, if the architecture is not to be changed, what is the solution?
replyA big ugly warning in the UI?
Or, push back on the architecture?
Or, is threatening a big ugly warning in the UI actually pushing back on the architecture?
Many projects kind of take a different approach where for pull requests CI is not run until approvals from maintainers are given even for very simple jobs to avoid untrusted code running in ci.
reply