[Incident] Integrate cache forensics task to other workflows

[d-niu]

Why we need to integrate cache uploads during other workflows

After a lot of testing, I realized downloading caches with metadata attributes (name, version, id) proved to be impossible because the exact creation path for the caches are needed for download, by design.

Our best bet moving forward is to integrate:

1. this step into other workflows for the time being
2. empty the existing manually caches again, and
3. check for issues in downloaded caches.

Investigating if caches have been poisoned

Following the cache poisoning attempt, I'm trying to make (and now debug) a workflow to download caches for analysis.
I want to get full cache contents to assess if the malicious payload is self replicating (meaning the linked payload has been added to the caches). In the malicious payload, the following cache key & versions are listed in 'explicitEntries':

[{key:"PFxRDTsQC2CBRTRk3TMxWNYXnd0=",version:"4793076103aa823b0a4c97942d7385d4346f77a3c30a0bad6e0f1d748becbab5"},

{key:"Aktlxw4hnyBVd/vZJbkdxGmq8Tw==",version:"3dbcc4f8dfd5fbbab9759602b7adb19c466cf9edfc277687f97ba9efbdc86d90"},

{key:"n71Gg/JormzoitmBpVjBCZCcL6Y=",version:"0c867ee6264758fbca938e6c6d38a3160cb478f2770da2f831e22e4c9e3720d8"}]

However, these also happen to be the caches of legitimate setup bun components needs in the actions/checkout action, which is probably why they were picked for these repo.

Testing with test-cache-mirror.yml

47a124e

gh workflow run test-cache-mirror.yml --ref d.niu/update-cache-workflow
gh run list --workflow=test-cache-mirror.yml
gh run download 20243979846

Debugging (notes):

1. Updated hardcode list of caches to upload as an artifact
2. Name workflow (allows workflow to appear in 'actions' tab)
3. Trigger on PR for faster testing
4. Change logic to use the existing cache restore workflow

Motivation

Plugin Checklist

• Unit tests.
• Integration tests.
• Benchmarks.
• TypeScript definitions.
• TypeScript tests.
• API documentation.
• CI jobs/workflows.

Additional Notes

[github-actions]

Overall package size

Self size: 3.58 MB
Deduped: 4.47 MB
No deduping: 4.47 MB

Dependency sizes

| name | version | self size | total size | |------|---------|-----------|------------| | import-in-the-middle | 1.15.0 | 127.66 kB | 856.24 kB | | dc-polyfill | 0.1.10 | 26.73 kB | 26.73 kB |

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.77%. Comparing base (b479dad) to head (0208c28).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #7112   +/-   ##
=======================================
  Coverage   84.77%   84.77%           
=======================================
  Files         521      521           
  Lines       22149    22149           
=======================================
  Hits        18776    18776           
  Misses       3373     3373           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-12-16 01:14:06

Comparing candidate commit ae17b82 in PR branch d.niu/update-cache-workflow with baseline commit b479dad in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 289 metrics, 31 unstable metrics.