Cache key never misses
======================

.. list-table::
   :stub-columns: 1
   :widths: 20 80

   * - Rule ID
     - ``cache_key_too_broad``
   * - Category
     - performance
   * - Severity
     - medium

Cache key does not include a hash of the lockfile, meaning the cache never invalidates when dependencies change.

Detection
---------

``static_analysis`` — Checks field presence or value in the workflow YAML.

Examples
--------

**Non-compliant:**

.. code-block:: yaml

   jobs:
     build:
       steps:
         - uses: actions/cache@v4
           with:
             path: ~/.npm
             key: ${{ runner.os }}-node

**Compliant:**

.. code-block:: yaml

   jobs:
     build:
       steps:
         - uses: actions/cache@v4
           with:
             path: ~/.npm
             key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
             restore-keys: ${{ runner.os }}-node-

**Fix**: Include hashFiles() of your lockfile in the cache key so the cache invalidates when dependencies change.