Cache key never misses
| Rule ID | |
|---|---|
| Category | performance |
| Severity | medium |
Cache key does not include a hash of the lockfile, meaning the cache never invalidates when dependencies change.
Detection
static_analysis — Checks field presence or value in the workflow YAML.
Examples
Non-compliant:
```yaml
jobs:
  build:
    steps:
      - uses: actions/cache@v4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node
```
Compliant:
```yaml
jobs:
  build:
    steps:
      - uses: actions/cache@v4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: ${{ runner.os }}-node-
```
Fix: Include hashFiles() of your lockfile in the cache key so the cache invalidates when dependencies change.
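One way to implement the static check described under Detection, as an added example (it is not this rule's own implementation). The function name `find_static_cache_keys`, the line-based matching and the sample workflow are assumptions made for illustration.

```python
import re

STEP_START = re.compile(r"^\s*-\s")  # any list item is treated as the start of a new step
CACHE_USES = re.compile(r"uses:\s*['\"]?actions/cache(?:/restore|/save)?@")
KEY_LINE = re.compile(r"^\s*key:\s*(.+?)\s*$")  # does not match "restore-keys:"

# Constructed sample: the first step has a static key, the second is keyed on the lockfile.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/cache@v4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node
      - uses: actions/cache@v4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: ${{ runner.os }}-node-
"""

def find_static_cache_keys(workflow_text):
    """Return (line_number, key) for each actions/cache step whose key lacks hashFiles().

    Line-based heuristic (assumption): expects `uses:` to appear before `with:` in a step.
    """
    findings = []
    in_cache_step = False
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        if STEP_START.match(line):
            in_cache_step = False  # a new list item ends the previous step
        if CACHE_USES.search(line):
            in_cache_step = True
        match = KEY_LINE.match(line)
        # hashFiles is compared case-insensitively, as expression function names are
        if in_cache_step and match and "hashfiles(" not in match.group(1).lower():
            findings.append((line_no, match.group(1)))
    return findings

if __name__ == "__main__":
    for line_no, key in find_static_cache_keys(SAMPLE_WORKFLOW):
        print(f"line {line_no}: cache key has no hashFiles(): {key}")
```
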