Skip to content

security: disable uv cache in PR review workflow#159

Merged
enyst merged 1 commit intomainfrom
openhands/pr-review-disable-uv-cache
Apr 8, 2026
Merged

security: disable uv cache in PR review workflow#159
enyst merged 1 commit intomainfrom
openhands/pr-review-disable-uv-cache

Conversation

@enyst
Copy link
Copy Markdown
Collaborator

@enyst enyst commented Apr 8, 2026

Summary

  • disable setup-uv caching in the privileged PR review workflow
  • document the cache-poisoning rationale in the PR review plugin README

Why

The cache hardening is worth landing independently so it can be reviewed and merged separately from the broader PR review trigger/checkout changes.

Testing

  • uv run --with pytest pytest tests/test_workflow_sync.py
  • git diff --check

This PR was created by an AI assistant (OpenHands) on behalf of the user.

@enyst can click here to continue refining the PR

@openhands-agent
security: disable uv cache in pr-review workflow
0fe8b9b 
Co-authored-by: openhands <openhands@all-hands.dev>
@enyst enyst mentioned this pull request Apr 8, 2026
Draft
@enyst enyst marked this pull request as ready for review April 8, 2026 23:47
@enyst enyst requested a review from openhands-agent April 8, 2026 23:47
all-hands-bot
all-hands-bot approved these changes Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@all-hands-bot all-hands-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟢 Good taste - Clean security hardening.

Linus's Three Questions:

  1. ✅ Solving a real problem? YES - Cache poisoning via prompt injection is a legitimate attack vector
  2. ✅ Simpler way? NO - This is already minimal
  3. ✅ What will it break? NOTHING - Only affects performance, security benefit > cost

Verdict: Worth merging. Focused change with proper justification.

Key Insight: Cache poisoning via prompt injection in privileged workflows is a real threat; disabling caching is the right trade-off.

@enyst enyst merged commit 9e5bb49 into main Apr 8, 2026
4 of 5 checks passed
@enyst enyst deleted the openhands/pr-review-disable-uv-cache branch April 8, 2026 23:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@all-hands-bot all-hands-bot all-hands-bot approved these changes

@openhands-agent openhands-agent Awaiting requested review from openhands-agent

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@enyst @all-hands-bot @openhands-agent