From 9b5580e861df477ca0c2b37eebca92f52d2fee52 Mon Sep 17 00:00:00 2001 From: Jesse Houwing Date: Tue, 12 May 2026 09:03:28 +0200 Subject: [PATCH] Add note on `pull_request_target` exception for actions/cache usage --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 6cb71e7..e88b4cd 100644 --- a/README.md +++ b/README.md @@ -179,6 +179,8 @@ jobs: > **Note** > You must use the `cache` or `restore` action in your workflow before you need to use the files that might be restored from the cache. If the provided `key` matches an existing cache, a new cache is not created and if the provided `key` doesn't match an existing cache, a new cache is automatically created provided the job completes successfully. +> +> **`pull_request_target` exception:** When `actions/cache` is used in a `pull_request_target` workflow, the automatic post-step save is **skipped**. This is a security measure to prevent untrusted pull request code from poisoning caches accessible to privileged workflows. If really you need to save a cache in a trusted `pull_request_target` context (e.g., after validating the PR source), use [`actions/cache/save`](./save/README.md) explicitly with an appropriate `if` condition. ## Caching Strategies
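Review bot: In the added `pull_request_target` exception paragraph, "If really you need to save a cache" has its words out of order and should read "If you really need to save a cache". The same sentence points readers to `actions/cache/save` with "an appropriate `if` condition" and gives "after validating the PR source" as the only hint, but it never says what the condition has to establish. Since the paragraph's own rationale is preventing untrusted pull request code from poisoning caches, spell out the requirement (what counts as a validated source, and that the check must not depend on values the PR author controls) or link to a section that does. The unchanged sentence directly above still says a new cache is "automatically created provided the job completes successfully" with no qualification, so consider adding a short "except as noted below" there so the two statements in the note do not contradict each other. It would also help to say whether restore behaves normally under `pull_request_target`, because the new text only mentions that the post-step save is skipped.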