Bump @actions/cache to 5.1.0, log cache write denied (#758 )

* Bump @actions/cache to 5.1.0, log cache write denied * Add cache save tests * Re-trigger CI
2026-06-23 00:21:15 +03:00 · 2026-06-22 14:14:01 -05:00
11 changed files with 278 additions and 37 deletions
@@ -20,7 +20,7 @@ jobs:
        os: [ubuntu-latest, windows-latest, macos-latest]
        go-version: ['1.25', '1.24']
    steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@v6

      - name: Setup Microsoft build of Go ${{ matrix.go-version }}
        uses: ./
@@ -59,7 +59,7 @@ jobs:
    env:
      GO_DOWNLOAD_BASE_URL: 'https://aka.ms/golang/release/latest'
    steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@v6

      - name: Setup Microsoft build of Go via environment variable
        uses: ./
@@ -95,7 +95,7 @@ jobs:
          - os: macos-latest
            architecture: arm64
    steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@v6

      - name: Setup Microsoft build of Go with architecture
        uses: ./
@@ -116,7 +116,7 @@ jobs:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
    steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@v6

      - name: Setup Microsoft build of Go with caching
        uses: ./
@@ -14,7 +14,7 @@ jobs:

    steps:
      - name: Checking out
-        uses: actions/checkout@v7
+        uses: actions/checkout@v6
      - name: Publish
        id: publish
        uses: actions/publish-immutable-action@v0.0.4
@@ -20,7 +20,7 @@ jobs:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
    steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@v6
      - name: Setup Go Stable
        uses: ./
        with:
@@ -35,7 +35,7 @@ jobs:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
    steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@v6
      - name: Setup Go oldStable
        uses: ./
        with:
@@ -57,7 +57,7 @@ jobs:
          - os: macos-latest-large
            architecture: x32
    steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@v6
      - name: Setup Go ${{ matrix.version }} ${{ matrix.architecture }}
        uses: ./
        with:
@@ -82,7 +82,7 @@ jobs:
            go: 1.23.2
    steps:
      - name: Checkout
-        uses: actions/checkout@v7
+        uses: actions/checkout@v6

      - name: setup-go ${{ matrix.go }}
        uses: ./
@@ -101,7 +101,7 @@ jobs:
        os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
        go-version: ['1.20', '1.21', '1.22', '1.23']
    steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@v6
      - name: Setup Go and check latest
        uses: ./
        with:
@@ -117,7 +117,7 @@ jobs:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
    steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@v6
      - name: Setup Go and check latest
        uses: ./
        with:
@@ -133,7 +133,7 @@ jobs:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
    steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@v6
      - name: Setup Go and check latest
        uses: ./
        with:
@@ -149,7 +149,7 @@ jobs:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
    steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@v6
      - name: Setup Go and check latest
        uses: ./
        with:
@@ -165,7 +165,7 @@ jobs:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest, macos-latest-large]
    steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@v6
      - name: Setup Go from .go-version file
        uses: ./
        with:
@@ -183,7 +183,7 @@ jobs:
        go: [1.20.14, 1.21.10, 1.22.8, 1.23.2]
    steps:
      - name: Checkout
-        uses: actions/checkout@v7
+        uses: actions/checkout@v6

      - name: setup-go ${{ matrix.go }}
        uses: ./
@@ -203,7 +203,7 @@ jobs:
        go: [1.11.12]
    steps:
      - name: Checkout
-        uses: actions/checkout@v7
+        uses: actions/checkout@v6

      - name: setup-go ${{ matrix.go }}
        uses: ./
@@ -231,7 +231,7 @@ jobs:
          - os: macos-latest-large
            architecture: x64
    steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@v6
      - name: Setup Go and check latest
        uses: ./
        with:
@@ -19,7 +19,7 @@ jobs:
        cache: [false, true]
        go: [1.20.1]
    steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@v6

      - name: 'Setup ${{ matrix.cache }}, cache: ${{ matrix.go }}'
        uses: ./
@@ -88,7 +88,7 @@ jobs:
      matrix:
        cache: [false, true]
    steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@v6

      - name: 'Setup default go, cache: ${{ matrix.cache }}'
        uses: ./
@@ -121,7 +121,7 @@ jobs:
        cache: [false]
        go: [1.20.1]
    steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@v6

      - name: 'Setup ${{ matrix.go }}, cache: ${{ matrix.cache }}'
        uses: ./
@@ -1,6 +1,6 @@
 ---
 name: "@actions/cache"
-version: 5.0.5
+version: 5.1.0
 type: npm
 summary: Actions cache lib
 homepage: https://github.com/actions/toolkit/tree/main/packages/cache
@@ -0,0 +1,155 @@
+import * as cache from '@actions/cache';
+import * as core from '@actions/core';
+import fs from 'fs';
+
+import {run} from '../src/cache-save';
+import * as cacheUtils from '../src/cache-utils';
+import {State} from '../src/constants';
+
+describe('cache-save', () => {
+  const primaryKey = 'primary-key';
+
+  let primaryKeyValue: string;
+  let matchedKeyValue: string;
+
+  let getBooleanInputSpy: jest.SpyInstance;
+  let getStateSpy: jest.SpyInstance;
+  let infoSpy: jest.SpyInstance;
+  let warningSpy: jest.SpyInstance;
+  let debugSpy: jest.SpyInstance;
+  let setFailedSpy: jest.SpyInstance;
+  let saveCacheSpy: jest.SpyInstance;
+  let getCacheDirectoryPathSpy: jest.SpyInstance;
+  let existsSpy: jest.SpyInstance;
+
+  beforeEach(() => {
+    primaryKeyValue = primaryKey;
+    matchedKeyValue = 'matched-key';
+
+    getBooleanInputSpy = jest.spyOn(core, 'getBooleanInput');
+    getBooleanInputSpy.mockReturnValue(true);
+
+    getStateSpy = jest.spyOn(core, 'getState');
+    getStateSpy.mockImplementation((key: string) => {
+      if (key === State.CachePrimaryKey) {
+        return primaryKeyValue;
+      }
+      if (key === State.CacheMatchedKey) {
+        return matchedKeyValue;
+      }
+      return '';
+    });
+
+    infoSpy = jest.spyOn(core, 'info');
+    infoSpy.mockImplementation(() => undefined);
+
+    warningSpy = jest.spyOn(core, 'warning');
+    warningSpy.mockImplementation(() => undefined);
+
+    debugSpy = jest.spyOn(core, 'debug');
+    debugSpy.mockImplementation(() => undefined);
+
+    setFailedSpy = jest.spyOn(core, 'setFailed');
+    setFailedSpy.mockImplementation(() => undefined);
+
+    saveCacheSpy = jest.spyOn(cache, 'saveCache');
+    saveCacheSpy.mockImplementation(() => Promise.resolve(0));
+
+    getCacheDirectoryPathSpy = jest.spyOn(cacheUtils, 'getCacheDirectoryPath');
+    getCacheDirectoryPathSpy.mockImplementation(() =>
+      Promise.resolve(['cache_directory_path', 'cache_directory_path'])
+    );
+
+    existsSpy = jest.spyOn(fs, 'existsSync');
+    existsSpy.mockImplementation(() => true);
+  });
+
+  afterEach(() => {
+    jest.restoreAllMocks();
+  });
+
+  it('does not save cache when the cache input is false', async () => {
+    getBooleanInputSpy.mockReturnValue(false);
+
+    await run();
+
+    expect(saveCacheSpy).not.toHaveBeenCalled();
+    expect(warningSpy).not.toHaveBeenCalled();
+    expect(setFailedSpy).not.toHaveBeenCalled();
+  });
+
+  it('does not save cache when there are no cache folders on the disk', async () => {
+    existsSpy.mockImplementation(() => false);
+
+    await run();
+
+    expect(warningSpy).toHaveBeenCalledWith(
+      'There are no cache folders on the disk'
+    );
+    expect(saveCacheSpy).not.toHaveBeenCalled();
+    expect(setFailedSpy).not.toHaveBeenCalled();
+  });
+
+  it('does not save cache when the primary key was not generated', async () => {
+    primaryKeyValue = '';
+
+    await run();
+
+    expect(infoSpy).toHaveBeenCalledWith(
+      'Primary key was not generated. Please check the log messages above for more errors or information'
+    );
+    expect(saveCacheSpy).not.toHaveBeenCalled();
+    expect(setFailedSpy).not.toHaveBeenCalled();
+  });
+
+  it('does not save cache when a cache hit occurred on the primary key', async () => {
+    matchedKeyValue = primaryKey;
+
+    await run();
+
+    expect(infoSpy).toHaveBeenCalledWith(
+      `Cache hit occurred on the primary key ${primaryKey}, not saving cache.`
+    );
+    expect(saveCacheSpy).not.toHaveBeenCalled();
+    expect(setFailedSpy).not.toHaveBeenCalled();
+  });
+
+  it('saves cache when the primary key differs from the matched key', async () => {
+    await run();
+
+    expect(saveCacheSpy).toHaveBeenCalled();
+    expect(infoSpy).toHaveBeenCalledWith(
+      `Cache saved with the key: ${primaryKey}`
+    );
+    expect(warningSpy).not.toHaveBeenCalled();
+    expect(setFailedSpy).not.toHaveBeenCalled();
+  });
+
+  it('save with -1 cacheId , should not fail workflow', async () => {
+    saveCacheSpy.mockImplementation(() => Promise.resolve(-1));
+
+    await run();
+
+    expect(saveCacheSpy).toHaveBeenCalled();
+    expect(debugSpy).toHaveBeenCalledWith(
+      `Cache was not saved for the key: ${primaryKey}`
+    );
+    expect(infoSpy).not.toHaveBeenCalledWith(
+      `Cache saved with the key: ${primaryKey}`
+    );
+    expect(warningSpy).not.toHaveBeenCalled();
+    expect(setFailedSpy).not.toHaveBeenCalled();
+  });
+
+  it('saves with error from toolkit, should not fail workflow', async () => {
+    saveCacheSpy.mockImplementation(() =>
+      Promise.reject(new Error('Unable to reach the service'))
+    );
+
+    await run();
+
+    expect(saveCacheSpy).toHaveBeenCalled();
+    expect(warningSpy).toHaveBeenCalledWith('Unable to reach the service');
+    expect(setFailedSpy).not.toHaveBeenCalled();
+  });
+});
@@ -49,7 +49,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
    });
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.FinalizeCacheError = exports.ReserveCacheError = exports.ValidationError = void 0;
+exports.FinalizeCacheError = exports.CacheWriteDeniedError = exports.CACHE_WRITE_DENIED_PREFIX = exports.ReserveCacheError = exports.ValidationError = void 0;
 exports.isFeatureAvailable = isFeatureAvailable;
 exports.restoreCache = restoreCache;
 exports.saveCache = saveCache;
@@ -77,6 +77,26 @@ class ReserveCacheError extends Error {
    }
 }
 exports.ReserveCacheError = ReserveCacheError;
+/**
+ * Stable prefix used by the cache receiver to signal that the token has
+ * no writable scopes (read-only cache policy). Consumers can match on
+ * this prefix to distinguish policy denials from ordinary contention.
+ */
+exports.CACHE_WRITE_DENIED_PREFIX = 'cache write denied:';
+/**
+ * Extends ReserveCacheError for source-compatibility: existing
+ * `instanceof ReserveCacheError` checks and `typedError.name ===
+ * ReserveCacheError.name` paths keep working, while consumers that want to
+ * distinguish a policy denial can check for CacheWriteDeniedError.name.
+ */
+class CacheWriteDeniedError extends ReserveCacheError {
+    constructor(message) {
+        super(message);
+        this.name = 'CacheWriteDeniedError';
+        Object.setPrototypeOf(this, CacheWriteDeniedError.prototype);
+    }
+}
+exports.CacheWriteDeniedError = CacheWriteDeniedError;
 class FinalizeCacheError extends Error {
    constructor(message) {
        super(message);
@@ -387,7 +407,11 @@ function saveCacheV1(paths_1, key_1, options_1) {
                throw new Error((_d = (_c = reserveCacheResponse === null || reserveCacheResponse === void 0 ? void 0 : reserveCacheResponse.error) === null || _c === void 0 ? void 0 : _c.message) !== null && _d !== void 0 ? _d : `Cache size of ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B) is over the data cap limit, not saving cache.`);
            }
            else {
-                throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache. More details: ${(_e = reserveCacheResponse === null || reserveCacheResponse === void 0 ? void 0 : reserveCacheResponse.error) === null || _e === void 0 ? void 0 : _e.message}`);
+                const detailMessage = (_e = reserveCacheResponse === null || reserveCacheResponse === void 0 ? void 0 : reserveCacheResponse.error) === null || _e === void 0 ? void 0 : _e.message;
+                if (detailMessage === null || detailMessage === void 0 ? void 0 : detailMessage.startsWith(exports.CACHE_WRITE_DENIED_PREFIX)) {
+                    throw new CacheWriteDeniedError(`Unable to reserve cache with key ${key}. More details: ${detailMessage}`);
+                }
+                throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache. More details: ${detailMessage}`);
            }
            core.debug(`Saving Cache (ID: ${cacheId})`);
            yield cacheHttpClient.saveCache(cacheId, archivePath, '', options);
@@ -397,6 +421,9 @@ function saveCacheV1(paths_1, key_1, options_1) {
            if (typedError.name === ValidationError.name) {
                throw error;
            }
+            else if (typedError.name === CacheWriteDeniedError.name) {
+                core.warning(`Failed to save: ${typedError.message}`);
+            }
            else if (typedError.name === ReserveCacheError.name) {
                core.info(`Failed to save: ${typedError.message}`);
            }
@@ -435,6 +462,7 @@ function saveCacheV1(paths_1, key_1, options_1) {
 */
 function saveCacheV2(paths_1, key_1, options_1) {
    return __awaiter(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
+        var _a;
        // Override UploadOptions to force the use of Azure
        // ...options goes first because we want to override the default values
        // set in UploadOptions with these specific figures
@@ -470,7 +498,11 @@ function saveCacheV2(paths_1, key_1, options_1) {
            try {
                const response = yield twirpClient.CreateCacheEntry(request);
                if (!response.ok) {
-                    if (response.message) {
+                    // Skip the redundant inner warning when the receiver signalled a
+                    // policy denial: the outer catch arm below will log a single
+                    // customer-facing warning.
+                    if (response.message &&
+                        !response.message.startsWith(exports.CACHE_WRITE_DENIED_PREFIX)) {
                        core.warning(`Cache reservation failed: ${response.message}`);
                    }
                    throw new Error(response.message || 'Response was not ok');
@@ -479,6 +511,10 @@ function saveCacheV2(paths_1, key_1, options_1) {
            }
            catch (error) {
                core.debug(`Failed to reserve cache: ${error}`);
+                const errorMessage = (_a = error === null || error === void 0 ? void 0 : error.message) !== null && _a !== void 0 ? _a : '';
+                if (errorMessage.startsWith(exports.CACHE_WRITE_DENIED_PREFIX)) {
+                    throw new CacheWriteDeniedError(`Unable to reserve cache with key ${key}. More details: ${errorMessage}`);
+                }
                throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache.`);
            }
            core.debug(`Attempting to upload cache located at: ${archivePath}`);
@@ -503,6 +539,9 @@ function saveCacheV2(paths_1, key_1, options_1) {
            if (typedError.name === ValidationError.name) {
                throw error;
            }
+            else if (typedError.name === CacheWriteDeniedError.name) {
+                core.warning(`Failed to save: ${typedError.message}`);
+            }
            else if (typedError.name === ReserveCacheError.name) {
                core.info(`Failed to save: ${typedError.message}`);
            }
@@ -46404,6 +46443,10 @@ const cachePackages = () => __awaiter(void 0, void 0, void 0, function* () {
    }
    const cacheId = yield cache.saveCache(cachePaths, primaryKey);
    if (cacheId === -1) {
+        // saveCache returns -1 without throwing when the cache was not saved, e.g.
+        // a reserve collision or a read-only token (fork PR). @actions/cache has
+        // already logged the reason at the appropriate severity, so just trace it.
+        core.debug(`Cache was not saved for the key: ${primaryKey}`);
        return;
    }
    core.info(`Cache saved with the key: ${primaryKey}`);
@@ -87992,7 +88035,7 @@ function randomUUID() {
 /***/ ((module) => {

 "use strict";
-module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"5.0.5","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^2.0.0","@actions/exec":"^2.0.0","@actions/glob":"^0.5.1","@protobuf-ts/runtime-rpc":"^2.11.1","@actions/http-client":"^3.0.2","@actions/io":"^2.0.0","@azure/abort-controller":"^1.1.0","@azure/core-rest-pipeline":"^1.22.0","@azure/storage-blob":"^12.29.1","semver":"^6.3.1"},"devDependencies":{"@types/node":"^24.1.0","@types/semver":"^6.0.0","@protobuf-ts/plugin":"^2.9.4","typescript":"^5.2.2"},"overrides":{"uri-js":"npm:uri-js-replace@^1.0.1","node-fetch":"^3.3.2"}}');
+module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"5.1.0","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^2.0.0","@actions/exec":"^2.0.0","@actions/glob":"^0.5.1","@protobuf-ts/runtime-rpc":"^2.11.1","@actions/http-client":"^3.0.2","@actions/io":"^2.0.0","@azure/abort-controller":"^1.1.0","@azure/core-rest-pipeline":"^1.22.0","@azure/storage-blob":"^12.29.1","semver":"^6.3.1"},"devDependencies":{"@types/node":"^24.1.0","@types/semver":"^6.0.0","@protobuf-ts/plugin":"^2.9.4","typescript":"^5.2.2"},"overrides":{"uri-js":"npm:uri-js-replace@^1.0.1","node-fetch":"^3.3.2"}}');

 /***/ })

@@ -49,7 +49,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
    });
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.FinalizeCacheError = exports.ReserveCacheError = exports.ValidationError = void 0;
+exports.FinalizeCacheError = exports.CacheWriteDeniedError = exports.CACHE_WRITE_DENIED_PREFIX = exports.ReserveCacheError = exports.ValidationError = void 0;
 exports.isFeatureAvailable = isFeatureAvailable;
 exports.restoreCache = restoreCache;
 exports.saveCache = saveCache;
@@ -77,6 +77,26 @@ class ReserveCacheError extends Error {
    }
 }
 exports.ReserveCacheError = ReserveCacheError;
+/**
+ * Stable prefix used by the cache receiver to signal that the token has
+ * no writable scopes (read-only cache policy). Consumers can match on
+ * this prefix to distinguish policy denials from ordinary contention.
+ */
+exports.CACHE_WRITE_DENIED_PREFIX = 'cache write denied:';
+/**
+ * Extends ReserveCacheError for source-compatibility: existing
+ * `instanceof ReserveCacheError` checks and `typedError.name ===
+ * ReserveCacheError.name` paths keep working, while consumers that want to
+ * distinguish a policy denial can check for CacheWriteDeniedError.name.
+ */
+class CacheWriteDeniedError extends ReserveCacheError {
+    constructor(message) {
+        super(message);
+        this.name = 'CacheWriteDeniedError';
+        Object.setPrototypeOf(this, CacheWriteDeniedError.prototype);
+    }
+}
+exports.CacheWriteDeniedError = CacheWriteDeniedError;
 class FinalizeCacheError extends Error {
    constructor(message) {
        super(message);
@@ -387,7 +407,11 @@ function saveCacheV1(paths_1, key_1, options_1) {
                throw new Error((_d = (_c = reserveCacheResponse === null || reserveCacheResponse === void 0 ? void 0 : reserveCacheResponse.error) === null || _c === void 0 ? void 0 : _c.message) !== null && _d !== void 0 ? _d : `Cache size of ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B) is over the data cap limit, not saving cache.`);
            }
            else {
-                throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache. More details: ${(_e = reserveCacheResponse === null || reserveCacheResponse === void 0 ? void 0 : reserveCacheResponse.error) === null || _e === void 0 ? void 0 : _e.message}`);
+                const detailMessage = (_e = reserveCacheResponse === null || reserveCacheResponse === void 0 ? void 0 : reserveCacheResponse.error) === null || _e === void 0 ? void 0 : _e.message;
+                if (detailMessage === null || detailMessage === void 0 ? void 0 : detailMessage.startsWith(exports.CACHE_WRITE_DENIED_PREFIX)) {
+                    throw new CacheWriteDeniedError(`Unable to reserve cache with key ${key}. More details: ${detailMessage}`);
+                }
+                throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache. More details: ${detailMessage}`);
            }
            core.debug(`Saving Cache (ID: ${cacheId})`);
            yield cacheHttpClient.saveCache(cacheId, archivePath, '', options);
@@ -397,6 +421,9 @@ function saveCacheV1(paths_1, key_1, options_1) {
            if (typedError.name === ValidationError.name) {
                throw error;
            }
+            else if (typedError.name === CacheWriteDeniedError.name) {
+                core.warning(`Failed to save: ${typedError.message}`);
+            }
            else if (typedError.name === ReserveCacheError.name) {
                core.info(`Failed to save: ${typedError.message}`);
            }
@@ -435,6 +462,7 @@ function saveCacheV1(paths_1, key_1, options_1) {
 */
 function saveCacheV2(paths_1, key_1, options_1) {
    return __awaiter(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
+        var _a;
        // Override UploadOptions to force the use of Azure
        // ...options goes first because we want to override the default values
        // set in UploadOptions with these specific figures
@@ -470,7 +498,11 @@ function saveCacheV2(paths_1, key_1, options_1) {
            try {
                const response = yield twirpClient.CreateCacheEntry(request);
                if (!response.ok) {
-                    if (response.message) {
+                    // Skip the redundant inner warning when the receiver signalled a
+                    // policy denial: the outer catch arm below will log a single
+                    // customer-facing warning.
+                    if (response.message &&
+                        !response.message.startsWith(exports.CACHE_WRITE_DENIED_PREFIX)) {
                        core.warning(`Cache reservation failed: ${response.message}`);
                    }
                    throw new Error(response.message || 'Response was not ok');
@@ -479,6 +511,10 @@ function saveCacheV2(paths_1, key_1, options_1) {
            }
            catch (error) {
                core.debug(`Failed to reserve cache: ${error}`);
+                const errorMessage = (_a = error === null || error === void 0 ? void 0 : error.message) !== null && _a !== void 0 ? _a : '';
+                if (errorMessage.startsWith(exports.CACHE_WRITE_DENIED_PREFIX)) {
+                    throw new CacheWriteDeniedError(`Unable to reserve cache with key ${key}. More details: ${errorMessage}`);
+                }
                throw new ReserveCacheError(`Unable to reserve cache with key ${key}, another job may be creating this cache.`);
            }
            core.debug(`Attempting to upload cache located at: ${archivePath}`);
@@ -503,6 +539,9 @@ function saveCacheV2(paths_1, key_1, options_1) {
            if (typedError.name === ValidationError.name) {
                throw error;
            }
+            else if (typedError.name === CacheWriteDeniedError.name) {
+                core.warning(`Failed to save: ${typedError.message}`);
+            }
            else if (typedError.name === ReserveCacheError.name) {
                core.info(`Failed to save: ${typedError.message}`);
            }
@@ -94113,7 +94152,7 @@ function randomUUID() {
 /***/ ((module) => {

 "use strict";
-module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"5.0.5","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^2.0.0","@actions/exec":"^2.0.0","@actions/glob":"^0.5.1","@protobuf-ts/runtime-rpc":"^2.11.1","@actions/http-client":"^3.0.2","@actions/io":"^2.0.0","@azure/abort-controller":"^1.1.0","@azure/core-rest-pipeline":"^1.22.0","@azure/storage-blob":"^12.29.1","semver":"^6.3.1"},"devDependencies":{"@types/node":"^24.1.0","@types/semver":"^6.0.0","@protobuf-ts/plugin":"^2.9.4","typescript":"^5.2.2"},"overrides":{"uri-js":"npm:uri-js-replace@^1.0.1","node-fetch":"^3.3.2"}}');
+module.exports = /*#__PURE__*/JSON.parse('{"name":"@actions/cache","version":"5.1.0","preview":true,"description":"Actions cache lib","keywords":["github","actions","cache"],"homepage":"https://github.com/actions/toolkit/tree/main/packages/cache","license":"MIT","main":"lib/cache.js","types":"lib/cache.d.ts","directories":{"lib":"lib","test":"__tests__"},"files":["lib","!.DS_Store"],"publishConfig":{"access":"public"},"repository":{"type":"git","url":"git+https://github.com/actions/toolkit.git","directory":"packages/cache"},"scripts":{"audit-moderate":"npm install && npm audit --json --audit-level=moderate > audit.json","test":"echo \\"Error: run tests from root\\" && exit 1","tsc":"tsc"},"bugs":{"url":"https://github.com/actions/toolkit/issues"},"dependencies":{"@actions/core":"^2.0.0","@actions/exec":"^2.0.0","@actions/glob":"^0.5.1","@protobuf-ts/runtime-rpc":"^2.11.1","@actions/http-client":"^3.0.2","@actions/io":"^2.0.0","@azure/abort-controller":"^1.1.0","@azure/core-rest-pipeline":"^1.22.0","@azure/storage-blob":"^12.29.1","semver":"^6.3.1"},"devDependencies":{"@types/node":"^24.1.0","@types/semver":"^6.0.0","@protobuf-ts/plugin":"^2.9.4","typescript":"^5.2.2"},"overrides":{"uri-js":"npm:uri-js-replace@^1.0.1","node-fetch":"^3.3.2"}}');

 /***/ })

@@ -1,15 +1,15 @@
 {
  "name": "setup-go",
-  "version": "6.2.0",
+  "version": "6.3.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "setup-go",
-      "version": "6.2.0",
+      "version": "6.3.0",
      "license": "MIT",
      "dependencies": {
-        "@actions/cache": "^5.0.5",
+        "@actions/cache": "^5.1.0",
        "@actions/core": "^2.0.3",
        "@actions/exec": "^2.0.0",
        "@actions/glob": "^0.5.1",
@@ -41,9 +41,9 @@
      }
    },
    "node_modules/@actions/cache": {
-      "version": "5.0.5",
-      "resolved": "https://registry.npmjs.org/@actions/cache/-/cache-5.0.5.tgz",
-      "integrity": "sha512-jiQSg0gfd+C2KPgcmdCOq7dCuCIQQWQ4b1YfGIRaaA9w7PJbRwTOcCz4LiFEUnqZGf0ha/8OKL3BeNwetHzYsQ==",
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/@actions/cache/-/cache-5.1.0.tgz",
+      "integrity": "sha512-kTIj4YPrjjRPKSGlj7f8eq+Pijoy/SKBEbJcAwNsQTFGEF29NGqj1mqD02/PmhV6r4bRAixycexAWpmUJ2aCwg==",
      "license": "MIT",
      "dependencies": {
        "@actions/core": "^2.0.0",
@@ -1,6 +1,6 @@
 {
  "name": "setup-go",
-  "version": "6.2.0",
+  "version": "6.3.0",
  "private": true,
  "description": "setup go action",
  "main": "lib/setup-go.js",
@@ -28,7 +28,7 @@
  "author": "GitHub",
  "license": "MIT",
  "dependencies": {
-    "@actions/cache": "^5.0.5",
+    "@actions/cache": "^5.1.0",
    "@actions/core": "^2.0.3",
    "@actions/exec": "^2.0.0",
    "@actions/glob": "^0.5.1",
@@ -81,6 +81,10 @@ const cachePackages = async () => {

  const cacheId = await cache.saveCache(cachePaths, primaryKey);
  if (cacheId === -1) {
+    // saveCache returns -1 without throwing when the cache was not saved, e.g.
+    // a reserve collision or a read-only token (fork PR). @actions/cache has
+    // already logged the reason at the appropriate severity, so just trace it.
+    core.debug(`Cache was not saved for the key: ${primaryKey}`);
    return;
  }
  core.info(`Cache saved with the key: ${primaryKey}`);