Defer cache-memory updates until after successful threat detection

[Copilot]

Cache-memory was being updated in the agent job before threat detection completed, allowing potentially malicious content to persist. This change defers cache updates until after detection succeeds.

Changes

• Agent job: Uses actions/cache/restore (read-only) when threat detection is enabled; uploads artifacts with if: always()
• New update_cache_memory job: Runs after successful detection, downloads artifacts, saves to cache using actions/cache/save@v4
• Backward compatibility: Workflows without threat detection continue using actions/cache (read+write) as before

Example

Before (cache updated regardless of detection):

agent:
  steps:
    - uses: actions/cache@v4  # reads AND writes
      with:
        key: memory-${{ github.run_id }}

After (cache updated only after detection succeeds):

agent:
  steps:
    - uses: actions/cache/restore@v4  # read-only
      with:
        key: memory-${{ github.run_id }}
    - uses: actions/upload-artifact@v5
      if: always()

update_cache_memory:
  needs: [agent, detection]
  if: needs.detection.outputs.success == 'true'
  steps:
    - uses: actions/download-artifact@v6
    - uses: actions/cache/save@v4  # write

Multiple cache entries are handled correctly with consistent naming.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/user
  • Triggering command: /usr/bin/gh gh api user --jq .login -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go b-ag�� s/ GO111MODULE ache/go/1.25.0/x64/pkg/tool/linujson GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x--json (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login xe5-kBtB_ GO111MODULE epo GOINSECURE GOMOD GOMODCACHE ortcfg env edcfg GO111MODULE ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login entics.git GO111MODULE a141d60914e5923a579edacd3426772d749/log.json GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet env -json GO111MODULE 3789871/b355/styles.test GOINSECURE GOMOD GOMODCACHE 3789871/b355/sty-address (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Cache update</issue_title>
<issue_description>Update the compiler to update cache-memories only if detection was successful

• in the agentic job, upload memories as artifact, do not update caches at the end of the job. Current artifact creation is too early
• in the detection job, download cache memory and cache memory artifact, if detection found no threat, copy artifact content to cache folder so that it gets updated
• if detection is disable, update cache in agent job</issue_description>

Comments on the Issue (you are @copilot in this section)

@pelikhan /plan

• Fixes Cache update #5760

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.