GitHub Actions limits cache access for untrusted triggers

GitHub Actions now issues read-only cache tokens to the default branch for workflow events triggered without write permissions, preventing cache poisoning and privilege escalation. This change applies to untrusted events like pull_request_target and fork-pull-request workflow_run cascades when the cache scope is the default branch SHA. Restores remain unaffected.

Workflows triggered by untrusted events writing to the default-branch cache will now receive a warning and fail to save cache entries. To retain caching benefits, a separate workflow triggered by an event with read-write cache access, such as 'push', is required for cache saves.

The most common workflow triggers that write to the default-branch cache, including push, schedule, and workflow_dispatch, continue to have full read-write caching. Triggers using a non-default-branch scope, such as pull_request and release, also retain read-write permissions.