
Disable npm caching in release workflow #1718

Merged: oschwald merged 1 commit into main from wstorey/fix-zizmor on Jun 11, 2026

Conversation

horgh (Contributor) commented Jun 11, 2026

zizmor reports cache-poisoning findings for release.yml (it has a release: published trigger and publishes to npm): a poisoned cache entry restored during a release run could taint the published package. This disables setup-node's package-manager cache in both jobs of that workflow.

This also closes the open zizmor code-scanning alerts on release.yml, which would otherwise fail the code-scanning check on any future PR touching those lines.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated internal build configuration to improve release consistency.

zizmor flags cache-poisoning in workflows that publish artifacts: a
poisoned cache entry restored during a release run could taint the
published package. Disable setup-node's package manager cache in
release.yml.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
gemini-code-assist

Note: Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

coderabbitai Bot commented Jun 11, 2026

No actionable comments were generated in the recent review.

Reviewing files that changed from the base of the PR and between ae4acd7 and 8bf96b4.
📒 Files selected for processing (1)
  • .github/workflows/release.yml

Walkthrough

The release workflow now disables package manager caching in the Node setup for both the build and publish jobs by adding package-manager-cache: false to the actions/setup-node configuration in two locations.

Changes

Release Workflow Caching
  Layer / File(s): .github/workflows/release.yml
  Summary: Disable package manager caching in build and publish jobs. The actions/setup-node configuration is updated with package-manager-cache: false in both the build job and the publish job to prevent npm/yarn/pnpm caching during release workflow execution.

Estimated code review effort: 1 (Trivial), ~3 minutes

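The change described in the PR description and in the walkthrough above, as an added example that is not the project's or the PR's own code: a simplified Python audit that flags caching actions/setup-node steps in workflows with a release trigger, beside the remediation the PR applies (package-manager-cache: false on every such step). It assumes that a release trigger marks a publishing workflow and that setup-node caching is on unless package-manager-cache is explicitly false; the triggers, audit and harden names and the sample workflow are constructed.

```python
# Added example (not code from the PR or the project): a simplified audit for
# the cache-poisoning pattern above, plus the remediation the PR applies. It
# takes an already-parsed workflow (what yaml.safe_load returns), so it needs
# no YAML library; the sample release workflow at the bottom is constructed.
import copy

SETUP_NODE = "actions/setup-node"

def triggers(workflow: dict) -> set[str]:
    # PyYAML (YAML 1.1) reads the bare key `on` as boolean True, so check both;
    # the value may be a mapping, a list of event names, or a single name.
    raw = workflow.get("on", workflow.get(True)) or {}
    return {raw} if isinstance(raw, str) else set(raw)

def is_setup_node(step: dict) -> bool:
    return str(step.get("uses", "")).split("@")[0] == SETUP_NODE

def caching_enabled(step: dict) -> bool:
    """True when a setup-node step would restore a dependency cache."""
    inputs = step.get("with") or {}
    if inputs.get("cache"):  # explicit `cache: npm` style input
        return True
    # Assumption: caching is on unless package-manager-cache is explicitly false.
    return inputs.get("package-manager-cache", True) is not False

def audit(workflow: dict) -> list[str]:
    """Label caching setup-node steps in workflows with a release trigger."""
    if "release" not in triggers(workflow):  # assumed publishing trigger
        return []
    return [f"{name}/step[{i}]"
            for name, job in (workflow.get("jobs") or {}).items()
            for i, step in enumerate(job.get("steps") or [])
            if is_setup_node(step) and caching_enabled(step)]

def harden(workflow: dict) -> dict:
    """Copy of the workflow with caching disabled on every setup-node step."""
    fixed = copy.deepcopy(workflow)
    for job in (fixed.get("jobs") or {}).values():
        for step in job.get("steps") or []:
            if is_setup_node(step):
                inputs = step.setdefault("with", {})
                inputs.pop("cache", None)
                inputs["package-manager-cache"] = False
    return fixed

# Constructed sample shaped like the release.yml the PR describes.
NODE = {"uses": "actions/setup-node@v5", "with": {"node-version": "22"}}
RELEASE = {"on": {"release": {"types": ["published"]}},
           "jobs": {"build": {"steps": [{"uses": "actions/checkout@v4"}, NODE]},
                    "publish": {"steps": [NODE, {"run": "npm publish"}]}}}
```

Running audit(RELEASE) reports both setup-node steps, and audit(harden(RELEASE)) reports none, which is the before/after state of release.yml in this PR.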

oschwald merged commit 285de42 into main on Jun 11, 2026 (12 checks passed)
oschwald deleted the wstorey/fix-zizmor branch on June 11, 2026 at 16:58