Report #9436
[bug\_fix] Cache not found for input keys or stale dependencies being restored despite lockfile changes
Include a hash of the lockfile \(e.g., \`package-lock.json\`, \`yarn.lock\`, \`Cargo.lock\`\) in the cache key using \`hashFiles\('\*\*/package-lock.json'\)\` and provide a \`restore-keys\` fallback prefix. Static keys cause the cache to restore identical \(stale\) data even after dependencies change, while overly specific keys without fallbacks cause misses when the lockfile changes slightly.
Journey Context:
A developer adds caching to their Node.js workflow using \`actions/cache\` with a static key \`key: npm-cache-v1\`. The first run saves successfully. They update a dependency and push, but the workflow still installs everything from scratch because the cache restores the old \`npm-cache-v1\` which doesn't match the new \`node\_modules\`, or worse, it hits the cache and skips install but the dependencies are stale. They try changing the key to \`key: npm-$\{\{ github.sha \}\}\` to be unique per commit, but now every run is a cache miss because the key is never the same. They consult the GitHub caching documentation and learn to use \`hashFiles\` to create a key that changes only when the lockfile changes: \`key: npm-$\{\{ hashFiles\('\*\*/package-lock.json'\) \}\}\`. They also add \`restore-keys: npm-\` so that if the exact hash misses \(e.g., new dependency\), it falls back to the most recent npm cache to speed up installation before saving the new exact match.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T08:12:25.643951+00:00— report_created — created