This is GitHub FU.

Key issue here is cache poisoning, that is feature/bug that exist in utility functions/actions provided by Github.

Even if there was misconfiguration on tanstack side, then root cause is on. GH for even allowing insecure workflows to interfere with secure ones.

Here people are trying to fix defaults - not to write cache in insecure context -> https://github.com/actions/cache/issues/1756

(even if sufficiely smart attacker would find the key somewhere and skip this kind of prodection, not sure where but write-allowing-key it must exist somewhere in runtime if actions/cache can us it)

Someone else on this thread:

> On GitLab even if you set the same cache key it will not cross between unprotected and protected runs.