Commit 2026-02-18 23:09 c4dcefdc

ci: Secure proofwidgets fetches on cache get (#35463) When calling lake exe cache get in the CI we happily say "only runs cache get from tools-branch, so doesn't need to be inside landrun". However, it turns out that cache get is not that innocent: it performs a full lake -v build proofwidgets:release in the PR branch context. This means I can point proofwidgets in the lake-manifest.json to whatever I want, and now run arbitrary code outside of landrun. To protect against this, this PR:

• adds an dependency verification for proofwidget, so that it only comes from the 'trusted' source
• tries to avoid the build altogether in cache get, defaulting to skipping in github actions, but adding a flag so that we can do it if we want