Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

.github/workflows/cd-pypi-cli.yml (1)

46-46: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify setup-bun supports cache input and its default in the pinned commit.
set -euo pipefail

curl -fsSL https://raw.githubusercontent.com/oven-sh/setup-bun/0c5077e51419868618aeaa5fe8019c62421857d6/action.yml \
  | sed -n '1,220p'

# Find all setup-bun uses and whether cache is explicitly configured.
rg -n -C3 'uses:\s*oven-sh/setup-bun@' .github/workflows

Repository: deepnote/deepnote

Length of output: 3070

---

Disable Bun caching at Line 46 using no-cache (not cache)

oven-sh/setup-bun@... (pinned v2) exposes no-cache (default: false); there is no cache input. Set with: no-cache: true on the Setup Bun step.

Suggested fix

      - name: Setup Bun
        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
        with:
          no-cache: true

🧰 Tools

🪛 zizmor (1.25.2)

[error] 46-46: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default

(cache-poisoning)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cd-pypi-cli.yml at line 46, The Setup Bun action step
(uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6) is
incorrectly attempting to use a non-existent `cache` input; change the step to
pass the correct input by adding `with: no-cache: true` to the "Setup Bun" step
so Bun caching is disabled (use the `no-cache` input rather than `cache`).