[BUG]: zizmor currently flags maturin's generated workflow for `sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}` being vulnerable to a cache poisoning attack

### Pre-submission checks

- [x] I am **not** filing a feature request. These should be filed via the feature request form instead.
- [x] I have checked the [Troubleshooting Guide](https://docs.zizmor.sh/troubleshooting) for my problem.
- [x] I have looked through both the [open](https://github.com/zizmorcore/zizmor/issues?q=is%3Aissue+is%3Aopen+) and [closed](https://github.com/zizmorcore/zizmor/issues?q=is%3Aissue%20state%3Aclosed) issues for a duplicate report.

### zizmor version

1.24.1

### Expected behavior

It was reported in this [issue](https://github.com/PyO3/maturin/issues/2425#issuecomment-2571654034) that the error shown by `zizmor` for `sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}` could be a potential false-positive.

### Actual behavior

`zizmor` currently reports `sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}` as being vulnerable to a cache poisoning attack.

### Reproduction steps

1. Generate a workflow using [`maturin generate-ci`](https://www.maturin.rs/distribution.html?highlight=generate-ci#github-actions)
2. Run `uvx zizmor` on the generated workflow.

### Logs

```plain text
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/build-and-release.yaml:126:9
    |
  8 | / on:
  9 | |   push:
 10 | |     branches:
 11 | |       - master
 12 | |     tags:
 13 | |       - '*'
    | |___________- generally used when publishing artifacts generated at runtime
...
126 |           uses: PyO3/maturin-action@e83996d129638aa358a18fbd1dfb82f0b0fb5d3b # v1.51.0
    |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
127 | /         with:
128 | |           target: ${{ matrix.platform.target }}
129 | |           args: --release --out dist --find-interpreter
130 | |           sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}
    | |_______________________________________________________________- may enable caching here
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
```

### Additional context

If it helps this is the [workflow](https://github.com/py-econometrics/pyfixest/blob/master/.github/workflows/build-and-release.yaml) I ran `zizmor` on, and got the error. Additionally locally I also ran `pinact` to pin the commit SHAs, before running `zizmor` on the workflow.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[BUG]: zizmor currently flags maturin's generated workflow for `sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}` being vulnerable to a cache poisoning attack #1940

Pre-submission checks

zizmor version

Expected behavior

Actual behavior

Reproduction steps

Logs

Additional context

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

[BUG]: zizmor currently flags maturin's generated workflow for sccache: ${{ !startsWith(github.ref, 'refs/tags/') }} being vulnerable to a cache poisoning attack #1940

Description

Pre-submission checks

zizmor version

Expected behavior

Actual behavior

Reproduction steps

Logs

Additional context

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

[BUG]: zizmor currently flags maturin's generated workflow for `sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}` being vulnerable to a cache poisoning attack #1940