Make Namespace cache setup fail open
This commit is contained in:
parent
dba641035b
commit
2da04bc317
2 changed files with 29 additions and 13 deletions
|
|
@ -19,6 +19,16 @@ portable_mkdir() {
|
|||
command -p mkdir "$@"
|
||||
}
|
||||
|
||||
optional_timeout() {
|
||||
local duration="$1"
|
||||
shift
|
||||
if command -v timeout >/dev/null 2>&1; then
|
||||
timeout "$duration" "$@"
|
||||
else
|
||||
"$@"
|
||||
fi
|
||||
}
|
||||
|
||||
append_bazel_storage_cache() {
|
||||
local bazelrc_path="$1"
|
||||
local cache_root="${BURROW_BAZEL_STORAGE_CACHE:-}"
|
||||
|
|
@ -61,7 +71,9 @@ configure_bazel_remote_cache() {
|
|||
local bazelrc_path
|
||||
bazelrc_path="${NSC_BAZELRC_PATH:-${TMPDIR:-/tmp}/burrow-nsc-cache.bazelrc}"
|
||||
portable_mkdir -p "$(dirname "$bazelrc_path")"
|
||||
if nsc auth check-login >/dev/null 2>&1 && nsc cache bazel setup --bazelrc "$bazelrc_path" >/dev/null 2>&1; then
|
||||
local probe_timeout="${BURROW_NSC_CACHE_PROBE_TIMEOUT:-30s}"
|
||||
if optional_timeout "$probe_timeout" nsc auth check-login >/dev/null 2>&1 &&
|
||||
optional_timeout "$probe_timeout" nsc cache bazel setup --bazelrc "$bazelrc_path" >/dev/null 2>&1; then
|
||||
append_bazel_storage_cache "$bazelrc_path"
|
||||
export BURROW_BAZEL_NSCCACHE_BAZELRC="$bazelrc_path"
|
||||
export BURROW_BAZEL_NSCCACHE_ACTIVE=1
|
||||
|
|
@ -122,18 +134,6 @@ if [[ -n "${GITHUB_ENV:-}" ]]; then
|
|||
echo "NSC_CACHE_PATH=$cache_root" >> "$GITHUB_ENV"
|
||||
fi
|
||||
|
||||
spacectl_bin_dir="${RUNNER_TEMP:-${TMPDIR:-/tmp}}/spacectl-bin"
|
||||
if ! command -v spacectl >/dev/null 2>&1; then
|
||||
if ! bash Scripts/ci/ensure-spacectl.sh; then
|
||||
echo "::warning ::Unable to install spacectl; skipping filesystem cache mount."
|
||||
configure_bazel_remote_cache
|
||||
exit 0
|
||||
fi
|
||||
if [[ -x "${spacectl_bin_dir}/spacectl" ]]; then
|
||||
export PATH="${spacectl_bin_dir}:$PATH"
|
||||
fi
|
||||
fi
|
||||
|
||||
mode_args=()
|
||||
for mode in "$@"; do
|
||||
[[ -z "$mode" ]] && continue
|
||||
|
|
@ -157,6 +157,18 @@ if [[ "${#mode_args[@]}" -eq 0 ]]; then
|
|||
exit 0
|
||||
fi
|
||||
|
||||
spacectl_bin_dir="${RUNNER_TEMP:-${TMPDIR:-/tmp}}/spacectl-bin"
|
||||
if ! command -v spacectl >/dev/null 2>&1; then
|
||||
if ! bash Scripts/ci/ensure-spacectl.sh; then
|
||||
echo "::warning ::Unable to install spacectl; skipping filesystem cache mount."
|
||||
configure_bazel_remote_cache
|
||||
exit 0
|
||||
fi
|
||||
if [[ -x "${spacectl_bin_dir}/spacectl" ]]; then
|
||||
export PATH="${spacectl_bin_dir}:$PATH"
|
||||
fi
|
||||
fi
|
||||
|
||||
portable_mkdir -p "$cache_root" 2>/dev/null || true
|
||||
|
||||
args=(-o json cache mount "--dry_run=false" "--cache_root=${cache_root}" "${mode_args[@]}")
|
||||
|
|
|
|||
|
|
@ -47,6 +47,10 @@ The same change also makes the forge itself the release authority: release tags
|
|||
- `//bazel/apple:release_macos_stamp`
|
||||
These targets wrap the existing Xcode project and give the workflow one stable entrypoint that shares the same Bazel/Nix cache setup while Burrow decides whether deeper `rules_apple` targets are worth the migration.
|
||||
- Use Namespace cache setup before Bazel/Nix work. Prefer the Namespace Bazel remote cache when `nsc` is authenticated and fall back to a local disk/repository cache when remote setup is unavailable.
|
||||
Cache setup is optional release acceleration: Bazel-only cache steps must not
|
||||
install filesystem-cache helpers such as `spacectl`, and Namespace cache
|
||||
probes must be timeout-bounded so Apple builds can continue without the
|
||||
remote cache.
|
||||
- Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key.
|
||||
- Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`.
|
||||
- Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue