diff --git a/Scripts/ci/nscloud-cache.sh b/Scripts/ci/nscloud-cache.sh index ea4f68a..03ac347 100755 --- a/Scripts/ci/nscloud-cache.sh +++ b/Scripts/ci/nscloud-cache.sh @@ -19,6 +19,16 @@ portable_mkdir() { command -p mkdir "$@" } +optional_timeout() { + local duration="$1" + shift + if command -v timeout >/dev/null 2>&1; then + timeout "$duration" "$@" + else + "$@" + fi +} + append_bazel_storage_cache() { local bazelrc_path="$1" local cache_root="${BURROW_BAZEL_STORAGE_CACHE:-}" @@ -61,7 +71,9 @@ configure_bazel_remote_cache() { local bazelrc_path bazelrc_path="${NSC_BAZELRC_PATH:-${TMPDIR:-/tmp}/burrow-nsc-cache.bazelrc}" portable_mkdir -p "$(dirname "$bazelrc_path")" - if nsc auth check-login >/dev/null 2>&1 && nsc cache bazel setup --bazelrc "$bazelrc_path" >/dev/null 2>&1; then + local probe_timeout="${BURROW_NSC_CACHE_PROBE_TIMEOUT:-30s}" + if optional_timeout "$probe_timeout" nsc auth check-login >/dev/null 2>&1 && + optional_timeout "$probe_timeout" nsc cache bazel setup --bazelrc "$bazelrc_path" >/dev/null 2>&1; then append_bazel_storage_cache "$bazelrc_path" export BURROW_BAZEL_NSCCACHE_BAZELRC="$bazelrc_path" export BURROW_BAZEL_NSCCACHE_ACTIVE=1 @@ -122,18 +134,6 @@ if [[ -n "${GITHUB_ENV:-}" ]]; then echo "NSC_CACHE_PATH=$cache_root" >> "$GITHUB_ENV" fi -spacectl_bin_dir="${RUNNER_TEMP:-${TMPDIR:-/tmp}}/spacectl-bin" -if ! command -v spacectl >/dev/null 2>&1; then - if ! bash Scripts/ci/ensure-spacectl.sh; then - echo "::warning ::Unable to install spacectl; skipping filesystem cache mount." - configure_bazel_remote_cache - exit 0 - fi - if [[ -x "${spacectl_bin_dir}/spacectl" ]]; then - export PATH="${spacectl_bin_dir}:$PATH" - fi -fi - mode_args=() for mode in "$@"; do [[ -z "$mode" ]] && continue @@ -157,6 +157,18 @@ if [[ "${#mode_args[@]}" -eq 0 ]]; then exit 0 fi +spacectl_bin_dir="${RUNNER_TEMP:-${TMPDIR:-/tmp}}/spacectl-bin" +if ! command -v spacectl >/dev/null 2>&1; then + if ! bash Scripts/ci/ensure-spacectl.sh; then + echo "::warning ::Unable to install spacectl; skipping filesystem cache mount." + configure_bazel_remote_cache + exit 0 + fi + if [[ -x "${spacectl_bin_dir}/spacectl" ]]; then + export PATH="${spacectl_bin_dir}:$PATH" + fi +fi + portable_mkdir -p "$cache_root" 2>/dev/null || true args=(-o json cache mount "--dry_run=false" "--cache_root=${cache_root}" "${mode_args[@]}") diff --git a/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md b/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md index e76b570..19686c0 100644 --- a/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md +++ b/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md @@ -47,6 +47,10 @@ The same change also makes the forge itself the release authority: release tags - `//bazel/apple:release_macos_stamp` These targets wrap the existing Xcode project and give the workflow one stable entrypoint that shares the same Bazel/Nix cache setup while Burrow decides whether deeper `rules_apple` targets are worth the migration. - Use Namespace cache setup before Bazel/Nix work. Prefer the Namespace Bazel remote cache when `nsc` is authenticated and fall back to a local disk/repository cache when remote setup is unavailable. + Cache setup is optional release acceleration: Bazel-only cache steps must not + install filesystem-cache helpers such as `spacectl`, and Namespace cache + probes must be timeout-bounded so Apple builds can continue without the + remote cache. - Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key. - Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`. - Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow.