Make Namespace cache setup fail open
Some checks failed
Build: Android / Android Rust Core Stub (push) Failing after 22s
Build Rust / Cargo Test (push) Successful in 4m3s
Build Site / Next.js Build (push) Failing after 5s
Lint Governance / BEP Metadata (push) Successful in 1s

This commit is contained in:
Conrad Kramer 2026-06-07 09:51:35 -07:00
parent dba641035b
commit 2da04bc317
2 changed files with 29 additions and 13 deletions

View file

@ -19,6 +19,16 @@ portable_mkdir() {
command -p mkdir "$@"
}
optional_timeout() {
local duration="$1"
shift
if command -v timeout >/dev/null 2>&1; then
timeout "$duration" "$@"
else
"$@"
fi
}
append_bazel_storage_cache() {
local bazelrc_path="$1"
local cache_root="${BURROW_BAZEL_STORAGE_CACHE:-}"
@ -61,7 +71,9 @@ configure_bazel_remote_cache() {
local bazelrc_path
bazelrc_path="${NSC_BAZELRC_PATH:-${TMPDIR:-/tmp}/burrow-nsc-cache.bazelrc}"
portable_mkdir -p "$(dirname "$bazelrc_path")"
if nsc auth check-login >/dev/null 2>&1 && nsc cache bazel setup --bazelrc "$bazelrc_path" >/dev/null 2>&1; then
local probe_timeout="${BURROW_NSC_CACHE_PROBE_TIMEOUT:-30s}"
if optional_timeout "$probe_timeout" nsc auth check-login >/dev/null 2>&1 &&
optional_timeout "$probe_timeout" nsc cache bazel setup --bazelrc "$bazelrc_path" >/dev/null 2>&1; then
append_bazel_storage_cache "$bazelrc_path"
export BURROW_BAZEL_NSCCACHE_BAZELRC="$bazelrc_path"
export BURROW_BAZEL_NSCCACHE_ACTIVE=1
@ -122,18 +134,6 @@ if [[ -n "${GITHUB_ENV:-}" ]]; then
echo "NSC_CACHE_PATH=$cache_root" >> "$GITHUB_ENV"
fi
spacectl_bin_dir="${RUNNER_TEMP:-${TMPDIR:-/tmp}}/spacectl-bin"
if ! command -v spacectl >/dev/null 2>&1; then
if ! bash Scripts/ci/ensure-spacectl.sh; then
echo "::warning ::Unable to install spacectl; skipping filesystem cache mount."
configure_bazel_remote_cache
exit 0
fi
if [[ -x "${spacectl_bin_dir}/spacectl" ]]; then
export PATH="${spacectl_bin_dir}:$PATH"
fi
fi
mode_args=()
for mode in "$@"; do
[[ -z "$mode" ]] && continue
@ -157,6 +157,18 @@ if [[ "${#mode_args[@]}" -eq 0 ]]; then
exit 0
fi
spacectl_bin_dir="${RUNNER_TEMP:-${TMPDIR:-/tmp}}/spacectl-bin"
if ! command -v spacectl >/dev/null 2>&1; then
if ! bash Scripts/ci/ensure-spacectl.sh; then
echo "::warning ::Unable to install spacectl; skipping filesystem cache mount."
configure_bazel_remote_cache
exit 0
fi
if [[ -x "${spacectl_bin_dir}/spacectl" ]]; then
export PATH="${spacectl_bin_dir}:$PATH"
fi
fi
portable_mkdir -p "$cache_root" 2>/dev/null || true
args=(-o json cache mount "--dry_run=false" "--cache_root=${cache_root}" "${mode_args[@]}")

View file

@ -47,6 +47,10 @@ The same change also makes the forge itself the release authority: release tags
- `//bazel/apple:release_macos_stamp`
These targets wrap the existing Xcode project and give the workflow one stable entrypoint that shares the same Bazel/Nix cache setup while Burrow decides whether deeper `rules_apple` targets are worth the migration.
- Use Namespace cache setup before Bazel/Nix work. Prefer the Namespace Bazel remote cache when `nsc` is authenticated and fall back to a local disk/repository cache when remote setup is unavailable.
Cache setup is optional release acceleration: Bazel-only cache steps must not
install filesystem-cache helpers such as `spacectl`, and Namespace cache
probes must be timeout-bounded so Apple builds can continue without the
remote cache.
- Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key.
- Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`.
- Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow.