Run Apple cache setup outside Nix shell
This commit is contained in:
parent
2da04bc317
commit
4a1ea9b471
2 changed files with 5 additions and 5 deletions
|
|
@ -179,8 +179,7 @@ jobs:
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
NIX_BIN="$(bash Scripts/ci/resolve-nix-bin.sh)"
|
bash Scripts/ci/nscloud-cache.sh bazel
|
||||||
"$NIX_BIN" develop .#ci --command bash Scripts/ci/nscloud-cache.sh bazel
|
|
||||||
|
|
||||||
- name: Build Staged iOS Artifact
|
- name: Build Staged iOS Artifact
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|
@ -274,8 +273,7 @@ jobs:
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
NIX_BIN="$(bash Scripts/ci/resolve-nix-bin.sh)"
|
bash Scripts/ci/nscloud-cache.sh bazel
|
||||||
"$NIX_BIN" develop .#ci --command bash Scripts/ci/nscloud-cache.sh bazel
|
|
||||||
|
|
||||||
- name: Build Staged macOS Artifact
|
- name: Build Staged macOS Artifact
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|
|
||||||
|
|
@ -50,7 +50,9 @@ The same change also makes the forge itself the release authority: release tags
|
||||||
Cache setup is optional release acceleration: Bazel-only cache steps must not
|
Cache setup is optional release acceleration: Bazel-only cache steps must not
|
||||||
install filesystem-cache helpers such as `spacectl`, and Namespace cache
|
install filesystem-cache helpers such as `spacectl`, and Namespace cache
|
||||||
probes must be timeout-bounded so Apple builds can continue without the
|
probes must be timeout-bounded so Apple builds can continue without the
|
||||||
remote cache.
|
remote cache. Apple workflows should call the fail-open cache helper directly
|
||||||
|
instead of entering the full Nix development shell just to decide whether a
|
||||||
|
cache is available.
|
||||||
- Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key.
|
- Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key.
|
||||||
- Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`.
|
- Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`.
|
||||||
- Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow.
|
- Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow.
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue