diff --git a/Scripts/ci/nscloud-cache.sh b/Scripts/ci/nscloud-cache.sh index cee2b25..1f9ce09 100755 --- a/Scripts/ci/nscloud-cache.sh +++ b/Scripts/ci/nscloud-cache.sh @@ -132,8 +132,14 @@ if [[ -z "$cache_root" ]]; then break fi done - elif ensure_dir "$PWD/.nscloud-cache"; then - cache_root="$PWD/.nscloud-cache" + else + tmp_root="${RUNNER_TEMP:-${TMPDIR:-/tmp}}/burrow-nscloud-cache" + for candidate in "$tmp_root" "$PWD/.nscloud-cache"; do + if ensure_dir "$candidate"; then + cache_root="$candidate" + break + fi + done fi fi diff --git a/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md b/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md index e3d0744..56847b2 100644 --- a/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md +++ b/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md @@ -65,6 +65,9 @@ The same change also makes the forge itself the release authority: release tags - The CI shell should prefer currently supported Node runtimes when nixpkgs marks an older major insecure. Release workers must fail on product build errors, not on avoidable toolchain end-of-life policy checks. +- Bazel repository and disk caches must live outside the checked-out repository + on macOS runners. Bazel 9 rejects a repository contents cache inside the main + repo because it can create spurious build graph failures. - Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key. - Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`. - Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow.