Move macOS Bazel cache outside checkout
Some checks failed
Build: Android / Android Rust Core Stub (push) Failing after 22s
Build Site / Next.js Build (push) Waiting to run
Lint Governance / BEP Metadata (push) Waiting to run
Build Rust / Cargo Test (push) Has been cancelled

This commit is contained in:
Conrad Kramer 2026-06-07 10:34:44 -07:00
parent 8e95014840
commit 5150faad99
2 changed files with 11 additions and 2 deletions

View file

@ -132,8 +132,14 @@ if [[ -z "$cache_root" ]]; then
break break
fi fi
done done
elif ensure_dir "$PWD/.nscloud-cache"; then else
cache_root="$PWD/.nscloud-cache" tmp_root="${RUNNER_TEMP:-${TMPDIR:-/tmp}}/burrow-nscloud-cache"
for candidate in "$tmp_root" "$PWD/.nscloud-cache"; do
if ensure_dir "$candidate"; then
cache_root="$candidate"
break
fi
done
fi fi
fi fi

View file

@ -65,6 +65,9 @@ The same change also makes the forge itself the release authority: release tags
- The CI shell should prefer currently supported Node runtimes when nixpkgs - The CI shell should prefer currently supported Node runtimes when nixpkgs
marks an older major insecure. Release workers must fail on product build marks an older major insecure. Release workers must fail on product build
errors, not on avoidable toolchain end-of-life policy checks. errors, not on avoidable toolchain end-of-life policy checks.
- Bazel repository and disk caches must live outside the checked-out repository
on macOS runners. Bazel 9 rejects a repository contents cache inside the main
repo because it can create spurious build graph failures.
- Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key. - Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key.
- Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`. - Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`.
- Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow. - Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow.