Move macOS Bazel cache outside checkout
This commit is contained in:
parent
8e95014840
commit
5150faad99
2 changed files with 11 additions and 2 deletions
|
|
@ -132,8 +132,14 @@ if [[ -z "$cache_root" ]]; then
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
elif ensure_dir "$PWD/.nscloud-cache"; then
|
else
|
||||||
cache_root="$PWD/.nscloud-cache"
|
tmp_root="${RUNNER_TEMP:-${TMPDIR:-/tmp}}/burrow-nscloud-cache"
|
||||||
|
for candidate in "$tmp_root" "$PWD/.nscloud-cache"; do
|
||||||
|
if ensure_dir "$candidate"; then
|
||||||
|
cache_root="$candidate"
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -65,6 +65,9 @@ The same change also makes the forge itself the release authority: release tags
|
||||||
- The CI shell should prefer currently supported Node runtimes when nixpkgs
|
- The CI shell should prefer currently supported Node runtimes when nixpkgs
|
||||||
marks an older major insecure. Release workers must fail on product build
|
marks an older major insecure. Release workers must fail on product build
|
||||||
errors, not on avoidable toolchain end-of-life policy checks.
|
errors, not on avoidable toolchain end-of-life policy checks.
|
||||||
|
- Bazel repository and disk caches must live outside the checked-out repository
|
||||||
|
on macOS runners. Bazel 9 rejects a repository contents cache inside the main
|
||||||
|
repo because it can create spurious build graph failures.
|
||||||
- Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key.
|
- Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key.
|
||||||
- Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`.
|
- Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`.
|
||||||
- Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow.
|
- Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow.
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue