diff --git a/.bazelrc b/.bazelrc
index 9a05b656..6496413e 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -98,5 +98,5 @@ build --define=open_source_build=true
 common --@aspect_rules_ts//ts:skipLibCheck=always
-# CI-specific overrides (must be last to win over earlier flags like --disk_cache="")
-try-import %workspace%/.bazelrc.ci
+# Remote cache (activated in CI via .bazelrc.local)
+build:ci --experimental_circuit_breaker_strategy=failure
diff --git a/.github/actions/bazel-cache/action.yml b/.github/actions/bazel-cache/action.yml
new file mode 100644
index 00000000..fe2f4db1
--- /dev/null
+++ b/.github/actions/bazel-cache/action.yml
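Review bot: The comment `# Remote cache (activated in CI via .bazelrc.local)` describes the wrong thing — the flag under it is the circuit breaker, while the actual cache endpoint and auth header are written by the new bazel-cache action into `.bazelrc.local`, which is also where `build --config=ci` comes from. The removed `try-import %workspace%/.bazelrc.ci` existed because plain `build` lines in `.bazelrc.local` were overridden by the later `--disk_cache=""`; the `build:ci` form works instead only because Bazel applies `--config` expansions after the plain rc options (as I read the rc parsing rules) and only if `.bazelrc.local` is still try-imported elsewhere in this file, which is outside the hunk. That reasoning is worth keeping next to the line: `# CI-only flags, expanded by the "build --config=ci" that CI writes into .bazelrc.local; config expansions apply after plain rc flags, so these override the --disk_cache="" default for developer machines.`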
@@ -0,0 +1,109 @@
+name: 'Configure Bazel Cache'
+description: 'Set up GCS remote cache and optional disk cache for Bazel builds'
+
+inputs:
+ gcp_project_id:
+ description: 'GCP project ID'
+ required: true
+ workload_identity_provider:
+ description: 'Full workload identity provider resource name'
+ required: true
+ service_account:
+ description: 'GCP service account email'
+ required: true
+ cache_bucket:
+ description: 'GCS bucket name for remote cache'
+ required: true
+ cache_key:
+ description: 'Cache key prefix for disk cache via actions/cache. Omit to skip disk cache.'
+ required: false
+ default: ''
+
+runs:
+ using: 'composite'
+ steps:
+ - name: Authenticate to Google Cloud
+ id: auth
+ continue-on-error: true
+ uses: google-github-actions/auth@v2
+ with:
+ project_id: ${{ inputs.gcp_project_id }}
+ workload_identity_provider: ${{ inputs.workload_identity_provider }}
+ service_account: ${{ inputs.service_account }}
+ token_format: 'access_token'
+
+ - name: Configure Bazel remote cache
+ shell: bash
+ env:
+ AUTH_OUTCOME: ${{ steps.auth.outcome }}
+ CACHE_BUCKET: ${{ inputs.cache_bucket }}
+ ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}
+ EVENT_NAME: ${{ github.event_name }}
+ run: |
+ # Always write config=ci for non-remote flags (circuit breaker, etc.)
+ echo "build --config=ci" >> .bazelrc.local
+
+ # Write cache config to a job-specific file. Bootstrapped projects
+ # (e.g. /tmp/valdi_app) import this via try-import in ~/.bazelrc,
+ # avoiding races when concurrent jobs share a runner.
+ CACHE_RC="/tmp/bazelrc-cache-${GITHUB_RUN_ID}-${GITHUB_JOB}"
+ > "$CACHE_RC"
+ echo "BAZEL_CACHE_RC=$CACHE_RC" >> "$GITHUB_ENV"
+
+ if [ "$AUTH_OUTCOME" != "success" ]; then
+ echo "Auth skipped (expected for fork PRs). Building without remote cache."
+ exit 0
+ fi
+
+ # Checkout directory config
+ echo "build --remote_cache=https://storage.googleapis.com/$CACHE_BUCKET" >> .bazelrc.local
+ echo "build \"--remote_header=Authorization=Bearer $ACCESS_TOKEN\"" >> .bazelrc.local
+ # Only upload cache results on push (trusted) events, not pull requests
+ if [ "$EVENT_NAME" = "push" ] || [ "$EVENT_NAME" = "workflow_dispatch" ] || [ "$EVENT_NAME" = "release" ]; then
+ echo "build --remote_upload_local_results=true" >> .bazelrc.local
+ else
+ echo "build --remote_upload_local_results=false" >> .bazelrc.local
+ fi
+
+ # Point ~/.bazelrc to the job-specific file via try-import.
+ # Single atomic write — no truncation window for concurrent jobs.
+ echo "try-import $CACHE_RC" > ~/.bazelrc
+
+ # Cache config for bootstrapped projects (discovered via try-import above)
+ echo "build --remote_cache=https://storage.googleapis.com/$CACHE_BUCKET" >> "$CACHE_RC"
+ echo "build \"--remote_header=Authorization=Bearer $ACCESS_TOKEN\"" >> "$CACHE_RC"
+ echo "build --experimental_circuit_breaker_strategy=failure" >> "$CACHE_RC"
+ if [ "$EVENT_NAME" = "push" ] || [ "$EVENT_NAME" = "workflow_dispatch" ] || [ "$EVENT_NAME" = "release" ]; then
+ echo "build --remote_upload_local_results=true" >> "$CACHE_RC"
+ else
+ echo "build --remote_upload_local_results=false" >> "$CACHE_RC"
+ fi
+
+ - name: Prune and configure disk cache
+ if: inputs.cache_key != ''
+ shell: bash
+ run: |
+ # Prune old cache files to prevent unbounded growth on persistent runners
+ find "$HOME/.cache/bazel/disk" -type f -atime +7 -delete 2>/dev/null || true
+ find "$HOME/.cache/bazel/repo" -type f -atime +7 -delete 2>/dev/null || true
+
+ echo "build:ci --disk_cache=$HOME/.cache/bazel/disk" >> .bazelrc.local
+ echo "build:ci --repository_cache=$HOME/.cache/bazel/repo" >> .bazelrc.local
+ if [ -n "$BAZEL_CACHE_RC" ]; then
+ echo "build --disk_cache=$HOME/.cache/bazel/disk" >> "$BAZEL_CACHE_RC"
+ echo "build --repository_cache=$HOME/.cache/bazel/repo" >> "$BAZEL_CACHE_RC"
+ fi
+
+ - name: Mount Bazel cache
+ if: inputs.cache_key != '' && runner.environment == 'github-hosted'
+ uses: actions/cache@v4
+ continue-on-error: true
+ with:
+ path: |
+ ~/.cache/bazel/disk
+ ~/.cache/bazel/repo
+ ~/.cache/bazelisk
+ key: bazel-${{ runner.os }}-${{ inputs.cache_key }}-${{ hashFiles('MODULE.bazel', '**/*.bzl') }}-${{ github.run_id }}
+ restore-keys: |
+ bazel-${{ runner.os }}-${{ inputs.cache_key }}-${{ hashFiles('MODULE.bazel', '**/*.bzl') }}-
+ bazel-${{ runner.os }}-${{ inputs.cache_key }}-
diff --git a/.github/workflows/bzl-changes.yml b/.github/workflows/bzl-changes.yml
index 1e544596..aabc4513 100644
--- a/.github/workflows/bzl-changes.yml
+++ b/.github/workflows/bzl-changes.yml
@@ -44,6 +44,13 @@ on:
 - 'apps/snapshot_tests/**'
 - 'snap_drawing/**'
+# Workflow-level permissions: id-token: write needed for GCP WIF auth on push events.
+# For fork PRs, GitHub automatically downgrades to read-only — the auth step
+# has continue-on-error so builds proceed without remote cache.
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 smoke-test:
 name: Valdi Smoke Tests
@@ -55,6 +62,15 @@ jobs:
 with:
 lfs: true
+ - name: Configure Bazel cache
+ uses: ./.github/actions/bazel-cache
+ with:
+ gcp_project_id: ${{ vars.GCP_PROJECT_ID }}
+ workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
+ service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+ cache_bucket: ${{ vars.BAZEL_CACHE_BUCKET }}
+ cache_key: smoke-test
+
 - name: Setup Node.js
 uses: actions/setup-node@v4
 with:
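Review bot: In the auth-skipped branch (`if [ "$AUTH_OUTCOME" != "success" ]` … `exit 0`) `~/.bazelrc` is never rewritten, so on a persistent runner it still try-imports the previous job's `/tmp/bazelrc-cache-*` file, and that file carries the previous job's bearer token plus its `--remote_upload_local_results` setting — exactly what a bootstrapped project in an unauthenticated fork-PR job would then pick up. Since `$CACHE_RC` is already created empty at that point, moving `echo "try-import $CACHE_RC" > ~/.bazelrc` up to directly after the `BAZEL_CACHE_RC` export fixes it and also lets the disk-cache step's writes to `$BAZEL_CACHE_RC` take effect when auth is skipped. The token is also stored in clear text in the checkout's `.bazelrc.local` and in the `/tmp` file under the default umask; `umask 077` before `> "$CACHE_RC"` and `chmod 600 .bazelrc.local` after the first append keep it from other users on a shared runner, and because composite actions have no post step, removing both files on persistent runners needs an `if: always()` cleanup step in the calling job. On push, workflow_dispatch and release events a failed auth is a misconfiguration rather than the expected fork case, so printing `::warning::` instead of the plain echo there keeps a silently cache-less CI from going unnoticed.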
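Review bot: The workflow-level `permissions:` block grants `id-token: write` to every job in bzl-changes.yml, including ones that never call the cache action, and it resets every unlisted scope to `none` for all of them; publish-npm.yml (`@@ -9,6 +9,10 @@`) and release-test.yml (`@@ -18,6 +18,10 @@`) add the same block. Moving it under the jobs that use `./.github/actions/bazel-cache` keeps the OIDC token limited to those jobs, and it is worth confirming that no other job relied on the default token scopes (e.g. `contents: write` for tags or `packages: write` when publishing) — the `contents: read` that had to be added to the `comment-test-results` call later in this file suggests the reset already changes behaviour. The comment above the block should also say what actually happens for fork PRs: `# Fork PRs get no id-token; the auth step has continue-on-error and the build runs without remote cache.`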
@@ -123,32 +139,18 @@ jobs:
 distribution: 'zulu'
 java-version: '17'
+ - name: Configure Bazel cache
+ uses: ./.github/actions/bazel-cache
+ with:
+ gcp_project_id: ${{ vars.GCP_PROJECT_ID }}
+ workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
+ service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+ cache_bucket: ${{ vars.BAZEL_CACHE_BUCKET }}
+ cache_key: ${{ matrix.task }}
+
 - name: Setup Linux environment
 run: source ./tools/ci/setup_linux_env.sh
- - name: Mount Bazel cache
- uses: actions/cache@v4
- timeout-minutes: 5
- continue-on-error: true
- with:
- path: |
- ~/.cache/bazel/disk
- ~/.cache/bazel/repo
- ~/.cache/bazelisk
- key: bazel-${{ runner.os }}-${{ matrix.task }}-${{ hashFiles('MODULE.bazel', '**/*.bzl') }}-${{ github.run_id }}
- restore-keys: |
- bazel-${{ runner.os }}-${{ matrix.task }}-${{ hashFiles('MODULE.bazel', '**/*.bzl') }}-
- bazel-${{ runner.os }}-${{ matrix.task }}-
-
- - name: Configure Bazel CI cache
- run: |
- # Write to .bazelrc.ci which is imported LAST in .bazelrc, so these
- # flags override the default --disk_cache="" for developer machines.
- # Previously written to .bazelrc.local which is imported at the TOP
- # of .bazelrc — the later --disk_cache="" silently overrode it.
- echo "build --disk_cache=$HOME/.cache/bazel/disk" >> .bazelrc.ci
- echo "build --repository_cache=$HOME/.cache/bazel/repo" >> .bazelrc.ci
-
 - name: Setup environment and install Valdi CLI
 if: matrix.task == 'build-export'
 run: |
@@ -185,6 +187,15 @@ jobs:
 with:
 lfs: true
+ - name: Configure Bazel cache
+ uses: ./.github/actions/bazel-cache
+ with:
+ gcp_project_id: ${{ vars.GCP_PROJECT_ID }}
+ workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
+ service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+ cache_bucket: ${{ vars.BAZEL_CACHE_BUCKET }}
+ cache_key: snapshot-tests
+
 - name: Setup Node.js
 uses: actions/setup-node@v4
 with:
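Review bot: The step removed in the first hunk carried `timeout-minutes: 5` on the `actions/cache` mount and the replacement does not — composite-action steps cannot set `timeout-minutes`, so a stalled cache restore now runs until the job's own limit (the job header is outside the hunk; add a job-level `timeout-minutes` there if it has none). The action call is also placed before `Setup Linux environment`, whereas the old mount ran after it; if `tools/ci/setup_linux_env.sh` writes `~/.bazelrc` or `.bazelrc.local` it would now clobber the try-import pointer and the cache flags, which is worth checking. A short comment on the call would save the next reader the same question: `# writes .bazelrc.local and ~/.bazelrc; keep it after checkout and before any step that touches those files`.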
@@ -218,8 +229,9 @@ jobs:
 if: always()
 uses: ./.github/workflows/comment-test-results.yml
 permissions:
+ contents: read
 pull-requests: write
 with:
 workflow_name: "Bazel & CI Test Results"
 success_message: "**All Bazel configuration and CI tests passed!** ✨\n\nThe build system and core tooling are working correctly."
- additional_info: "🚀 _Bazel disk cache is enabled - builds with warm cache will be faster!_"
+ additional_info: "🚀 _Bazel remote cache is now enabled - future builds will be faster!_"
diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
index 3c65d3aa..e82b99e3 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
@@ -9,6 +9,10 @@ on:
 - 'npm_modules/*/package.json'
 workflow_dispatch:
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 detect-changes:
 runs-on: ubuntu-latest
@@ -80,6 +84,14 @@ jobs:
 with:
 lfs: true
+ - name: Configure Bazel cache
+ uses: ./.github/actions/bazel-cache
+ with:
+ gcp_project_id: ${{ vars.GCP_PROJECT_ID }}
+ workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
+ service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+ cache_bucket: ${{ vars.BAZEL_CACHE_BUCKET }}
+
 - name: Setup Node.js
 uses: actions/setup-node@v4
 with:
diff --git a/.github/workflows/release-test.yml b/.github/workflows/release-test.yml
index 40f9821e..1a847cdb 100644
--- a/.github/workflows/release-test.yml
+++ b/.github/workflows/release-test.yml
@@ -18,6 +18,10 @@ on:
 - 'tools/ci/release_test.sh'
 - '.github/workflows/release-test.yml'
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 release-test:
 name: Bootstrap from main (bleeding edge), build & test
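Review bot: publish-npm.yml (`@@ -80,6 +84,14 @@`) and release-test.yml call the action without `cache_key`, which by the action's own input description disables the disk cache and the `actions/cache` mount for those jobs, while the matrix jobs in bzl-changes.yml pass one; nothing says whether that is deliberate, so a comment on the call such as `# remote cache only: no cache_key, so no disk cache / actions/cache mount` would document it. In the bzl-changes hunk the `additional_info` text now says the remote cache is enabled, but the action only uploads on push, workflow_dispatch and release events and skips the cache entirely when auth is unavailable; `_Bazel remote cache is enabled for trusted builds - future builds will be faster!_` states what the workflow actually does.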
@@ -29,6 +33,14 @@ jobs:
 with:
 lfs: true
+ - name: Configure Bazel cache
+ uses: ./.github/actions/bazel-cache
+ with:
+ gcp_project_id: ${{ vars.GCP_PROJECT_ID }}
+ workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
+ service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+ cache_bucket: ${{ vars.BAZEL_CACHE_BUCKET }}
+
 - name: Setup Node.js
 uses: actions/setup-node@v4
 with:
diff --git a/compiler/companion/remotedebug-ios-webkit-adapter/BUILD.bazel b/compiler/companion/remotedebug-ios-webkit-adapter/BUILD.bazel
index a7aaf3c0..d774340b 100644
--- a/compiler/companion/remotedebug-ios-webkit-adapter/BUILD.bazel
+++ b/compiler/companion/remotedebug-ios-webkit-adapter/BUILD.bazel
@@ -38,12 +38,10 @@ ts_project(
 deps = [
 ":node_modules/@types/debug",
 ":node_modules/@types/express",
- ":node_modules/@types/istanbul-lib-coverage",
 ":node_modules/@types/optimist",
 ":node_modules/@types/request",
 ":node_modules/@types/which",
 ":node_modules/@types/ws",
- ":node_modules/gulp-typescript",
 ":node_modules/optimist",
 ],
 )
diff --git a/compiler/companion/remotedebug-ios-webkit-adapter/tsconfig.json b/compiler/companion/remotedebug-ios-webkit-adapter/tsconfig.json
index 7f1f733e..1fc9104a 100644
--- a/compiler/companion/remotedebug-ios-webkit-adapter/tsconfig.json
+++ b/compiler/companion/remotedebug-ios-webkit-adapter/tsconfig.json
@@ -6,7 +6,8 @@
 "composite": true,
 "declaration": true,
 "outDir": "src",
- "rootDir": "src"
+ "rootDir": "src",
+ "types": []
 },
 "include": ["src/**/*.ts", "package.json"],
 "exclude": ["src/**/*.json", "node_modules"]
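Review bot: `"types": []` stops TypeScript from auto-loading every `@types/*` package under node_modules, which is presumably why `@types/istanbul-lib-coverage` could be dropped from BUILD.bazel; the `@types/*` entries that remain in `deps` now only take effect for modules that are imported from source, so any package needed purely for ambient globals would have to be named in the `types` array explicitly. tsconfig.json cannot hold a comment, so record the intent above `deps = [` in BUILD.bazel: `# tsconfig sets "types": [], so @types deps below must be imported explicitly to take effect`. These two files are unrelated to the cache work and would bisect more cleanly as their own commit.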