Enable Bazel GCS remote cache for CI

.bazelrc

@@ -98,5 +98,5 @@ build --define=open_source_build=true
 
 common --@aspect_rules_ts//ts:skipLibCheck=always
 
-# CI-specific overrides (must be last to win over earlier flags like --disk_cache="")
-try-import %workspace%/.bazelrc.ci
+# Remote cache (activated in CI via .bazelrc.local)
+build:ci --experimental_circuit_breaker_strategy=failure

.github/actions/bazel-cache/action.yml

@@ -0,0 +1,109 @@
+name: 'Configure Bazel Cache'
+description: 'Set up GCS remote cache and optional disk cache for Bazel builds'
+
+inputs:
+  gcp_project_id:
+    description: 'GCP project ID'
+    required: true
+  workload_identity_provider:
+    description: 'Full workload identity provider resource name'
+    required: true
+  service_account:
+    description: 'GCP service account email'
+    required: true
+  cache_bucket:
+    description: 'GCS bucket name for remote cache'
+    required: true
+  cache_key:
+    description: 'Cache key prefix for disk cache via actions/cache. Omit to skip disk cache.'
+    required: false
+    default: ''
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Authenticate to Google Cloud
+      id: auth
+      continue-on-error: true
+      uses: google-github-actions/auth@v2
+      with:
+        project_id: ${{ inputs.gcp_project_id }}
+        workload_identity_provider: ${{ inputs.workload_identity_provider }}
+        service_account: ${{ inputs.service_account }}
+        token_format: 'access_token'
+
+    - name: Configure Bazel remote cache
+      shell: bash
+      env:
+        AUTH_OUTCOME: ${{ steps.auth.outcome }}
+        CACHE_BUCKET: ${{ inputs.cache_bucket }}
+        ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}
+        EVENT_NAME: ${{ github.event_name }}
+      run: |
+        # Always write config=ci for non-remote flags (circuit breaker, etc.)
+        echo "build --config=ci" >> .bazelrc.local
+
+        # Write cache config to a job-specific file. Bootstrapped projects
+        # (e.g. /tmp/valdi_app) import this via try-import in ~/.bazelrc,
+        # avoiding races when concurrent jobs share a runner.
+        CACHE_RC="/tmp/bazelrc-cache-${GITHUB_RUN_ID}-${GITHUB_JOB}"
+        > "$CACHE_RC"
+        echo "BAZEL_CACHE_RC=$CACHE_RC" >> "$GITHUB_ENV"
+
+        if [ "$AUTH_OUTCOME" != "success" ]; then
+          echo "Auth skipped (expected for fork PRs). Building without remote cache."
+          exit 0
+        fi
+
+        # Checkout directory config
+        echo "build --remote_cache=https://storage.googleapis.com/$CACHE_BUCKET" >> .bazelrc.local
+        echo "build \"--remote_header=Authorization=Bearer $ACCESS_TOKEN\"" >> .bazelrc.local
+        # Only upload cache results on push (trusted) events, not pull requests
+        if [ "$EVENT_NAME" = "push" ] || [ "$EVENT_NAME" = "workflow_dispatch" ] || [ "$EVENT_NAME" = "release" ]; then
+          echo "build --remote_upload_local_results=true" >> .bazelrc.local
+        else
+          echo "build --remote_upload_local_results=false" >> .bazelrc.local
+        fi
+
+        # Point ~/.bazelrc to the job-specific file via try-import.
+        # Single atomic write — no truncation window for concurrent jobs.
+        echo "try-import $CACHE_RC" > ~/.bazelrc
+
+        # Cache config for bootstrapped projects (discovered via try-import above)
+        echo "build --remote_cache=https://storage.googleapis.com/$CACHE_BUCKET" >> "$CACHE_RC"
+        echo "build \"--remote_header=Authorization=Bearer $ACCESS_TOKEN\"" >> "$CACHE_RC"
+        echo "build --experimental_circuit_breaker_strategy=failure" >> "$CACHE_RC"
+        if [ "$EVENT_NAME" = "push" ] || [ "$EVENT_NAME" = "workflow_dispatch" ] || [ "$EVENT_NAME" = "release" ]; then
+          echo "build --remote_upload_local_results=true" >> "$CACHE_RC"
+        else
+          echo "build --remote_upload_local_results=false" >> "$CACHE_RC"
+        fi
+
+    - name: Prune and configure disk cache
+      if: inputs.cache_key != ''
+      shell: bash
+      run: |
+        # Prune old cache files to prevent unbounded growth on persistent runners
+        find "$HOME/.cache/bazel/disk" -type f -atime +7 -delete 2>/dev/null || true
+        find "$HOME/.cache/bazel/repo" -type f -atime +7 -delete 2>/dev/null || true
+
+        echo "build:ci --disk_cache=$HOME/.cache/bazel/disk" >> .bazelrc.local
+        echo "build:ci --repository_cache=$HOME/.cache/bazel/repo" >> .bazelrc.local
+        if [ -n "$BAZEL_CACHE_RC" ]; then
+          echo "build --disk_cache=$HOME/.cache/bazel/disk" >> "$BAZEL_CACHE_RC"
+          echo "build --repository_cache=$HOME/.cache/bazel/repo" >> "$BAZEL_CACHE_RC"
+        fi
+
+    - name: Mount Bazel cache
+      if: inputs.cache_key != '' && runner.environment == 'github-hosted'
+      uses: actions/cache@v4
+      continue-on-error: true
+      with:
+        path: |
+          ~/.cache/bazel/disk
+          ~/.cache/bazel/repo
+          ~/.cache/bazelisk
+        key: bazel-${{ runner.os }}-${{ inputs.cache_key }}-${{ hashFiles('MODULE.bazel', '**/*.bzl') }}-${{ github.run_id }}
+        restore-keys: |
+          bazel-${{ runner.os }}-${{ inputs.cache_key }}-${{ hashFiles('MODULE.bazel', '**/*.bzl') }}-
+          bazel-${{ runner.os }}-${{ inputs.cache_key }}-

.github/workflows/bzl-changes.yml

@@ -44,6 +44,13 @@ on:
       - 'apps/snapshot_tests/**'
       - 'snap_drawing/**'
 
+# Workflow-level permissions: id-token: write needed for GCP WIF auth on push events.
+# For fork PRs, GitHub automatically downgrades to read-only — the auth step
+# has continue-on-error so builds proceed without remote cache.
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   smoke-test:
     name: Valdi Smoke Tests
@@ -55,6 +62,15 @@ jobs:
         with:
           lfs: true
 
+      - name: Configure Bazel cache
+        uses: ./.github/actions/bazel-cache
+        with:
+          gcp_project_id: ${{ vars.GCP_PROJECT_ID }}
+          workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+          cache_bucket: ${{ vars.BAZEL_CACHE_BUCKET }}
+          cache_key: smoke-test
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
@@ -123,32 +139,18 @@ jobs:
           distribution: 'zulu'
           java-version: '17'
 
+      - name: Configure Bazel cache
+        uses: ./.github/actions/bazel-cache
+        with:
+          gcp_project_id: ${{ vars.GCP_PROJECT_ID }}
+          workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+          cache_bucket: ${{ vars.BAZEL_CACHE_BUCKET }}
+          cache_key: ${{ matrix.task }}
+
       - name: Setup Linux environment
         run: source ./tools/ci/setup_linux_env.sh
 
-      - name: Mount Bazel cache
-        uses: actions/cache@v4
-        timeout-minutes: 5
-        continue-on-error: true
-        with:
-          path: |
-            ~/.cache/bazel/disk
-            ~/.cache/bazel/repo
-            ~/.cache/bazelisk
-          key: bazel-${{ runner.os }}-${{ matrix.task }}-${{ hashFiles('MODULE.bazel', '**/*.bzl') }}-${{ github.run_id }}
-          restore-keys: |
-            bazel-${{ runner.os }}-${{ matrix.task }}-${{ hashFiles('MODULE.bazel', '**/*.bzl') }}-
-            bazel-${{ runner.os }}-${{ matrix.task }}-
-
-      - name: Configure Bazel CI cache
-        run: |
-          # Write to .bazelrc.ci which is imported LAST in .bazelrc, so these
-          # flags override the default --disk_cache="" for developer machines.
-          # Previously written to .bazelrc.local which is imported at the TOP
-          # of .bazelrc — the later --disk_cache="" silently overrode it.
-          echo "build --disk_cache=$HOME/.cache/bazel/disk" >> .bazelrc.ci
-          echo "build --repository_cache=$HOME/.cache/bazel/repo" >> .bazelrc.ci
-
       - name: Setup environment and install Valdi CLI
         if: matrix.task == 'build-export'
         run: |
@@ -185,6 +187,15 @@ jobs:
         with:
           lfs: true
 
+      - name: Configure Bazel cache
+        uses: ./.github/actions/bazel-cache
+        with:
+          gcp_project_id: ${{ vars.GCP_PROJECT_ID }}
+          workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+          cache_bucket: ${{ vars.BAZEL_CACHE_BUCKET }}
+          cache_key: snapshot-tests
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
@@ -218,8 +229,9 @@ jobs:
     if: always()
     uses: ./.github/workflows/comment-test-results.yml
     permissions:
+      contents: read
       pull-requests: write
     with:
       workflow_name: "Bazel & CI Test Results"
       success_message: "**All Bazel configuration and CI tests passed!** ✨\n\nThe build system and core tooling are working correctly."
-      additional_info: "🚀 _Bazel disk cache is enabled - builds with warm cache will be faster!_"
+      additional_info: "🚀 _Bazel remote cache is now enabled - future builds will be faster!_"

.github/workflows/publish-npm.yml

@@ -9,6 +9,10 @@ on:
       - 'npm_modules/*/package.json'
   workflow_dispatch:
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   detect-changes:
     runs-on: ubuntu-latest
@@ -80,6 +84,14 @@ jobs:
         with:
           lfs: true
 
+      - name: Configure Bazel cache
+        uses: ./.github/actions/bazel-cache
+        with:
+          gcp_project_id: ${{ vars.GCP_PROJECT_ID }}
+          workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+          cache_bucket: ${{ vars.BAZEL_CACHE_BUCKET }}
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:

.github/workflows/release-test.yml

@@ -18,6 +18,10 @@ on:
       - 'tools/ci/release_test.sh'
       - '.github/workflows/release-test.yml'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   release-test:
     name: Bootstrap from main (bleeding edge), build & test
@@ -29,6 +33,14 @@ jobs:
         with:
           lfs: true
 
+      - name: Configure Bazel cache
+        uses: ./.github/actions/bazel-cache
+        with:
+          gcp_project_id: ${{ vars.GCP_PROJECT_ID }}
+          workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+          cache_bucket: ${{ vars.BAZEL_CACHE_BUCKET }}
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:

compiler/companion/remotedebug-ios-webkit-adapter/BUILD.bazel

@@ -38,12 +38,10 @@ ts_project(
     deps = [
         ":node_modules/@types/debug",
         ":node_modules/@types/express",
-        ":node_modules/@types/istanbul-lib-coverage",
         ":node_modules/@types/optimist",
         ":node_modules/@types/request",
         ":node_modules/@types/which",
         ":node_modules/@types/ws",
-        ":node_modules/gulp-typescript",
         ":node_modules/optimist",
     ],
 )

compiler/companion/remotedebug-ios-webkit-adapter/tsconfig.json

@@ -6,7 +6,8 @@
     "composite": true,
     "declaration": true,
     "outDir": "src",
-    "rootDir": "src"
+    "rootDir": "src",
+    "types": []
   },
   "include": ["src/**/*.ts", "package.json"],
   "exclude": ["src/**/*.json", "node_modules"]