Upload gyp packages to S3 after building

After building native module packages (bcrypt, cld, unix-dgram, @datadog/pprof),
upload them to s3://asana-oss-cache/node-gyp/v1/ in addition to the GitHub Release.

This enables codez to fetch these packages via Bazel http_file instead of
committing ~112 MB of tarballs to git, saving ~305 MB total per checkout
(node18/node20 tarballs are dead code and will be deleted).

Changes:
- build-node-packages.yml: Add AWS OIDC auth + S3 upload step after release upload
- stage_for_s3.bash: Separate packages_*.tar.gz before fibers loop to prevent
  them from being incorrectly mixed into the fibers archive

Requires IAM role `push_node_gyp_packages` to be provisioned first
(Asana/codez PR #388637).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: harshita-gupta

.github/workflows/build-node-packages.yml

@@ -12,14 +12,19 @@ on:
 jobs:
   build-packages:
     if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+    permissions:
+      id-token: write
+      contents: write
     strategy:
       matrix:
         include:
           - platform: linux
             arch: x64
+            bazel_arch: amd64
             runs_on: ubuntu-22.04
           - platform: linux
             arch: arm64
+            bazel_arch: arm64
             runs_on: ubuntu-22.04-arm
     runs-on: ${{ matrix.runs_on }}
 
@@ -75,3 +80,22 @@ jobs:
           files: packages_${{matrix.arch}}.tar.gz
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::403483446840:role/autogen_github_actions_beta_push_node_gyp_packages
+
+      - name: Upload packages to S3
+        run: |
+          NODE_MAJOR=$(echo "${{ env.NODE_VERSION }}" | sed 's/^v//' | cut -d. -f1)
+          S3_KEY="node-gyp/v1/packages_${{ matrix.bazel_arch }}_node${NODE_MAJOR}.tar.gz"
+          echo "Uploading packages_${{ matrix.arch }}.tar.gz to s3://asana-oss-cache/${S3_KEY}"
+          aws s3 cp "packages_${{ matrix.arch }}.tar.gz" "s3://asana-oss-cache/${S3_KEY}" --acl public-read
+          echo "SHA256: $(sha256sum packages_${{ matrix.arch }}.tar.gz | awk '{print $1}')"
+          echo ""
+          echo "Update tools_repositories.bzl with:"
+          echo "  name = \"node_gyp_packages_${{ matrix.bazel_arch }}_node${NODE_MAJOR}\","
+          echo "  urls = [\"https://asana-oss-cache.s3.us-east-1.amazonaws.com/${S3_KEY}\"],"
+          echo "  sha256 = \"$(sha256sum packages_${{ matrix.arch }}.tar.gz | awk '{print $1}')\","

stage_for_s3.bash

@@ -10,6 +10,21 @@ echo "Current timestamp is $TIMESTAMP"
 gh release download -p "*.gz"
 gh release download -p "*.xz"
 
+# Separate packages tarballs — these are uploaded to S3 by the build-node-packages.yml
+# workflow and consumed by Bazel via http_file in codez. They should NOT be mixed into
+# the fibers archive.
+echo ""
+echo "=== Native packages (node-gyp) ==="
+echo "These are uploaded to s3://asana-oss-cache/node-gyp/ by the build-node-packages.yml workflow."
+for pkg in packages_*.tar.gz; do
+  if [ -f "$pkg" ]; then
+    echo "  $pkg: sha256=$(sha256sum "$pkg" | awk '{print $1}')"
+    rm "$pkg"
+  fi
+done
+echo "No manual action needed for packages — they are already in S3."
+echo ""
+
 curl "https://asana-oss-cache.s3.us-east-1.amazonaws.com/node-fibers/fibers-5.0.4.pc.tgz"  --output fibers-5.0.4.tar.gz
 tar -xzf fibers-5.0.4.tar.gz