ci(INFRA-3597): Phase 5 — Namespace APK fingerprint cache and artifact validation (#29886)

bsgrigorov · alucardzom · cursoragent · web-flow · commit 0bfd75534752 · 2026-05-14T13:43:21.000Z
## **Description** INFRA-3597 Phase 5 — Cache and Artifact Architecture for Namespace runner migration. Replaces fragile caches without changing build-output contracts, covering all cache families across Android and iOS builds and E2E tests. **Changes:** ### Android Cache Architecture - **Gradle local cache**: `cache: gradle` + `cache: maven` via `nscloud-cache-action` in `build-android-e2e.yml` and `run-e2e-workflow.yml` - **Gradle remote build cache**: `nsc cache gradle setup` with branch-based write policy (`--push=false` for PR/fork branches) - **APK fingerprint cache**: Marker-based at `$GRADLE_USER_HOME/apk-cache/` — cache hit skips full build - **Yarn + .metamask + node_modules**: Cached via `nscloud-cache-action` in all relevant workflows - **E2E shards**: Share the `metamask-android-build` cache volume (single tag per Namespace recommendation for best convergence) ### iOS Cache Architecture - **CocoaPods**: `cache: cocoapods` in `build-ios-e2e.yml` and `run-e2e-workflow.yml` - **Xcode/DerivedData**: `cache: xcode` in `build-ios-e2e.yml` (replaces `cirruslabs/cache` on Namespace) - **Detox framework cache**: `~/Library/Detox` path in iOS E2E `nscloud-cache-action` - **macOS symlink limitation**: `node_modules`, `ios/vendor/bundle`, `~/.cocoapods/repos` excluded from explicit cache paths — on macOS `nscloud-cache-action` uses symlinks which break Xcode ScanDependencies and Ruby/Bundler require chains ### Cache Write Policy - Gradle remote build cache: only `main`, `release/*`, `stable/*` can push (`--push=true`); PR/fork branches read-only (`--push=false`) - Cache volumes (nscloud-cache-action): read+write for all branches per Namespace recommendation (convergence model benefits from all jobs contributing cache generations) ### Infrastructure Fixes - Skip overlapping `actions/cache` steps in `setup-e2e-env` when `runner_provider == 'namespace'` (Android system image, Yarn, Bundler, CocoaPods specs) - Remove `/opt/android-sdk/system-images/...` from `nscloud-cache-action` paths (pre-baked in Dockerfile base image, permission denied on bind-mount) - Cap Jest `--maxWorkers=50%` on Namespace unit shards to reduce OOM SIGKILL risk ### Rollback Safety - All Namespace-specific logic gated on `inputs.runner_provider == 'namespace'` - `runner_provider=current` path unchanged and validated ## **Acceptance Criteria Status** | # | Criterion | Status | |---|-----------|--------| | 1 | Cache write policy enforced (PR/fork read-only) | DONE | | 2 | Yarn + `.metamask` converted | DONE | | 3 | Gradle local + remote build cache | DONE | | 4 | Gradle remote cache hits verified (2+ builds) | DONE | | 5 | APK fingerprint cache | DONE | | 6 | CocoaPods/Bundler cache | DONE | | 7 | DerivedData/Xcode cache | DONE | | 8 | Detox framework cache | DONE | | 9 | `node_modules` tarball preserved | DONE | | 10 | `fail-on-cache-miss` not removed | DONE | | 11 | `nscloud-checkout-action` not adopted (INFRA-3628) | CORRECT | | 12 | Dashboard metrics after 2-day warm-up | Follow-up ticket (reviewed after warm-up) | ## **Validation Runs** | Run | Provider | Result | |-----|----------|--------| | [25792720168](https://github.com/MetaMask/metamask-mobile/actions/runs/25792720168) | namespace | Android 27/27 E2E pass, iOS 23/27 (3 confirmations flakes), builds pass | | [25795480025](https://github.com/MetaMask/metamask-mobile/actions/runs/25795480025) | current | Rollback validation (in progress) | ## **Changelog** CHANGELOG entry: null ## **Related issues** Fixes: INFRA-3597 (parent epic INFRA-3511) ## **Manual testing steps** 1. Dispatch `ci.yml` with `runner_provider=namespace` — all builds and E2E tests should pass (except known flakes) 2. Dispatch `ci.yml` with `runner_provider=current` — confirms existing Cirrus/GitHub runner path is unaffected 3. Check Namespace cache dashboard after 2-day warm-up for steady-state hit rates ## **Screenshots/Recordings** N/A — CI infrastructure PR. ## **Pre-merge author checklist** - [x] I've followed MetaMask Contributor Docs and Coding Standards. - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using JSDoc format if applicable - [x] I've applied the right labels on the PR ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR - [ ] I confirm that this PR addresses all acceptance criteria  --- > [!NOTE] > **Medium Risk** > Touches CI build/test gating and caching behavior across Android/iOS and E2E workflows; misconfiguration could cause cache poisoning/misses or skipped builds that break downstream tests. > > **Overview** > Introduces Namespace-runner cache configuration via `namespacelabs/nscloud-cache-action` for Android (Gradle/Maven + `apk-cache`) and iOS (CocoaPods/Xcode + Detox cache in E2E runner), and skips redundant `actions/cache` restores/saves in `setup-e2e-env` when `runner_provider == 'namespace'`. > > Adds a **Namespace-only Android APK fingerprint cache** (marker + stored APKs under `${GRADLE_USER_HOME}/apk-cache`) that can short-circuit the native build path, plus Namespace Gradle remote build cache setup with branch-based push policy. > > Adjusts CI stability on Namespace Linux by appending `--maxWorkers=50%` to sharded Jest unit runs to reduce OOM kills. > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 9fc9d14. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>  --------- Co-authored-by: Alejandro Som <560018+alucardzom@users.noreply.github.com> Co-authored-by: Cursor <cursoragent@cursor.com>
diff --git a/.github/actions/setup-e2e-env/action.yml b/.github/actions/setup-e2e-env/action.yml
@@ -161,9 +161,9 @@ runs:
         sudo chown -R "$(id -u):$(id -g)" "$CACHE_PATH" /opt/android-sdk/.temp
       shell: bash
 
-    # Restore exact system image from cache
+    # Restore exact system image from cache (GitHub only — Namespace uses nscloud-cache-action in callers)
     - name: Restore Android system image from cache
-      if: ${{ inputs.platform == 'android' && inputs.setup-simulator == 'true' }}
+      if: ${{ inputs.platform == 'android' && inputs.setup-simulator == 'true' && inputs.runner_provider != 'namespace' }}
       id: android-system-image-cache
       uses: actions/cache/restore@v4
       with:
@@ -215,6 +215,7 @@ runs:
         ${{
           inputs.platform == 'android' &&
           inputs.setup-simulator == 'true' &&
+          inputs.runner_provider != 'namespace' &&
           steps.android-system-image-cache.outputs.cache-hit != 'true' &&
           github.event_name != 'pull_request' &&
           github.event_name != 'pull_request_target' &&
@@ -295,6 +296,7 @@ runs:
         command: ${{ steps.get-corepack-command.outputs.COREPACK_COMMAND }}
 
     - name: Restore Yarn cache
+      if: ${{ inputs.runner_provider != 'namespace' }}
       uses: actions/cache@v4
       with:
         path: |
@@ -342,7 +344,7 @@ runs:
       shell: bash
 
     - name: Restore Bundler cache
-      if: ${{ inputs.platform == 'ios' }}
+      if: ${{ inputs.platform == 'ios' && inputs.runner_provider != 'namespace' }}
       uses: actions/cache@v4
       with:
         path: ios/vendor/bundle
@@ -399,7 +401,7 @@ runs:
       shell: bash
 
     - name: Restore CocoaPods specs cache
-      if: ${{ inputs.platform == 'ios' }}
+      if: ${{ inputs.platform == 'ios' && inputs.runner_provider != 'namespace' }}
       id: cocoapods-specs-cache
       uses: actions/cache@v4
       with:
diff --git a/.github/workflows/build-android-e2e.yml b/.github/workflows/build-android-e2e.yml
@@ -64,13 +64,29 @@ jobs:
         if: ${{ inputs.runner_provider == 'namespace' }}
         uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1
         with:
+          cache: |
+            gradle
+            maven
           path: |
             ~/.cache/yarn
             .metamask
             node_modules
             .yarn/cache
             ${{ env.GRADLE_USER_HOME }}/caches
             ${{ env.GRADLE_USER_HOME }}/wrapper
+            ${{ env.GRADLE_USER_HOME }}/apk-cache
+
+      - name: Configure Gradle remote build cache
+        if: ${{ inputs.runner_provider == 'namespace' }}
+        run: |
+          mkdir -p "$GRADLE_USER_HOME/init.d"
+          REF="${GITHUB_REF_NAME}"
+          PUSH=true
+          if [[ "$REF" != "main" && "$REF" != release/* && "$REF" != stable/* ]]; then
+            PUSH=false
+          fi
+          nsc cache gradle setup --push="$PUSH" --init-gradle "$GRADLE_USER_HOME/init.d/namespace-cache.init.gradle"
+          echo "Gradle remote build cache configured (push=$PUSH) at $GRADLE_USER_HOME/init.d/namespace-cache.init.gradle"
 
       - name: Report source fingerprint
         run: |
@@ -102,6 +118,50 @@ jobs:
             exit 1
           fi
 
+      - name: Check Namespace E2E APK cache
+        id: namespace-apk-cache
+        if: ${{ inputs.runner_provider == 'namespace' && steps.force-builds.outputs.force != 'true' && inputs.source-fingerprint != '' }}
+        shell: bash
+        env:
+          APK_TARGET: ${{ steps.determine-target-paths.outputs.apk-target-path }}
+          TEST_APK_TARGET: ${{ steps.determine-target-paths.outputs.test-apk-target-path }}
+          ARTIFACT_NAME: ${{ steps.determine-target-paths.outputs.artifact_name }}
+          FINGERPRINT: ${{ inputs.source-fingerprint }}
+          CACHE_GENERATION: ${{ env.CACHE_GENERATION }}
+          GRADLE_FILES_HASH: ${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+          REF_NAME: ${{ github.ref_name }}
+          BUILD_TYPE: ${{ inputs.build_type }}
+        run: |
+          MARKER="${GRADLE_USER_HOME}/apk-cache/.e2e-apk-cache-marker"
+          APK_CACHED="${GRADLE_USER_HOME}/apk-cache/${ARTIFACT_NAME}.apk"
+          TEST_APK_CACHED="${GRADLE_USER_HOME}/apk-cache/${ARTIFACT_NAME}-androidTest.apk"
+          EXPECTED="${REF_NAME}"$'\n'"${BUILD_TYPE}"$'\n'"${CACHE_GENERATION}"$'\n'"${FINGERPRINT}"$'\n'"${GRADLE_FILES_HASH}"
+          echo "--- Debug: APK cache marker diagnostics ---"
+          echo "MARKER=$MARKER"
+          echo "APK_CACHED=$APK_CACHED"
+          echo "TEST_APK_CACHED=$TEST_APK_CACHED"
+          echo "marker exists: $([[ -f "${MARKER}" ]] && echo yes || echo NO)"
+          echo "apk exists: $([[ -f "${APK_CACHED}" ]] && echo yes || echo NO)"
+          echo "test-apk exists: $([[ -f "${TEST_APK_CACHED}" ]] && echo yes || echo NO)"
+          ls -la "${GRADLE_USER_HOME}/apk-cache/" 2>&1 || echo "apk-cache dir not found"
+          if [[ -f "${MARKER}" ]]; then
+            echo "--- marker contents ---"
+            cat "${MARKER}"
+            echo "--- expected ---"
+            echo "${EXPECTED}"
+            echo "--- match: $([[ "$(<"${MARKER}")" == "${EXPECTED}" ]] && echo YES || echo NO) ---"
+          fi
+          if [[ -f "${MARKER}" ]] && [[ -f "${APK_CACHED}" ]] && [[ -f "${TEST_APK_CACHED}" ]] && [[ "$(<"${MARKER}")" == "${EXPECTED}" ]]; then
+            echo "cache-hit=true" >> "${GITHUB_OUTPUT}"
+            echo "Namespace APK cache hit — restoring APKs to build output dirs."
+            mkdir -p "${APK_TARGET}" "${TEST_APK_TARGET}"
+            cp "${APK_CACHED}" "${APK_TARGET}/"
+            cp "${TEST_APK_CACHED}" "${TEST_APK_TARGET}/"
+          else
+            echo "cache-hit=false" >> "${GITHUB_OUTPUT}"
+            echo "Namespace APK cache miss — full build required."
+          fi
+
       - name: Find reusable build from prior run
         id: find-reusable-build
         if: ${{ inputs.runner_provider != 'namespace' && steps.force-builds.outputs.force != 'true' && inputs.source-fingerprint != '' }}
@@ -167,7 +227,10 @@ jobs:
       - name: Compute native-build gate
         id: gate
         run: |
-          if [[ "${{ steps.find-reusable-build.outputs.found }}" == "true" \
+          if [[ "${{ steps.namespace-apk-cache.outputs.cache-hit }}" == "true" ]]; then
+            echo "needs-native-build=false" >> "$GITHUB_OUTPUT"
+            echo "Namespace APK cache hit; heavy Android setup + Gradle restore will be skipped."
+          elif [[ "${{ steps.find-reusable-build.outputs.found }}" == "true" \
              && "${{ steps.download-reusable-apk.outcome }}" == "success" \
              && "${{ steps.download-reusable-test-apk.outcome }}" == "success" ]]; then
             echo "needs-native-build=false" >> "$GITHUB_OUTPUT"
@@ -315,6 +378,27 @@ jobs:
           MM_INFURA_PROJECT_ID: ${{ secrets.MM_INFURA_PROJECT_ID }}
           MM_PREDICT_GTM_MODAL_ENABLED: 'false'
 
+      - name: Record Namespace E2E APK cache marker
+        if: ${{ inputs.runner_provider == 'namespace' && steps.gate.outputs.needs-native-build == 'true' && inputs.source-fingerprint != '' }}
+        shell: bash
+        env:
+          APK_SOURCE: ${{ steps.determine-target-paths.outputs.apk-target-path }}/${{ steps.determine-target-paths.outputs.artifact_name }}.apk
+          TEST_APK_SOURCE: ${{ steps.determine-target-paths.outputs.test-apk-target-path }}/${{ steps.determine-target-paths.outputs.artifact_name }}-androidTest.apk
+          ARTIFACT_NAME: ${{ steps.determine-target-paths.outputs.artifact_name }}
+          FINGERPRINT: ${{ inputs.source-fingerprint }}
+          CACHE_GENERATION: ${{ env.CACHE_GENERATION }}
+          GRADLE_FILES_HASH: ${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+          REF_NAME: ${{ github.ref_name }}
+          BUILD_TYPE: ${{ inputs.build_type }}
+        run: |
+          CACHE_DIR="${GRADLE_USER_HOME}/apk-cache"
+          mkdir -p "${CACHE_DIR}"
+          cp "${APK_SOURCE}" "${CACHE_DIR}/${ARTIFACT_NAME}.apk"
+          cp "${TEST_APK_SOURCE}" "${CACHE_DIR}/${ARTIFACT_NAME}-androidTest.apk"
+          EXPECTED="${REF_NAME}"$'\n'"${BUILD_TYPE}"$'\n'"${CACHE_GENERATION}"$'\n'"${FINGERPRINT}"$'\n'"${GRADLE_FILES_HASH}"
+          printf '%s\n' "${EXPECTED}" > "${CACHE_DIR}/.e2e-apk-cache-marker"
+          echo "Namespace APK cache marker + APKs written to ${CACHE_DIR}."
+
       - name: Repack APK with JS updates using @expo/repack-app
         if: ${{ steps.gate.outputs.needs-native-build != 'true' }}
         run: |
diff --git a/.github/workflows/build-ios-e2e.yml b/.github/workflows/build-ios-e2e.yml
@@ -78,6 +78,18 @@ jobs:
       - name: Checkout repo
         uses: actions/checkout@v6
 
+      - name: Configure Namespace cache
+        if: ${{ inputs.runner_provider == 'namespace' }}
+        uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1
+        with:
+          cache: |
+            cocoapods
+            xcode
+          path: |
+            ~/.cache/yarn
+            .metamask
+            .yarn/cache
+
       - name: Check force-builds override
         id: force-builds
         uses: ./.github/actions/check-force-builds
@@ -145,7 +157,7 @@ jobs:
 
       - name: Restore Xcode derived data from branch cache
         id: xcode-restore-cache
-        if: ${{ steps.gate.outputs.needs-native-build == 'true' && inputs.runner_provider != 'namespace' }}
+        if: ${{ inputs.runner_provider != 'namespace' && steps.gate.outputs.needs-native-build == 'true' }}
         # This action automatically updates the cache at the end of the workflow
         uses: cirruslabs/cache@bba69c6578b863ad0398ad40567bd2ef70290fe0 # v4
         with:
@@ -155,9 +167,8 @@ jobs:
           key: ${{ runner.os }}-xcode-${{ github.ref_name }}-${{ env.XCODE_CACHE_VERSION }}-${{ hashFiles('ios/**/*.{h,m,mm,swift}', 'ios/**/Podfile.lock', 'yarn.lock') }}
 
       - name: Restore Xcode derived data from main cache
-        if: ${{ steps.gate.outputs.needs-native-build == 'true' && steps.xcode-restore-cache.outputs.cache-hit != 'true' && github.ref_name != 'main' && inputs.runner_provider != 'namespace' }}
+        if: ${{ inputs.runner_provider != 'namespace' && steps.gate.outputs.needs-native-build == 'true' && steps.xcode-restore-cache.outputs.cache-hit != 'true' && github.ref_name != 'main' }}
         id: xcode-restore-cache-main
-        # This will only restore the cache, not update it
         uses: cirruslabs/cache/restore@bba69c6578b863ad0398ad40567bd2ef70290fe0 # v4
         with:
           path: |
@@ -205,7 +216,7 @@ jobs:
         run: find ios -name "*.plist" -exec xattr -c {} \;
 
       - name: Restore .metamask folder
-        if: ${{ steps.gate.outputs.needs-native-build == 'true' }}
+        if: ${{ inputs.runner_provider != 'namespace' && steps.gate.outputs.needs-native-build == 'true' }}
         id: restore-metamask
         uses: actions/cache@v4
         with:
@@ -258,7 +269,7 @@ jobs:
           YARN_ENABLE_GLOBAL_CACHE: 'true'
 
       - name: Restore .metamask folder (reuse-hit path)
-        if: ${{ steps.gate.outputs.needs-native-build != 'true' }}
+        if: ${{ inputs.runner_provider != 'namespace' && steps.gate.outputs.needs-native-build != 'true' }}
         id: restore-metamask-lean
         uses: actions/cache@v4
         with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -571,7 +571,8 @@ jobs:
         run: mkdir -p tests/results
       # The "10" in this command is the total number of shards. It must be kept
       # in sync with the length of matrix.shard
-      - run: yarn test:unit --shard=${{ matrix.shard }}/10 --forceExit --silent --coverageReporters=json --json --outputFile=tests/results/unit-test-results-${{ matrix.shard }}.json
+      # Namespace Linux: cap Jest workers to reduce cgroup OOM SIGKILL without tuning heap.
+      - run: yarn test:unit --shard=${{ matrix.shard }}/10${{ inputs.runner_provider == 'namespace' && ' --maxWorkers=50%' || '' }} --forceExit --silent --coverageReporters=json --json --outputFile=tests/results/unit-test-results-${{ matrix.shard }}.json
         env:
           NODE_OPTIONS: ${{ inputs.runner_provider == 'namespace' && '--max_old_space_size=12288' || '--max_old_space_size=20480' }}
       - name: Rename coverage report and extract test count for this shard
diff --git a/.github/workflows/run-e2e-workflow.yml b/.github/workflows/run-e2e-workflow.yml
@@ -103,7 +103,36 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
 
+      - name: Configure Namespace cache (Android)
+        if: ${{ inputs.runner_provider == 'namespace' && inputs.platform == 'android' }}
+        uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1
+        with:
+          cache: |
+            gradle
+            maven
+          path: |
+            ~/.cache/yarn
+            .metamask
+            node_modules
+            .yarn/cache
+            /home/runner/_work/.gradle/caches
+            /home/runner/_work/.gradle/wrapper
+            /home/runner/_work/.gradle/apk-cache
+
+      - name: Configure Namespace cache (iOS)
+        if: ${{ inputs.runner_provider == 'namespace' && inputs.platform == 'ios' }}
+        uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1
+        with:
+          cache: |
+            cocoapods
+          path: |
+            ~/.cache/yarn
+            .metamask
+            .yarn/cache
+            ~/Library/Detox
+
       - name: Restore .metamask folder
+        if: ${{ inputs.runner_provider != 'namespace' }}
         uses: actions/cache@v4
         with:
           path: .metamask
