ci: cache tool binaries to improve CI speed and reliability (#186)

* ci: cache tool binaries to improve CI speed and reliability

Add two reusable composite actions for tool caching:
- install-go-tool: caches Go tool binaries compiled via go install
- install-binary-tool: caches pre-built binaries downloaded via curl

Apply caching to all CI tool installations across workflows:
- Go tools: golangci-lint, gotestsum, govulncheck, benchstat, controller-gen,
  helm-docs, setup-envtest, ko (previously recompiled from source every run)
- Binary tools: gitleaks, k3d, helm-unittest (previously re-downloaded every run)
- FOSSA CLI: replaced fossas/fossa-action with cached direct download, pinned
  to v3.17.10 (fixes transient CDN failures like the one in PR #184)
- pip packages: use actions/setup-python for yamllint and mkdocs-material

Each tool gets its own cache entry keyed by name, OS, arch, and version.
Version bumps automatically invalidate only the affected tool's cache.

Closes #185

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

* fix: create helm plugins directory before symlinking helm-unittest

The Link helm-unittest plugin step failed because the parent directory
$(helm env HELM_PLUGINS) did not exist on a fresh runner. Add mkdir -p
to ensure the directory tree exists before ln -s.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

---------

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

Author: SebTardif

.github/actions/install-binary-tool/action.yaml

@@ -0,0 +1,39 @@
+name: Install Binary Tool (cached)
+description: |
+  Download a pre-built binary and cache it across runs.
+  On cache hit the binary is restored without re-downloading.
+  On cache miss the install-command runs and the result is saved.
+
+inputs:
+  name:
+    description: Tool name used as cache key prefix (e.g. gitleaks, k3d)
+    required: true
+  version:
+    description: Version string for the cache key (e.g. 8.30.1)
+    required: true
+  install-command:
+    description: Shell command that installs the binary into $TOOL_DIR
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Restore ${{ inputs.name }} from cache
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      id: tool-cache
+      with:
+        path: ${{ runner.temp }}/bin-tool-cache/${{ inputs.name }}
+        key: bin-tool-${{ inputs.name }}-${{ runner.os }}-${{ runner.arch }}-${{ inputs.version }}
+
+    - name: Install ${{ inputs.name }}
+      if: steps.tool-cache.outputs.cache-hit != 'true'
+      shell: bash -Eeuo pipefail {0}
+      env:
+        TOOL_DIR: ${{ runner.temp }}/bin-tool-cache/${{ inputs.name }}
+      run: |
+        mkdir -p "$TOOL_DIR"
+        ${{ inputs.install-command }}
+
+    - name: Add ${{ inputs.name }} to PATH
+      shell: bash -Eeuo pipefail {0}
+      run: echo "${RUNNER_TEMP}/bin-tool-cache/${{ inputs.name }}" >> "$GITHUB_PATH"

.github/actions/install-go-tool/action.yaml

@@ -0,0 +1,38 @@
+name: Install Go Tool (cached)
+description: |
+  Install a Go tool binary and cache it across runs.
+  On cache hit the binary is restored from cache without recompilation.
+  On cache miss the tool is compiled via 'go install' and saved for future runs.
+
+inputs:
+  name:
+    description: Binary name produced by go install (e.g. gotestsum, govulncheck)
+    required: true
+  version:
+    description: Version tag (e.g. v1.13.0)
+    required: true
+  package:
+    description: Go module path (e.g. gotest.tools/gotestsum)
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Restore ${{ inputs.name }} from cache
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      id: tool-cache
+      with:
+        path: ${{ runner.temp }}/go-tool-cache/${{ inputs.name }}
+        key: go-tool-${{ inputs.name }}-${{ runner.os }}-${{ runner.arch }}-${{ inputs.version }}
+
+    - name: Install ${{ inputs.name }}
+      if: steps.tool-cache.outputs.cache-hit != 'true'
+      shell: bash -Eeuo pipefail {0}
+      run: |
+        tool_dir="${RUNNER_TEMP}/go-tool-cache/${{ inputs.name }}"
+        mkdir -p "$tool_dir"
+        GOBIN="$tool_dir" go install "${{ inputs.package }}@${{ inputs.version }}"
+
+    - name: Add ${{ inputs.name }} to PATH
+      shell: bash -Eeuo pipefail {0}
+      run: echo "${RUNNER_TEMP}/go-tool-cache/${{ inputs.name }}" >> "$GITHUB_PATH"

.github/actions/setup-e2e-cluster/action.yaml

@@ -61,15 +61,12 @@ runs:
           /tmp/stress-ng.tar
         key: e2e-images-${{ runner.os }}-cm${{ inputs.cert-manager-version }}-prom${{ inputs.prometheus-chart-version }}-stress0.20.01
 
-    - name: Install k3d
-      shell: bash -Eeuo pipefail -x {0}
-      run: |
-        mkdir -p "$HOME/.local/bin"
-        if command -v k3d &>/dev/null; then
-          echo "k3d already installed: $(k3d version)"
-        else
-          curl -s https://raw.githubusercontent.com/k3d-io/k3d/${{ inputs.k3d-version }}/install.sh | K3D_INSTALL_DIR="$HOME/.local/bin" USE_SUDO=false bash
-        fi
+    - uses: ./.github/actions/install-binary-tool
+      with:
+        name: k3d
+        version: ${{ inputs.k3d-version }}
+        install-command: |
+          curl -s https://raw.githubusercontent.com/k3d-io/k3d/${{ inputs.k3d-version }}/install.sh | K3D_INSTALL_DIR="$TOOL_DIR" USE_SUDO=false bash
 
     - name: Prepare isolated kubeconfig
       shell: bash -Eeuo pipefail -x {0}
@@ -78,7 +75,6 @@ runs:
     - name: Cleanup stale k3d clusters and Docker resources
       shell: bash -Eeuo pipefail -x {0}
       run: |
-        export PATH="$HOME/.local/bin:$PATH"
         for cluster in $(k3d cluster list -o json 2>/dev/null | jq -r '.[].name // empty'); do
           started=$(docker inspect --format '{{.State.StartedAt}}' "k3d-${cluster}-server-0" 2>/dev/null) || continue
           started_epoch=$(date -d "$started" +%s 2>/dev/null) || continue
@@ -109,7 +105,6 @@ runs:
     - name: Create k3d cluster
       shell: bash -Eeuo pipefail -x {0}
       run: |
-        export PATH="$HOME/.local/bin:$PATH"
         for attempt in 1 2 3; do
           if k3d cluster create "${{ inputs.cluster-name }}" \
             --image ${{ inputs.k3s-image }} \
@@ -137,7 +132,6 @@ runs:
     - name: Load cert-manager images into cluster
       shell: bash -Eeuo pipefail -x {0}
       run: |
-        export PATH="$HOME/.local/bin:$PATH"
         k3d image import \
           /tmp/cert-manager-controller.tar \
           /tmp/cert-manager-webhook.tar \
@@ -155,7 +149,6 @@ runs:
     - name: Load Prometheus and test images into cluster
       shell: bash -Eeuo pipefail -x {0}
       run: |
-        export PATH="$HOME/.local/bin:$PATH"
         k3d image import /tmp/prometheus.tar /tmp/stress-ng.tar -c "${{ inputs.cluster-name }}"
 
     - name: Install Prometheus
@@ -192,11 +185,15 @@ runs:
           sleep 5
         done
 
+    - uses: ./.github/actions/install-go-tool
+      with:
+        name: ko
+        version: v0.18.0
+        package: github.com/google/ko
+
     - name: Build and load operator image
       shell: bash -Eeuo pipefail -x {0}
       run: |
-        export PATH="$HOME/.local/bin:$PATH"
-        go install github.com/google/ko@v0.18.0
         VERSION=e2e COMMIT=$(git rev-parse --short HEAD) DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ) \
           KO_DOCKER_REPO=attune ko build ./cmd/manager/ \
           --bare --tags=e2e --platform=linux/$(go env GOARCH) \

.github/workflows/ci.yaml

@@ -25,6 +25,7 @@ env:
   K3S_IMAGE: "rancher/k3s:v1.35.4-k3s1"
   ENVTEST_K8S_VERSION: "1.35.0"
   HELM_UNITTEST_VERSION: "v0.7.2"
+  BENCHSTAT_VERSION: "v0.0.0-20260512194132-3cf34090a3db"
   CERT_MANAGER_VERSION: "v1.17.2"
   PROMETHEUS_IMAGE: "quay.io/prometheus/prometheus:v3.4.1"
   PROMETHEUS_CHART_VERSION: "27.22.0"
@@ -104,17 +105,15 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           cache: true
 
+      - uses: ./.github/actions/install-go-tool
+        with:
+          name: golangci-lint
+          version: ${{ env.GOLANGCI_LINT_VERSION }}
+          package: github.com/golangci/golangci-lint/v2/cmd/golangci-lint
+
       - name: golangci-lint
         shell: bash -Eeuo pipefail {0}
-        run: |
-          lint_root=$(mktemp -d "${RUNNER_TEMP:-/tmp}/golangci-lint-${GITHUB_RUN_ID:-local}-${GITHUB_JOB:-lint}-XXXXXX")
-          trap 'rm -rf "$lint_root"' EXIT
-          lint_bindir="$lint_root/bin"
-          lint_cachedir="$lint_root/cache"
-          mkdir -p "$lint_bindir" "$lint_cachedir"
-          GOBIN="$lint_bindir" make golangci-lint LOCALBIN="$lint_bindir"
-          GOLANGCI_LINT_CACHE="$lint_cachedir" \
-            "$lint_bindir/golangci-lint-${{ env.GOLANGCI_LINT_VERSION }}" run --timeout 5m --allow-serial-runners
+        run: golangci-lint run --timeout 5m --allow-serial-runners
 
       - name: Check go mod tidy
         shell: bash -Eeuo pipefail {0}
@@ -165,11 +164,14 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           cache: true
 
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: "3.x"
+          cache: pip
+
       - name: Install MkDocs
         shell: bash -Eeuo pipefail {0}
-        run: |
-          python3 -m pip install --user --break-system-packages mkdocs-material==9.7.6
-          echo "$(python3 -m site --user-base)/bin" >> "$GITHUB_PATH"
+        run: pip install mkdocs-material==9.7.6
 
       - name: Build docs site
         shell: bash -Eeuo pipefail {0}
@@ -219,13 +221,17 @@ jobs:
           egress-policy: audit
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: "3.x"
+
+      - name: Install yamllint
+        shell: bash -Eeuo pipefail {0}
+        run: pip install yamllint
+
       - name: YAML lint
         shell: bash -Eeuo pipefail {0}
         run: |
-          if ! command -v yamllint &>/dev/null; then
-            python3 -m pip install --user --break-system-packages yamllint 2>/dev/null
-            export PATH="$(python3 -m site --user-base)/bin:$PATH"
-          fi
           yamllint_config="${RUNNER_TEMP:-/tmp}/yamllint-${GITHUB_RUN_ID}-${GITHUB_JOB}.yaml"
           cat > "$yamllint_config" <<'EOF'
           extends: default
@@ -277,13 +283,11 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           cache: true
 
-      - name: Install gotestsum
-        shell: bash -Eeuo pipefail {0}
-        run: |
-          export GOBIN="${RUNNER_TEMP}/gobin-${GITHUB_RUN_ID}-${GITHUB_JOB}"
-          mkdir -p "$GOBIN"
-          go install gotest.tools/gotestsum@${{ env.GOTESTSUM_VERSION }}
-          echo "${GOBIN}" >> "$GITHUB_PATH"
+      - uses: ./.github/actions/install-go-tool
+        with:
+          name: gotestsum
+          version: ${{ env.GOTESTSUM_VERSION }}
+          package: gotest.tools/gotestsum
 
       - name: Run unit tests
         shell: bash -Eeuo pipefail -x {0}
@@ -365,9 +369,11 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           cache: true
 
-      - name: Install benchstat
-        shell: bash -Eeuo pipefail {0}
-        run: go install golang.org/x/perf/cmd/benchstat@latest
+      - uses: ./.github/actions/install-go-tool
+        with:
+          name: benchstat
+          version: v0.0.0-20260512194132-3cf34090a3db
+          package: golang.org/x/perf/cmd/benchstat
 
       - name: Restore baseline benchmarks
         uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@@ -428,22 +434,21 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           cache: true
 
-      - name: Install gotestsum
-        shell: bash -Eeuo pipefail {0}
-        run: |
-          export GOBIN="${RUNNER_TEMP}/gobin-${GITHUB_RUN_ID}-${GITHUB_JOB}"
-          mkdir -p "$GOBIN"
-          go install gotest.tools/gotestsum@${{ env.GOTESTSUM_VERSION }}
-          echo "${GOBIN}" >> "$GITHUB_PATH"
+      - uses: ./.github/actions/install-go-tool
+        with:
+          name: gotestsum
+          version: ${{ env.GOTESTSUM_VERSION }}
+          package: gotest.tools/gotestsum
+
+      - uses: ./.github/actions/install-go-tool
+        with:
+          name: setup-envtest
+          version: v0.24.1
+          package: sigs.k8s.io/controller-runtime/tools/setup-envtest
 
-      - name: Setup envtest
+      - name: Setup envtest assets
         shell: bash -Eeuo pipefail -x {0}
-        run: |
-          export GOBIN="${RUNNER_TEMP}/gobin-${GITHUB_RUN_ID}-${GITHUB_JOB}"
-          mkdir -p "$GOBIN"
-          go install sigs.k8s.io/controller-runtime/tools/setup-envtest@release-0.24
-          echo "${GOBIN}" >> "$GITHUB_PATH"
-          echo "KUBEBUILDER_ASSETS=$(setup-envtest use ${{ env.ENVTEST_K8S_VERSION }} -p path)" >> "$GITHUB_ENV"
+        run: echo "KUBEBUILDER_ASSETS=$(setup-envtest use ${{ env.ENVTEST_K8S_VERSION }} -p path)" >> "$GITHUB_ENV"
 
       - name: Run integration tests
         shell: bash -Eeuo pipefail -x {0}
@@ -543,7 +548,6 @@ jobs:
         if: always()
         shell: bash -Eeuo pipefail {0}
         run: |
-          export PATH="$HOME/.local/bin:$PATH"
           k3d cluster delete "$K3D_CLUSTER_NAME" 2>/dev/null || true
           rm -f "$KUBECONFIG"
 
@@ -564,11 +568,15 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           cache: true
 
+      - uses: ./.github/actions/install-go-tool
+        with:
+          name: govulncheck
+          version: v1.3.0
+          package: golang.org/x/vuln/cmd/govulncheck
+
       - name: Run govulncheck
         shell: bash -Eeuo pipefail -x {0}
-        run: |
-          go install golang.org/x/vuln/cmd/govulncheck@v1.3.0
-          govulncheck ./...
+        run: govulncheck ./...
 
   crd-freshness:
     name: CRD Freshness Check
@@ -629,40 +637,54 @@ jobs:
               --api-versions cert-manager.io/v1 > /dev/null
           done
 
-      - name: Run chart unit tests
-        shell: bash -Eeuo pipefail -x {0}
+      - uses: ./.github/actions/install-binary-tool
+        with:
+          name: helm-unittest
+          version: ${{ env.HELM_UNITTEST_VERSION }}
+          install-command: |
+            # Remove stale helm-unittest plugins that conflict on self-hosted runners
+            rm -rf "$(helm env HELM_PLUGINS)/helm-unittest.git" 2>/dev/null || true
+            ASSET_VERSION="${{ env.HELM_UNITTEST_VERSION }}"
+            ASSET_VERSION="${ASSET_VERSION#v}"
+            case "$(uname -s)" in
+              Linux)  HU_OS=linux  ;;
+              Darwin) HU_OS=macos  ;;
+              *)      echo "unsupported OS: $(uname -s)" >&2; exit 1 ;;
+            esac
+            case "$(uname -m)" in
+              x86_64)       HU_ARCH=amd64 ;;
+              aarch64|arm64) HU_ARCH=arm64 ;;
+              *)            echo "unsupported arch: $(uname -m)" >&2; exit 1 ;;
+            esac
+            curl -fsSL "https://github.com/helm-unittest/helm-unittest/releases/download/${{ env.HELM_UNITTEST_VERSION }}/helm-unittest-${HU_OS}-${HU_ARCH}-${ASSET_VERSION}.tgz" \
+              | tar xz -C "$TOOL_DIR"
+
+      - name: Link helm-unittest plugin
+        shell: bash -Eeuo pipefail {0}
         run: |
-          # Remove stale helm-unittest plugins that conflict on self-hosted runners
-          rm -rf "$(helm env HELM_PLUGINS)/helm-unittest.git" 2>/dev/null || true
           PLUGINS_DIR="$(helm env HELM_PLUGINS)/unittest"
-          mkdir -p "$PLUGINS_DIR"
-          HELM_UNITTEST_ASSET_VERSION="${HELM_UNITTEST_VERSION#v}"
-          case "$(uname -s)" in
-            Linux)  HU_OS=linux  ;;
-            Darwin) HU_OS=macos  ;;
-            *)      echo "unsupported OS: $(uname -s)" >&2; exit 1 ;;
-          esac
-          case "$(uname -m)" in
-            x86_64)       HU_ARCH=amd64 ;;
-            aarch64|arm64) HU_ARCH=arm64 ;;
-            *)            echo "unsupported arch: $(uname -m)" >&2; exit 1 ;;
-          esac
-          curl -fsSL "https://github.com/helm-unittest/helm-unittest/releases/download/${HELM_UNITTEST_VERSION}/helm-unittest-${HU_OS}-${HU_ARCH}-${HELM_UNITTEST_ASSET_VERSION}.tgz" \
-            | tar xz -C "$PLUGINS_DIR"
-          helm unittest charts/attune
+          mkdir -p "$(dirname "$PLUGINS_DIR")"
+          rm -rf "$PLUGINS_DIR"
+          ln -s "${RUNNER_TEMP}/bin-tool-cache/helm-unittest" "$PLUGINS_DIR"
+
+      - name: Run chart unit tests
+        shell: bash -Eeuo pipefail -x {0}
+        run: helm unittest charts/attune
 
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: true
 
+      - uses: ./.github/actions/install-go-tool
+        with:
+          name: helm-docs
+          version: v1.14.2
+          package: github.com/norwoodj/helm-docs/cmd/helm-docs
+
       - name: Helm docs freshness
         shell: bash -Eeuo pipefail {0}
         run: |
-          export GOBIN="${RUNNER_TEMP}/gobin-${GITHUB_RUN_ID}-${GITHUB_JOB}"
-          mkdir -p "$GOBIN"
-          go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.14.2
-          export PATH="${GOBIN}:${PATH}"
           helm-docs --chart-search-root charts/
           if ! git diff --quiet --exit-code charts/attune/README.md; then
             echo "::error::Helm README is stale. Run 'make helm-docs-gen' and commit."