chore: add binary caching (#408)

agarvin-nr · web-flow · commit 892bc8a088c0 · 2025-10-09T09:56:25.000-07:00
diff --git a/.github/workflows/ci-base.yaml b/.github/workflows/ci-base.yaml
@@ -96,38 +96,8 @@ jobs:
         run: echo "✅ Source generation skipped - no source changes detected"
 
       - name: Verify source files exist
-        run: |
-          SOURCE_PATH="distributions/${{inputs.distribution}}/_build"
-          if [ ${{ inputs.fips }} = "true" ]; then
-            SOURCE_PATH="${SOURCE_PATH}-fips"
-          fi
-          if [ ! -d "$SOURCE_PATH" ]; then
-            echo "❌ $SOURCE_PATH not found!"
-            exit 1
-          fi
-          files=(
-            "build.log" "components.go" "go.mod" "go.sum"
-            "main_others.go" "main_windows.go" "main.go"
-          )
-          if [ ${{ inputs.fips }} = "true" ]; then
-            files+=("fips.go")
-          fi  
-          cd "$SOURCE_PATH"
-          missing_files=()
-          for file in "${files[@]}"; do
-            if [ ! -f "$file" ]; then
-              missing_files+=("$file")
-            else
-              echo "Found: $file"
-            fi
-          done
-          if [ ${#missing_files[@]} -eq 0 ]; then
-            echo "✅ All source files found!"
-          else
-            echo "❌ files not found: ${missing_files[*]}"
-            exit 1
-          fi
-
+        run: ./scripts/validate-source-files.sh -d ${{ inputs.distribution }} -f ${{ inputs.fips }}
+          
       - name: Login to Docker
         uses: docker/login-action@v3
         if: ${{ env.ACT }}
@@ -174,17 +144,42 @@ jobs:
         run: |
           if [ ${{ inputs.nightly }} = "true" ] && [ ${{ inputs.fips }} = "true" ]; then
             echo "goreleaser_args=--snapshot --clean --skip=publish,validate --timeout 2h --config .goreleaser-nightly-fips.yaml" >> $GITHUB_ENV
+            echo "goreleaser_file=.goreleaser-nightly-fips.yaml" >> $GITHUB_ENV
           elif [ ${{ inputs.nightly }} = "true" ]; then
             echo "goreleaser_args=--snapshot --clean --skip=publish,validate --timeout 2h --config .goreleaser-nightly.yaml" >> $GITHUB_ENV
+            echo "goreleaser_file=.goreleaser-nightly.yaml" >> $GITHUB_ENV
           elif [ ${{ inputs.fips }} = "true" ]; then
             echo "goreleaser_args=--snapshot --clean --skip=publish,validate --timeout 2h --config .goreleaser-fips.yaml" >> $GITHUB_ENV
+            echo "goreleaser_file=.goreleaser-fips.yaml" >> $GITHUB_ENV
           elif [ ${{github.event.pull_request.user.login == 'dependabot[bot]' }} ]; then
             echo "goreleaser_args=--snapshot --clean --skip=publish,validate,sign --timeout 2h" >> $GITHUB_ENV
+            echo "goreleaser_file=.goreleaser.yaml" >> $GITHUB_ENV
           else
             echo "goreleaser_args=--snapshot --clean --skip=publish,validate --timeout 2h" >> $GITHUB_ENV
+            echo "goreleaser_file=.goreleaser.yaml" >> $GITHUB_ENV
           fi
 
+      - name: Generate binary cache key
+        id: generate_binary_key
+        run: |
+          BINARY_HASH="${{ hashFiles(
+            format('distributions/{0}/.goreleaser*.yaml', inputs.distribution),
+            format('distributions/{0}/_build*/*', inputs.distribution)
+          ) }}"
+          ARGS_HASH=$(echo "${{ env.goreleaser_args }}" | sha256sum | cut -d' ' -f1)
+          echo binary_key=goreleaser-build-${{ inputs.distribution }}-${ARGS_HASH}-${BINARY_HASH} >> $GITHUB_OUTPUT
+
+      - name: Cache goreleaser build
+        id: cache-goreleaser
+        if: ${{ env.caching_enabled }}
+        uses: actions/cache@v4
+        with:
+          path: |
+            distributions/${{ inputs.distribution }}/dist
+          key: ${{ steps.generate_binary_key.outputs.binary_key }}
+
       - name: Build binaries & packages with GoReleaser
+        if: steps.cache-goreleaser.outputs.cache-hit != 'true'
         id: goreleaser
         uses: goreleaser/goreleaser-action@v6
         env:
@@ -197,10 +192,24 @@ jobs:
           version: '2.11.2'
           args: ${{ env.goreleaser_args }}
           workdir: distributions/${{ inputs.distribution }}
+      
+      - name: Skip GoReleaser build (cached)
+        if: steps.cache-goreleaser.outputs.cache-hit == 'true'
+        run: echo "✅ GoReleaser build skipped - using cached binaries"
 
+      - name: Validate GoReleaser build
+        run: ./scripts/validate-goreleaser-build.sh -d ${{ inputs.distribution }}
+          
       - name: Extract relevant metadata
         run: |
-          VERSION=$(echo '${{ steps.goreleaser.outputs.metadata }}' | jq -r '.version')
+          if [ "${{ steps.cache-goreleaser.outputs.cache-hit }}" = "true" ]; then
+            VERSION=$(jq -r '.version' distributions/${{ inputs.distribution }}/dist/metadata.json)
+            echo "Using cached version: $VERSION"
+          else
+            # Extract from fresh GoReleaser build
+            VERSION=$(echo '${{ steps.goreleaser.outputs.metadata }}' | jq -r '.version')
+            echo "Using fresh build version: $VERSION"
+          fi
           ARCH=$(echo '${{ runner.arch }}' | sed 's/X/amd/g')
           ARCH=${ARCH@L}
           echo "version=$VERSION" >> $GITHUB_ENV
@@ -215,6 +224,45 @@ jobs:
             echo "image_tag=$VERSION-$ARCH" >> $GITHUB_ENV
           fi
 
+      - name: Copy GoReleaser binary to Docker context
+        id: copy-binary
+        if: steps.cache-goreleaser.outputs.cache-hit == 'true'
+        run: |
+          cd distributions/${{ inputs.distribution }}
+          BINARY_PATH="$(find dist -name "${{ inputs.distribution }}*_linux_${{ env.arch }}*" -type d)/${{ inputs.distribution }}"
+          if [ ${{ inputs.fips }} = "true" ]; then
+            BINARY_PATH+="-fips"
+          fi
+          if [ ! -f "$BINARY_PATH" ]; then
+            echo "❌ Error: Binary not found at $BINARY_PATH"
+            find dist -name "*${{ inputs.distribution }}*" -type f
+            exit 1
+          fi
+          # move dockerfile dependencies to .tmp for easy cleanup when running in Act
+          BINARY_TMP="${{ runner.temp }}/docker/${{ inputs.distribution }}"
+          if [ ${{ inputs.fips }} = "true" ]; then
+            BINARY_TMP+="-fips"
+          fi
+          mkdir -p ${BINARY_TMP}
+          cp "$BINARY_PATH" "${BINARY_TMP}/${{ inputs.distribution }}"
+          cp Dockerfile ${BINARY_TMP}
+          for file in $(yq ".dockers[] | select(.goarch == \"${{ env.arch }}\") | .extra_files[]" ${{ env.goreleaser_file }}); do
+            cp "${file}" ${BINARY_TMP}
+          done
+          echo "✅ Binary copied: $(ls -la ${BINARY_TMP})"
+          echo "binary_tmp=${BINARY_TMP}" >> $GITHUB_OUTPUT
+
+      - name: Build and load Docker image
+        uses: docker/build-push-action@v5
+        if: steps.cache-goreleaser.outputs.cache-hit == 'true'
+        with:
+          context: ${{ steps.copy-binary.outputs.binary_tmp }}
+          platforms: linux/${{ env.arch }}
+          push: false
+          load: true
+          tags: |
+            ${{ secrets.registry }}/${{ inputs.distribution }}:${{ env.image_tag }}
+
       - name: Validate Usage of BoringCrypto
         if: inputs.fips
         run: |
diff --git a/scripts/validate-goreleaser-build.sh b/scripts/validate-goreleaser-build.sh
@@ -0,0 +1,97 @@
+#!/bin/bash
+# Script to validate a goreleaser distribution's dist file
+set -e
+
+while getopts d: flag
+do
+    case "${flag}" in
+        d) distro=${OPTARG};;
+        *) exit 1;;
+    esac
+done
+
+if [ -z ${distro} ]; then
+    echo "Distribution not provided. Please provide a distribution with -d."
+    exit 1
+fi
+
+cd "distributions/${distro}"
+if [ ! -d "dist" ]; then
+    echo "❌ dist directory not found!"
+    exit 1
+fi
+
+echo "📋 Verifying metadata files exist..."
+files=("dist/artifacts.json" "dist/metadata.json")
+missing_files=()
+for file in "${files[@]}"; do
+    if [ ! -f "$file" ]; then
+        missing_files+=("$file")
+    else
+        echo "Found: $file"
+    fi
+done
+if [ ${#missing_files[@]} -ne 0 ]; then
+    echo "❌ files not found: ${missing_files[*]}"
+    exit 1
+else
+    echo "✅ All common build files found!"
+fi
+
+echo "📋 Verifying Binaries exist..."
+binaries=$( jq -r '.[] | select(.type == "Binary") | .path' dist/artifacts.json )
+if [ -z "${binaries}" ]; then
+    echo "❌ No binaries found in artifacts.json"
+    exit 1
+else
+    for binary in $binaries; do
+        if [ ! -f "${binary}" ]; then
+            echo "❌ ${binary} not found!"
+            exit 1
+        else
+            echo "Found: ${binary}"
+        fi
+    done
+fi
+echo "✅ All binaries found!"
+
+echo "📋 Validating Archives and Packages..."
+artifacts=$( jq -r '.[] | select(.type == "Archive" or .type == "Linux Package") | .path' dist/artifacts.json )
+if [ -z "${artifacts}" ]; then
+    echo "⚠️ No archives or packages found in artifacts.json"
+else
+    for artifact in $artifacts; do
+        echo "Validating ${artifact}"
+        # Verify the artifact file exists
+        if [ ! -f "${artifact}" ]; then
+            echo "❌ ${artifact} not found!"
+            exit 1
+        else
+            echo "  Found artifact: ${artifact}"
+        fi
+        # Search for the corresponding checksum file and verify it exists
+        sum_file=$( jq -r ".[] | select(.type == \"Checksum\" and .extra.ChecksumOf == \"${artifact}\") | .path" dist/artifacts.json )
+        if [ -z "${sum_file}" ]; then
+            echo "❌ Checksum not defined for ${artifact} in artifacts.json"
+            exit 1
+        fi
+        if [ ! -f "${sum_file}" ]; then
+            echo "❌ ${sum_file} not found!"
+            exit 1
+        else
+            echo "  Found checksum: ${sum_file}"
+        fi
+        # Compare checksums to ensure file integrity
+        artifact_sum=$(sha256sum ${artifact} | cut -d' ' -f1)
+        expected_sum=$(cat ${sum_file})
+        if [ "${artifact_sum}" != "${expected_sum}" ]; then
+            echo "❌ Checksums do not match!"
+            echo "Checksum: ${artifact_sum}"
+            echo "Expected: ${expected_sum}"
+            exit 1
+        else
+            echo "  Checksum validated"
+        fi
+    done
+    echo "✅ Archives and Packages validated!"
+fi
diff --git a/scripts/validate-source-files.sh b/scripts/validate-source-files.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+# Simple script to validate whether a distribution's OCB-generated source files exist.
+set -e
+
+# default values
+fips=false
+
+while getopts d:f: flag
+do
+    case "${flag}" in
+        d) distro=${OPTARG};;
+        f) fips=${OPTARG};;
+        *) exit 1;;
+    esac
+done
+
+if [ -z ${distro} ]; then
+    echo "Distribution not provided. Please provide a distribution with -d."
+    exit 1
+fi
+
+path="distributions/${distro}/_build"
+if [ ${fips} = true ]; then
+    path="${path}-fips"
+fi
+if [ ! -d "$path" ]; then
+    echo "❌ $path not found!"
+    exit 1
+fi
+cd "$path"
+
+files=(
+    "build.log" "components.go" "go.mod" "go.sum"
+    "main_others.go" "main_windows.go" "main.go"
+)
+if [ ${fips} = true ]; then
+    files+=("fips.go")
+fi
+missing_files=()
+
+for file in "${files[@]}"; do
+    if [ ! -f "$file" ]; then
+        missing_files+=("$file")
+    else
+        echo "Found: $file"
+    fi
+done
+
+if [ ${#missing_files[@]} -eq 0 ]; then
+    echo "✅ All source files found!"
+else
+    echo "❌ files not found: ${missing_files[*]}"
+    exit 1
+fi
