feature: bring back action runners

[rgrinberg]

Bring back action runners and use them in conjunction with bubble wrap to make it impossible to modify the shared cache.

I'm going to enable this through the makefile for folks on the dev team to get some beta testing. If all goes well, it should be available for 3.24.

@anmonteiro I've been told that sandbox-exec offers comparable functionality on macos. It would be good to have this as an alternative to bwrap.

Work Included

• Add --action-runner and the internal action-runner worker command.
• Add --sandbox-actions, which runs eligible actions through a bubblewrap-wrapped
  worker and protects the shared cache from worker writes.
• Extend process execution with a path-based runner hook, runner-safe metadata,
  output/capture handling, and parent-owned trace events.
• Add action eligibility plumbing (Allow_action_runner, can_run_in_action_runner,
  runs_process) for user actions, cram tests, pp/ppx, inline tests, and selected
  action extensions.
• Add RPC protocol/server support for runner ready/exec/cancel requests,
  per-generation lifecycle tracking, disconnect handling, and build-cancellation
  propagation.
• Add trace events and inherited trace-fd support for worker lifecycle and
  process events.
• Account for sandbox-actions in rule digests only for actions that spawn
  processes.
• Add black-box coverage for runner execution, failures, disconnects,
  cancellation, watch shutdown, tracing, and sandboxed actions.

[Alizter]

Suggested change

	| Some active when active.run_id = run_id && active.count > 1 ->
	active.count <- active.count - 1;
	Fiber.return ()
	| Some active when active.run_id = run_id && active.count = 1 ->
	| Some active when Run_id.equal active.run_id run_id && active.count > 1 ->
	active.count <- active.count - 1;
	Fiber.return ()
	| Some active when Run_id.equal active.run_id run_id && active.count = 1 ->

[Alizter]

What's the reason for storing this separately? Isn't it just Option.is_none path?

[Alizter]

Wondering if out.path and Owened / Borrowed should just be tied together.

Something like Owned of Path.t | Borrowed for both?

[Alizter]

I've noticed that quite a few sets of rules don't pass ~can_run_in_action_runner:true at the moment. What is the reason for excluding them here? Do you plan to include them eventually? I'd even suggest we make this argument non-optional in command.ml so that we can explicitly track it.

[Alizter]

Why remove this comment? Is it stale?

[Alizter]

Could you add a test demonstrating that --action-runner leaves the rule digest invariant.

[Alizter]

I'm going to enable this through the makefile for folks on the dev team to get some beta testing. If all goes well, it should be available for 3.24.

FYI this isn't currently done.

[Alizter]

I've had an initial look through the implementation, paying special attention to the changes to build_system and the trace and things look good. I've made some comments as I was passing through.

Needs a changes entry.

I'll do another pass tomorrow.

[rgrinberg]

What is the reason for excluding them here? Do you plan to include them eventually? I'd even suggest we make this argument non-optional in command.ml so that we can explicitly track it.

The goal is to sandbox all unsafe actions. For now, that includes preprocessors and user defined actions. I do not plan to use action runners for ocamldep, ocamlopt or anything else that is performance sensitive or is white listed.

[Alizter]

What is the reason for excluding them here? Do you plan to include them eventually? I'd even suggest we make this argument non-optional in command.ml so that we can explicitly track it.

The goal is to sandbox all unsafe actions. For now, that includes preprocessors and user defined actions. I do not plan to use action runners for ocamldep, ocamlopt or anything else that is performance sensitive or is white listed.

Could you document this intent in somewhere like command.mli or action_runner.mli since this was not apparent in my first read and would be important to mention.