fix(update-index): remove cross-job artifact, commit-index re-downloads digests

castrojo · castrojo · commit 825418c6179d · 2026-03-12T20:43:41.000-04:00
The prepared-index artifact upload/download between prepare and commit-index
was hitting transient Azure blob storage failures (5-retry timeout). The
computed index is deterministic given the same digest inputs, so commit-index
can re-download the digest artifacts from the triggering build run directly
and rerun update-index.py without any cross-job artifact transfer.

prepare is now lightweight: only downloads digests to build the e2e matrix.

Assisted-by: Claude Sonnet 4.6 via OpenCode
diff --git a/.github/workflows/update-index.yml b/.github/workflows/update-index.yml
@@ -9,6 +9,9 @@ name: Sync Flatpak Remote Index
 #
 # The gh-pages index is only committed AFTER e2e-install passes.
 # This prevents the index from pointing at a broken image that cannot be installed.
+#
+# commit-index re-downloads the digest artifacts from the triggering build run
+# and reruns update-index.py — deterministic, no cross-job artifact needed.
 
 on:
   workflow_run:
@@ -19,10 +22,9 @@ on:
 permissions: {}
 
 jobs:
-  # ── Prepare: build updated index content and derive e2e matrix ────────────
-  # Downloads per-arch digest artifacts from the triggering build run,
-  # runs update-index.py against ghcr.io, and uploads the result as an artifact.
-  # Does NOT commit to gh-pages yet — that happens only after e2e-install passes.
+  # ── Prepare: derive e2e matrix from digest artifacts ─────────────────────
+  # Downloads per-arch digest artifacts from the triggering build run and
+  # builds the matrix for e2e-install. Does NOT touch gh-pages.
   prepare:
     if: >-
       github.event.workflow_run.conclusion == 'success' &&
@@ -31,22 +33,11 @@ jobs:
        github.event.workflow_run.event == 'workflow_dispatch')
     runs-on: ubuntu-24.04
     permissions:
-      contents: read
-      packages: read
       actions: read
     outputs:
       matrix: ${{ steps.matrix.outputs.matrix }}
       has_entries: ${{ steps.matrix.outputs.has_entries }}
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-        with:
-          path: main
-
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-        with:
-          ref: gh-pages
-          path: pages
-
       - name: Download all digest artifacts from triggering run
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
@@ -55,48 +46,6 @@ jobs:
           run-id: ${{ github.event.workflow_run.id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Login to ghcr.io for skopeo inspect
-        run: |
-          # update-index.py calls skopeo inspect against ghcr.io.
-          # Login required even for public packages to avoid rate limiting and
-          # to handle the window before the package is set public after first push.
-          echo "${{ secrets.GITHUB_TOKEN }}" | \
-            skopeo login ghcr.io -u "${{ github.repository_owner }}" --password-stdin
-
-      - name: Sync gh-pages before writing
-        run: |
-          cd pages
-          git fetch origin gh-pages && git rebase origin/gh-pages
-
-      - name: Update index for each app and arch
-        run: |
-          cd pages
-          shopt -s nullglob
-          for DIGEST_FILE in /tmp/digests/digest-*/digest.txt; do
-            # Extract app and arch from the artifact directory name: digest-<app>-<arch>
-            DIR=$(basename "$(dirname "${DIGEST_FILE}")")
-            # Strip leading "digest-" prefix, then split on the last "-" to get arch
-            REST="${DIR#digest-}"
-            ARCH="${REST##*-}"
-            APP="${REST%-${ARCH}}"
-            APP="${APP,,}"
-            DIGEST=$(cat "${DIGEST_FILE}")
-            echo "==> Updating index: ${APP} ${ARCH} ${DIGEST}"
-            python3 ../main/scripts/update-index.py \
-              --app "${APP}" \
-              --digest "${DIGEST}" \
-              --registry ghcr.io \
-              --repo "${{ github.repository }}/${APP}" \
-              --tags "latest"
-          done
-
-      - name: Upload prepared index as artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
-        with:
-          name: prepared-index-${{ github.run_id }}
-          path: pages/index/static
-          retention-days: 1
-
       - name: Build app+arch matrix from digest artifacts
         id: matrix
         run: |
@@ -163,7 +112,8 @@ jobs:
 
   # ── Commit index to gh-pages ──────────────────────────────────────────────
   # Only runs after e2e-install passes — the gate is enforced by needs: [e2e-install].
-  # Downloads the prepared index artifact from the prepare job and commits it.
+  # Re-downloads digest artifacts from the triggering build run and reruns
+  # update-index.py — deterministic, no cross-job artifact transfer needed.
   # Serialised via concurrency group to prevent races between concurrent builds.
   commit-index:
     needs: [prepare, e2e-install]
@@ -174,26 +124,62 @@ jobs:
     runs-on: ubuntu-24.04
     permissions:
       contents: write
+      packages: read
       actions: read
     concurrency:
       group: gh-pages-update
       cancel-in-progress: false
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
-          ref: gh-pages
+          path: main
 
-      - name: Sync gh-pages before writing
-        run: git fetch origin gh-pages && git rebase origin/gh-pages
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          ref: gh-pages
+          path: pages
 
-      - name: Download prepared index artifact
+      - name: Download all digest artifacts from triggering run
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
-          name: prepared-index-${{ github.run_id }}
-          path: index/static
+          pattern: digest-*
+          path: /tmp/digests
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to ghcr.io for skopeo inspect
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | \
+            skopeo login ghcr.io -u "${{ github.repository_owner }}" --password-stdin
+
+      - name: Sync gh-pages before writing
+        run: |
+          cd pages
+          git fetch origin gh-pages && git rebase origin/gh-pages
+
+      - name: Update index for each app and arch
+        run: |
+          cd pages
+          shopt -s nullglob
+          for DIGEST_FILE in /tmp/digests/digest-*/digest.txt; do
+            DIR=$(basename "$(dirname "${DIGEST_FILE}")")
+            REST="${DIR#digest-}"
+            ARCH="${REST##*-}"
+            APP="${REST%-${ARCH}}"
+            APP="${APP,,}"
+            DIGEST=$(cat "${DIGEST_FILE}")
+            echo "==> Updating index: ${APP} ${ARCH} ${DIGEST}"
+            python3 ../main/scripts/update-index.py \
+              --app "${APP}" \
+              --digest "${DIGEST}" \
+              --registry ghcr.io \
+              --repo "${{ github.repository }}/${APP}" \
+              --tags "latest"
+          done
 
       - name: Commit and push index
         run: |
+          cd pages
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
           git add index/static
