BUILD-10699: Adds fallback-to-default-branch option for setting restore-keys #198
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test | |
| on: | |
| push: | |
| branches: [ master ] | |
| pull_request: | |
| workflow_dispatch: | |
| jobs: | |
| test-github-cache: | |
| runs-on: github-ubuntu-latest-s | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4 | |
| with: | |
| version: 2025.7.12 | |
| - name: Cache Python dependencies | |
| id: cache-python | |
| uses: ./ | |
| with: | |
| path: ~/.cache/pip | |
| key: python-${{ runner.os }}-pytest-requests | |
| restore-keys: python-${{ runner.os }}- | |
| backend: github | |
| - name: Check cache hit result | |
| run: | | |
| echo "Cache hit: ${{ steps.cache-python.outputs.cache-hit }}" | |
| if [ "${{ steps.cache-python.outputs.cache-hit }}" == "true" ]; then | |
| echo "✅ Cache was found and restored" | |
| else | |
| echo "❌ Cache was not found, will need to rebuild" | |
| fi | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install pytest requests | |
| - name: Run tests | |
| run: python -m pytest --version | |
| test-s3-cache: | |
| runs-on: github-ubuntu-latest-s | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4 | |
| with: | |
| version: 2025.7.12 | |
| - name: Cache Python dependencies | |
| id: cache-python | |
| uses: ./ | |
| with: | |
| path: ~/.cache/pip | |
| key: python-${{ runner.os }}-pytest-requests | |
| restore-keys: python-${{ runner.os }}- | |
| environment: dev | |
| backend: s3 | |
| - name: Check cache hit result | |
| run: | | |
| echo "Cache hit: ${{ steps.cache-python.outputs.cache-hit }}" | |
| if [ "${{ steps.cache-python.outputs.cache-hit }}" == "true" ]; then | |
| echo "✅ Cache was found and restored" | |
| else | |
| echo "❌ Cache was not found, will need to rebuild" | |
| fi | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install pytest requests | |
| - name: Run tests | |
| run: python -m pytest --version | |
| test-s3-cache-with-fallback: | |
| runs-on: github-ubuntu-latest-s | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4 | |
| with: | |
| version: 2025.7.12 | |
| - name: Cache Go modules with multiple restore keys | |
| id: cache-go | |
| uses: ./ | |
| with: | |
| path: | | |
| ~/go/pkg/mod | |
| ~/.cache/go-build | |
| key: go-${{ runner.os }}-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| go-${{ runner.os }}-${{ hashFiles('**/go.mod') }} | |
| go-${{ runner.os }}- | |
| fail-on-cache-miss: false | |
| fallback-branch: refs/heads/branch-2 | |
| environment: dev | |
| backend: s3 | |
| - name: Check Go cache hit result | |
| run: | | |
| echo "Go cache hit: ${{ steps.cache-go.outputs.cache-hit }}" | |
| if [ "${{ steps.cache-go.outputs.cache-hit }}" == "true" ]; then | |
| echo "✅ Go cache was found and restored" | |
| else | |
| echo "❌ Go cache was not found, will need to rebuild" | |
| fi | |
| - name: Create simple Go module | |
| run: | | |
| go mod init example | |
| echo 'package main | |
| import "fmt" | |
| func main() { | |
| fmt.Println("Hello, World!") | |
| }' > main.go | |
| - name: Download dependencies | |
| run: go mod download | |
| - name: Build | |
| run: go build -o hello main.go | |
| test-s3-cache-with-credential-interference: | |
| runs-on: github-ubuntu-latest-s | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4 | |
| with: | |
| version: 2025.7.12 | |
| # Step 1: Use our cache action (should restore and later save) | |
| - name: Cache with S3 | |
| id: cache-test | |
| uses: ./ | |
| with: | |
| path: ~/.cache/pip | |
| key: interference-test-${{ runner.os }}-${{ github.run_id }} | |
| restore-keys: interference-test-${{ runner.os }}- | |
| environment: dev | |
| backend: s3 | |
| # Step 2: Simulate user overwriting AWS credentials | |
| # This is the scenario that caused production failures | |
| - name: Overwrite AWS credentials (simulating user workflow) | |
| run: | | |
| echo "AWS_ACCESS_KEY_ID=FAKE_KEY_TO_OVERRIDE" >> "$GITHUB_ENV" | |
| echo "AWS_SECRET_ACCESS_KEY=FAKE_SECRET_TO_OVERRIDE" >> "$GITHUB_ENV" | |
| echo "AWS_SESSION_TOKEN=FAKE_TOKEN_TO_OVERRIDE" >> "$GITHUB_ENV" | |
| echo "Simulated credential override via GITHUB_ENV" | |
| # Step 3: Create something to cache | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install pytest requests | |
| # Post-step: credential-guard restores real creds, then runs-on/cache saves | |
| # If this job succeeds, the credential guard is working correctly | |
| # Reproduces: "Unable to parse config file C:\Users\runneradmin/.aws/config" | |
| # https://github.com/SonarSource/peachee-cfamily/actions/runs/21646222381/job/62398839588#step:26:263 | |
| test-s3-cache-windows: | |
| runs-on: github-windows-latest-s | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Cache with S3 on Windows | |
| id: cache-test | |
| uses: ./ | |
| with: | |
| path: ~\AppData\Local\pip\Cache | |
| key: windows-test-${{ runner.os }}-${{ github.run_id }} | |
| restore-keys: windows-test-${{ runner.os }}- | |
| environment: dev | |
| backend: s3 | |
| - name: Create something to cache | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install requests | |
| # Reproduces: ~/.aws/config corruption from multiple credential_process entries | |
| test-s3-cache-multiple-invocations: | |
| runs-on: github-ubuntu-latest-s | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4 | |
| with: | |
| version: 2025.7.12 | |
| # First cache invocation | |
| - name: Cache pip dependencies | |
| id: cache-pip | |
| uses: ./ | |
| with: | |
| path: ~/.cache/pip | |
| key: multi-pip-${{ runner.os }}-${{ github.run_id }} | |
| restore-keys: multi-pip-${{ runner.os }}- | |
| environment: dev | |
| backend: s3 | |
| # Second cache invocation in same job | |
| # Old approach would append duplicate profile to ~/.aws/config | |
| - name: Cache npm dependencies | |
| id: cache-npm | |
| uses: ./ | |
| with: | |
| path: ~/.npm | |
| key: multi-npm-${{ runner.os }}-${{ github.run_id }} | |
| restore-keys: multi-npm-${{ runner.os }}- | |
| environment: dev | |
| backend: s3 | |
| - name: Create something to cache | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install pytest | |
| npm init -y | |
| # Reproduces: pre-existing AWS config from configure-aws-credentials | |
| # https://github.com/SonarSource/sonarsource-iam/actions/runs/21951781857/job/63404298650#step:5:9 | |
| test-s3-cache-with-preset-aws-config: | |
| runs-on: github-ubuntu-latest-s | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4 | |
| with: | |
| version: 2025.7.12 | |
| # Simulate pre-existing AWS config (as if configure-aws-credentials ran before) | |
| - name: Create pre-existing AWS config | |
| run: | | |
| mkdir -p ~/.aws | |
| cat <<'AWSCONFIG' > ~/.aws/config | |
| [default] | |
| region = us-east-1 | |
| output = json | |
| [profile some-other-profile] | |
| region = us-west-2 | |
| AWSCONFIG | |
| cat <<'AWSCREDS' > ~/.aws/credentials | |
| [default] | |
| aws_access_key_id = AKIAFAKEDEFAULT | |
| aws_secret_access_key = fakesecretdefault | |
| [some-other-profile] | |
| aws_access_key_id = AKIAFAKEOTHER | |
| aws_secret_access_key = fakesecretother | |
| AWSCREDS | |
| echo "Pre-existing AWS config created" | |
| cat ~/.aws/config | |
| - name: Set conflicting AWS env vars | |
| run: | | |
| echo "AWS_ACCESS_KEY_ID=AKIAFAKEENV" >> "$GITHUB_ENV" | |
| echo "AWS_SECRET_ACCESS_KEY=fakesecretenv" >> "$GITHUB_ENV" | |
| echo "AWS_SESSION_TOKEN=faketokenenv" >> "$GITHUB_ENV" | |
| echo "AWS_PROFILE=some-other-profile" >> "$GITHUB_ENV" | |
| echo "AWS_DEFAULT_PROFILE=some-other-profile" >> "$GITHUB_ENV" | |
| # Cache action should override the conflicting credentials | |
| - name: Cache with S3 | |
| id: cache-test | |
| uses: ./ | |
| with: | |
| path: ~/.cache/pip | |
| key: preset-aws-${{ runner.os }}-${{ github.run_id }} | |
| restore-keys: preset-aws-${{ runner.os }}- | |
| environment: dev | |
| backend: s3 | |
| - name: Re-override with fake credentials (simulating mid-job auth change) | |
| run: | | |
| echo "AWS_ACCESS_KEY_ID=AKIAFAKEOVERRIDE" >> "$GITHUB_ENV" | |
| echo "AWS_SECRET_ACCESS_KEY=fakesecretoverride" >> "$GITHUB_ENV" | |
| echo "AWS_SESSION_TOKEN=faketokenoverride" >> "$GITHUB_ENV" | |
| - name: Create something to cache | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install pytest requests | |
| # Regression test: git clean -ffdx must not break credential-guard post step | |
| # Reproduces: https://github.com/SonarSource/sonar-dummy/actions/runs/21997126216 | |
| test-s3-cache-survives-git-clean: | |
| runs-on: github-ubuntu-latest-s | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4 | |
| with: | |
| version: 2025.7.12 | |
| - name: Cache with S3 | |
| id: cache-test | |
| uses: ./ | |
| with: | |
| path: ~/.cache/pip | |
| key: git-clean-test-${{ runner.os }}-${{ github.run_id }} | |
| restore-keys: git-clean-test-${{ runner.os }}- | |
| environment: dev | |
| backend: s3 | |
| # Simulate what actions/checkout does when clean: true (the default). | |
| # This is exactly what broke the .actions/ workspace copy approach. | |
| - name: Run git clean -ffdx (simulates actions/checkout clean) | |
| run: | | |
| git clean -ffdx | |
| echo "Workspace cleaned. Post steps should still work." | |
| - name: Create something to cache | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install pytest requests | |
| # SUCCESS: credential-guard post step runs, then runs-on/cache saves to S3 |