From e9625f50e85cc1b3410c2ee619dadae785f81e82 Mon Sep 17 00:00:00 2001
From: Jonathan Matthews <github@hello.jonathanmatthews.com>
Date: Tue, 29 Oct 2024 17:46:02 +0000
Subject: [PATCH] _scripts/cacheWarm: warm the CUE dependency cache

This adds a script that warms the CUE dependency cache, using
credentials for the central registry passed in via the
CUELANG_CUE_LOGINS environment variable.

This is primarily to solve the problem of CUE needing access to these
CUE dependencies during the Netlify build stage that's executed by
production deployments, tip deployments, and PR previews.

The trybot CI workflow is updated to call this script directly, as the
logic is identical but the sequencing is different (CI needs the cache
warmed sooner than the build.bash script is invoked).

Signed-off-by: Jonathan Matthews <github@hello.jonathanmatthews.com>
Change-Id: I63dacf1fe0f250a72750a9f3886ff8fb61436671
Dispatch-Trailer: {"type":"trybot","CL":1203266,"patchset":4,"ref":"refs/changes/66/1203266/4","targetBranch":"master"}
---
 .github/workflows/trybot.yaml |  8 ++------
 _scripts/build.bash           | 12 +++++++++++-
 _scripts/cacheWarm.bash       | 13 +++++++++++++
 internal/ci/github/trybot.cue |  9 ++-------
 4 files changed, 28 insertions(+), 14 deletions(-)
 create mode 100755 _scripts/cacheWarm.bash

diff --git a/.github/workflows/trybot.yaml b/.github/workflows/trybot.yaml
index 4fa4183726..839e5b167e 100644
--- a/.github/workflows/trybot.yaml
+++ b/.github/workflows/trybot.yaml
@@ -171,12 +171,8 @@ jobs:
         run: _scripts/checkContent.bash
       - name: Populate CUE dependency cache
         env:
-          CUE_LOGINS: ${{ secrets.NOTCUECKOO_CUE_LOGINS }}
-        run: |-
-          export CUE_CONFIG_DIR="$(mktemp -d)"
-          echo "$CUE_LOGINS" >"$CUE_CONFIG_DIR/logins.json"
-          go run cuelang.org/go/cmd/cue mod tidy --check
-          rm -rfv "${CUE_CONFIG_DIR}"
+          CUELANG_CUE_LOGINS: ${{ secrets.NOTCUECKOO_CUE_LOGINS }}
+        run: _scripts/cacheWarm.bash
       - name: Check site CUE configuration
         run: _scripts/runPreprocessor.bash execute --check
       - name: Regenerate
diff --git a/_scripts/build.bash b/_scripts/build.bash
index f33b8e6a4c..b24c0c3f5c 100755
--- a/_scripts/build.bash
+++ b/_scripts/build.bash
@@ -32,7 +32,10 @@ cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )/.."
 #
 # * Locally, in development
 # * In CI, both as part of a trybot run, or on the default branch post submit
-# * In Netlify during deploy
+# * In Netlify, during deployment of:
+#   - the production site ("cuelang.org")
+#   - the site built against the tip of cue-lang/cue ("tip")
+#   - any PR preview
 #
 # Rather than declare a "fall-through" of logic, each environment is separately
 # handled with comments to make clear the logic/reasoning behind each flag value.
@@ -153,6 +156,13 @@ else
 
 fi
 
+# Fetch any CUE dependencies.
+if [[ "${NETLIFY:-}" == "true" ]]; then
+    export CUELANG_CUE_LOGINS
+    bash _scripts/cacheWarm.bash
+    export -n CUELANG_CUE_LOGINS
+fi
+
 # Build playground
 bash playground/_scripts/build.bash
 
diff --git a/_scripts/cacheWarm.bash b/_scripts/cacheWarm.bash
new file mode 100755
index 0000000000..f460b7cc54
--- /dev/null
+++ b/_scripts/cacheWarm.bash
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# warmCache.bash warms the CUE module cache with any CUE dependencies, so that
+# any credentials used to authenticate to the central registry only need to be
+# in scope for the duration of this script.
+
+function cleanup() { rm -rfv "${CUE_CONFIG_DIR}"; }
+
+export CUE_CONFIG_DIR="$(mktemp -d)"
+trap cleanup EXIT
+echo "$CUELANG_CUE_LOGINS" >"$CUE_CONFIG_DIR/logins.json"
+go run cuelang.org/go/cmd/cue mod tidy --check
diff --git a/internal/ci/github/trybot.cue b/internal/ci/github/trybot.cue
index 6cb19ae4d6..49889e7bc1 100644
--- a/internal/ci/github/trybot.cue
+++ b/internal/ci/github/trybot.cue
@@ -132,13 +132,8 @@ workflows: trybot: _repo.bashWorkflow & {
 			// TODO: add cache dir to CI cache when it's visible via https://cuelang.org/issue/2838.
 			githubactions.#Step & {
 				name: "Populate CUE dependency cache"
-				env: CUE_LOGINS: "${{ secrets.NOTCUECKOO_CUE_LOGINS }}"
-				run: """
-					export CUE_CONFIG_DIR="$(mktemp -d)"
-					echo "$CUE_LOGINS" >"$CUE_CONFIG_DIR/logins.json"
-					go run cuelang.org/go/cmd/cue mod tidy --check
-					rm -rfv "${CUE_CONFIG_DIR}"
-					"""
+				env: CUELANG_CUE_LOGINS: "${{ secrets.NOTCUECKOO_CUE_LOGINS }}"
+				run: "_scripts/cacheWarm.bash"
 			},
 
 			// We can perform an early check that ensures page.cue files are