diff --git a/.claude/agent-memory/archgate-developer/project_release_pipeline_gotchas.md b/.claude/agent-memory/archgate-developer/project_release_pipeline_gotchas.md index 05810fe6..c55db182 100644 --- a/.claude/agent-memory/archgate-developer/project_release_pipeline_gotchas.md +++ b/.claude/agent-memory/archgate-developer/project_release_pipeline_gotchas.md @@ -8,7 +8,7 @@ metadata: Four distinct issues caused shim/binary publishing failures across v0.45.1–v0.46.1, fixed in `fix/publish-shims-race`: 1. **Workflow race**: `publish-shims.yml` and `release-binaries.yml` both triggered on `release: published`. If binaries needed a retry, `publish-shims.yml`'s fixed-budget `wait-for-binaries` poll timed out and went `cancelled` (terminal) before the retry finished. Fixed: `publish-shims.yml` is now `workflow_dispatch`-only; `release-binaries.yml`'s `trigger-shim-publish` job dispatches it via `gh workflow run` after binaries + provenance succeed. -2. **`moonrepo/setup-toolchain` cache bug**: right after a `.prototools` bump, the first macOS/Windows CI run can restore a stale `restore-key` cache fallback instead of an exact hit — the action reports success but `bun` isn't on PATH. Log signature: `Cache hit for restore-key:` (vs. exact `Cache hit for:`). Self-heals on retry (the failing job still saves a fresh exact-key cache in post-job cleanup). No code fix — just don't chase it as flakiness. +2. **`moonrepo/setup-toolchain` cache bug** (fixed 2026-07-07): The cache key (`moonrepo-toolchain-v3-{os}-{arch}-{prototools-hash}`) doesn't include runner image version. When GitHub migrates a runner (e.g. `macos-latest` from macOS 15 to macOS 26), stale caches serve broken shims — proto reports "Bun X installed" (from cache, no download) but the shim doesn't resolve. Log signature: install line has no "Downloading" sub-line, then `bun: command not found`. **Fix:** all `moonrepo/setup-toolchain` invocations now use `cache-version: ${{ env.ImageOS }}` — the `ImageOS` env var (e.g. `macos26`, `ubuntu24`, `win22`) is set by GitHub runners and auto-invalidates when the OS version changes. Locations: `release-binaries.yml`, `release.yml` (3x), `update-lock.yaml`, `update-llms.yaml`, and the composite action `.github/actions/setup-bun-project/action.yml` (used by `code-pull-request.yml` and smoke tests). 3. **Update-check stdout pollution**: `src/cli.ts` printed a background "update available" notice to stdout after every command, unconditionally. Broke `JSON.parse(stdout)` in CLI-subprocess tests (and would break real `| jq` usage) whenever a newer release existed. Fixed via `shouldPerformUpdateCheck()` in `src/helpers/update-check.ts` — only checks in a genuine TTY, non-CI, non-`upgrade` session. 4. **`publish-go-tag`'s `git push origin shims/go/$TAG` was rejected** with "refusing to allow a GitHub App to create or update workflow ... without workflows permission" (GitHub blocks ref pushes reachable through commits touching `.github/workflows/*`, even for an unrelated tag) on v0.45.7. **Correction (2026-07-03):** the original fix — adding `workflows: write` to the job's `permissions:` — does nothing: `workflows` is not a valid `permissions:`-key scope (confirmed against GitHub's own workflow syntax docs and actionlint's schema), so it was silently ignored rather than granting anything. Removed the invalid key; `contents: write` alone remains. Whether the underlying push rejection is actually resolved is **unverified** — if it recurs, the real fix needs a PAT with the classic `workflow` OAuth scope (as a secret) or a GitHub App installation token whose App has the Workflows permission explicitly configured, since neither is expressible via the workflow's own `permissions:` key. Watch the next real release's `publish-go-tag` job log. diff --git a/.github/actions/setup-bun-project/action.yml b/.github/actions/setup-bun-project/action.yml index c3b4b79b..7874b732 100644 --- a/.github/actions/setup-bun-project/action.yml +++ b/.github/actions/setup-bun-project/action.yml @@ -10,7 +10,6 @@ inputs: description: Base branch for moonrepo toolchain cache required: false default: "" - runs: using: composite steps: @@ -19,6 +18,7 @@ runs: auto-install: true cache: ${{ inputs.cache }} cache-base: ${{ inputs.cache-base }} + cache-version: ${{ env.ImageOS }} - name: Install dependencies shell: bash run: bun install --frozen-lockfile diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index de299427..4129e8ba 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml @@ -49,6 +49,7 @@ jobs: - uses: moonrepo/setup-toolchain@261c62cb5b0f580c7be7c8cd0f023a2e96756095 # v0 with: auto-install: true + cache: false - run: bun install --frozen-lockfile diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5f4a8989..59a461ba 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -45,6 +45,7 @@ jobs: auto-install: true cache: true cache-base: main + cache-version: ${{ env.ImageOS }} - name: Restore Bun Package Cache id: restore-bun-cache uses: actions/cache/restore@caa296126883cff596d87d8935842f9db880ef25 # v5 @@ -92,6 +93,7 @@ jobs: auto-install: true cache: true cache-base: main + cache-version: ${{ env.ImageOS }} - name: Restore Bun Package Cache id: restore-bun-cache uses: actions/cache/restore@caa296126883cff596d87d8935842f9db880ef25 # v5 @@ -145,6 +147,7 @@ jobs: auto-install: true cache: true cache-base: main + cache-version: ${{ env.ImageOS }} - name: Restore Bun Package Cache id: restore-bun-cache uses: actions/cache/restore@caa296126883cff596d87d8935842f9db880ef25 # v5 diff --git a/.github/workflows/update-llms.yaml b/.github/workflows/update-llms.yaml index df54ea3d..ee03ad71 100644 --- a/.github/workflows/update-llms.yaml +++ b/.github/workflows/update-llms.yaml @@ -39,6 +39,7 @@ jobs: auto-install: true cache: true cache-base: main + cache-version: ${{ env.ImageOS }} - name: Install dependencies run: bun install --frozen-lockfile - name: Regenerate llms-full.txt diff --git a/.github/workflows/update-lock.yaml b/.github/workflows/update-lock.yaml index 5764a1c7..f80647f5 100644 --- a/.github/workflows/update-lock.yaml +++ b/.github/workflows/update-lock.yaml @@ -38,6 +38,7 @@ jobs: auto-install: true cache: true cache-base: main + cache-version: ${{ env.ImageOS }} - name: Update locks run: bun install --lockfile-only - name: Commit changes