ci: single-source the llvm tag so key and URL can't drift

The git-clang-format cache key and fetch URL each hardcoded llvmorg-19.1.7. A future one-sided version bump would leave the cache serving the old driver under a stale key. Pull the tag into an LLVM_TAG job env, mirroring how the lint job already single-sources SHFMT_VERSION. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Xavier Roche <roche@httrack.com>
ci: log cache hit vs cold fetch for both cached tools
2026-06-16 23:33:18 +03:00 · 2026-06-16 21:44:18 +02:00 · 2026-06-16 21:39:38 +02:00 · 2026-06-16 21:38:51 +02:00 · 2026-06-16 21:34:47 +02:00 · 2026-06-16 21:32:24 +02:00
1 changed files with 47 additions and 11 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -320,20 +320,37 @@ jobs:
  lint:
    name: lint (shellcheck, shfmt)
    runs-on: ubuntu-24.04
+    env:
+      SHFMT_VERSION: v3.8.0
    steps:
      - uses: actions/checkout@v6

+      # shfmt is a pinned release binary, so it never changes: cache it keyed on
+      # the version. Same rationale as the git-clang-format driver below -- avoid
+      # re-downloading an unchanging file from github.com on every run.
+      - name: Cache shfmt binary
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/shfmt/shfmt
+          key: shfmt-${{ env.SHFMT_VERSION }}-${{ runner.arch }}
+
      - name: Install linters
-        env:
-          SHFMT_VERSION: v3.8.0
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends shellcheck
-          # shfmt is not packaged in apt; fetch a pinned release binary.
-          curl -fsSL -o /tmp/shfmt \
-            "https://github.com/mvdan/sh/releases/download/${SHFMT_VERSION}/shfmt_${SHFMT_VERSION}_linux_$(dpkg --print-architecture)"
-          sudo install -m 0755 /tmp/shfmt /usr/local/bin/shfmt
+          # shfmt is not packaged in apt; fetch a pinned release binary (cold
+          # cache only), retrying through transient errors.
+          shfmt="$HOME/.cache/shfmt/shfmt"
+          if [ ! -s "$shfmt" ]; then
+            echo "shfmt cache MISS: fetching ${SHFMT_VERSION} from github.com"
+            mkdir -p "$(dirname "$shfmt")"
+            curl --retry 5 --retry-all-errors -fsSL -o "$shfmt" \
+              "https://github.com/mvdan/sh/releases/download/${SHFMT_VERSION}/shfmt_${SHFMT_VERSION}_linux_$(dpkg --print-architecture)"
+          else
+            echo "shfmt cache HIT: using cached ${SHFMT_VERSION}"
+          fi
+          sudo install -m 0755 "$shfmt" /usr/local/bin/shfmt

      # Lint the scripts we maintain; the legacy scripts are a separate cleanup.
      - name: shellcheck
@@ -349,11 +366,24 @@ jobs:
    name: format (clang-format-19, changed lines)
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-24.04
+    env:
+      # Single-source the tag so the cache key and the fetch URL can never drift.
+      LLVM_TAG: llvmorg-19.1.7
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0

+      # The git-clang-format driver is pinned to an immutable release tag, so the
+      # fetched file never changes: cache it keyed on the tag. raw.githubusercontent.com
+      # 429-rate-limits the shared runner egress IPs, and re-downloading an unchanging
+      # file every run was the only thing that could (and did) hit that limit.
+      - name: Cache git-clang-format driver
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/git-clang-format/git-clang-format
+          key: git-clang-format-${{ env.LLVM_TAG }}
+
      - name: Install clang-format 19 (pinned, from apt.llvm.org)
        run: |
          set -euo pipefail
@@ -364,11 +394,17 @@ jobs:
            | sudo tee /etc/apt/sources.list.d/llvm-19.list >/dev/null
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends clang-format-19
-          # git-clang-format driver, pinned to an immutable release tag (not a
-          # moving branch) since we curl and then execute it.
-          sudo curl -fsSL -o /usr/local/bin/git-clang-format \
-            https://raw.githubusercontent.com/llvm/llvm-project/llvmorg-19.1.7/clang/tools/clang-format/git-clang-format
-          sudo chmod 0755 /usr/local/bin/git-clang-format
+          # Cold cache only: fetch the driver, retrying through transient 429s.
+          driver="$HOME/.cache/git-clang-format/git-clang-format"
+          if [ ! -s "$driver" ]; then
+            echo "git-clang-format cache MISS: fetching ${LLVM_TAG} from raw.githubusercontent.com"
+            mkdir -p "$(dirname "$driver")"
+            curl --retry 5 --retry-all-errors -fsSL -o "$driver" \
+              "https://raw.githubusercontent.com/llvm/llvm-project/${LLVM_TAG}/clang/tools/clang-format/git-clang-format"
+          else
+            echo "git-clang-format cache HIT: using cached ${LLVM_TAG}"
+          fi
+          sudo install -m 0755 "$driver" /usr/local/bin/git-clang-format
          clang-format-19 --version

      - name: Check formatting of changed lines
Author	SHA1	Message	Date
Xavier Roche	90847cf083	ci: single-source the llvm tag so key and URL can't drift The git-clang-format cache key and fetch URL each hardcoded llvmorg-19.1.7. A future one-sided version bump would leave the cache serving the old driver under a stale key. Pull the tag into an LLVM_TAG job env, mirroring how the lint job already single-sources SHFMT_VERSION. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Xavier Roche <roche@httrack.com>	2026-06-16 21:44:18 +02:00
Xavier Roche	1611add5a9	ci: log cache hit vs cold fetch for both cached tools Print an explicit HIT/MISS line in each install step so the job log shows whether the binary came from the cache or was downloaded. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Xavier Roche <roche@httrack.com>	2026-06-16 21:39:38 +02:00
Xavier Roche	92f4ea044b	ci: cache the shfmt binary too shfmt has the same shape as the git-clang-format driver: a pinned, immutable release binary curled from github.com on every lint run. Cache it keyed on the pinned version (and arch) so it is fetched at most once, and retry the cold fetch through transient errors -- so the lint job stops depending on a github.com download succeeding on every PR run. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Xavier Roche <roche@httrack.com>	2026-06-16 21:38:51 +02:00
Xavier Roche	4344801983	ci: cache the git-clang-format driver instead of refetching it every run The format job downloaded git-clang-format from raw.githubusercontent.com on every run. The URL is pinned to an immutable tag (llvmorg-19.1.7), so the file never changes, yet the repeated fetch was the one thing in the job that could hit raw.githubusercontent.com's per-IP rate limit -- and on shared runner egress IPs it did, failing the job with curl 429 (apt.llvm.org was fine; only the step name suggested otherwise). Cache the driver keyed on the tag so it is fetched at most once, and retry the cold fetch through transient 429s with curl --retry --retry-all-errors. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Xavier Roche <roche@httrack.com>	2026-06-16 21:34:47 +02:00
Xavier Roche	25b9a53c89	Merge pull request #372 from xroche/cleanup/htsparse-bounds Bound htsparse.c pointer-destination buffer writes	2026-06-16 21:32:24 +02:00