.github: use cigocacher for windows

Change-Id: I0d0e9b670e49e0f9abf01ff3d605cd660dd85ebb
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>

.github/actions/go-cache/action.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+#
+# This script sets up cigocacher, but should never fail the build if unsuccessful.
+# It expects to run on a GitHub-hosted runner, and connects to cigocached over a
+# private Azure network that is configured at the runner group level in GitHub.
+#
+# Usage: ./action.sh
+# Inputs:
+#   URL: The cigocached server URL.
+# Outputs:
+#   success: Whether cigocacher was set up successfully.
+
+set -euo pipefail
+
+if [ -z "${GITHUB_ACTIONS:-}" ]; then
+    echo "This script is intended to run within GitHub Actions"
+    exit 1
+fi
+
+if [ -z "$URL" ]; then
+    echo "No cigocached URL is set, skipping cigocacher setup"
+    exit 0
+fi
+
+JWT="$(curl -sSL -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=gocached" | jq -r .value)"
+# cigocached serves a TLS cert with an FQDN, but DNS is based on VM name.
+HOST_AND_PORT="${URL#http*://}"
+FIRST_LABEL="${HOST_AND_PORT/.*/}"
+BODY="$(jq -n --arg jwt "$JWT" '{"jwt": $jwt}')"
+CIGOCACHER_TOKEN="$(curl -sSL --connect-to "$HOST_AND_PORT:$FIRST_LABEL:" -H "Content-Type: application/json" "$URL/auth/exchange-token" -d "$BODY" | jq -r .access_token)"
+if [ -z "$CIGOCACHER_TOKEN" ]; then
+    echo "Failed token exchange with cigocached, skipping cigocacher setup"
+    exit 0
+fi
+
+# Wait until we successfully auth before building cigocacher to ensure we know
+# it's worth building.
+# TODO(tomhjp): bake cigocacher into runner image and use it for auth.
+echo "Fetched cigocacher token successfully"
+echo "::add-mask::${CIGOCACHER_TOKEN}"
+
+BIN_NAME="cigocacher"
+if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
+    BIN_NAME="cigocacher.exe"
+fi
+BIN_PATH="${RUNNER_TEMP:-/tmp}/$BIN_NAME"
+
+./tool/go build -o "$BIN_PATH" ./cmd/cigocacher
+echo "GOCACHEPROG=$BIN_PATH --cigocached-url $URL --token ${CIGOCACHER_TOKEN}" >> "$GITHUB_ENV"
+echo "success=true" >> "$GITHUB_OUTPUT"

.github/actions/go-cache/action.yml

@@ -0,0 +1,26 @@
+name: go-cache
+description: Set up build to use cigocacher
+
+inputs:
+  cigocached-url:
+    description: URL of the cigocached server
+    required: true
+  checkout-path:
+    description: Path to cloned repository
+    required: true
+
+outputs:
+  success:
+    description: Whether cigocacher was set up successfully
+    value: ${{ steps.setup.outputs.success }}
+
+runs:
+  using: composite
+  steps:
+    - name: Setup cigocacher
+      id: setup
+      shell: bash
+      env:
+        URL: ${{ inputs.cigocached-url }}
+      working-directory: ${{ inputs.checkout-path }}
+      run: .github/actions/go-cache/action.sh

.github/workflows/test.yml

@@ -2,6 +2,10 @@
 # both PRs and merged commits, and for the latter reports failures to slack.
 name: CI
 
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
+
 env:
   # Our fuzz job, powered by OSS-Fuzz, fails periodically because we upgrade to
   # new Go versions very eagerly. OSS-Fuzz is a little more conservative, and
@@ -22,9 +26,6 @@ env:
 
 on:
   push:
-    branches:
-      - "main"
-      - "release-branch/*"
   pull_request:
     # all PRs on all branches
   merge_group:
@@ -220,8 +221,6 @@ jobs:
         include:
           - key: "win-bench"
             name: "benchmarks"
-          - key: "win-tool-go"
-            name: "./tool/go"
           - key: "win-shard-1-2"
             shard: "1/2"
           - key: "win-shard-2-2"
@@ -233,41 +232,27 @@ jobs:
         path: src
 
     - name: Install Go
-      if: matrix.key != 'win-tool-go'
       uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
       with:
         go-version-file: src/go.mod
         cache: false
 
     - name: Restore Go module cache
-      if: matrix.key != 'win-tool-go'
       uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
       with:
         path: gomodcache
         key: ${{ needs.gomod-cache.outputs.cache-key }}
         enableCrossOsArchive: true
 
-    - name: Restore Cache
-      if: matrix.key != 'win-tool-go'
-      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+    - name: Setup cigocacher
+      id: cigocacher-setup
+      uses: ./src/.github/actions/go-cache
       with:
-        path: |
-          ~/.cache/go-build
-          ~\AppData\Local\go-build
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        key: ${{ github.job }}-${{ matrix.key }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
-        restore-keys: |
-          ${{ github.job }}-${{ matrix.key }}-go-2-${{ hashFiles('**/go.sum') }}
-          ${{ github.job }}-${{ matrix.key }}-go-2-
-
-    - name: test-tool-go
-      if: matrix.key == 'win-tool-go'
-      working-directory: src
-      run: ./tool/go version
+        checkout-path: src
+        cigocached-url: ${{ vars.CIGOCACHED_AZURE_URL }}
 
     - name: test
-      if: matrix.key != 'win-bench' && matrix.key != 'win-tool-go' # skip on bench builder
+      if: matrix.key != 'win-bench' # skip on bench builder
       working-directory: src
       run: go run ./cmd/testwrapper sharded:${{ matrix.shard }}
 
@@ -280,12 +265,27 @@ jobs:
       run: go test ./... -bench . -benchtime 1x -run "^$"
 
     - name: Tidy cache
-      if: matrix.key != 'win-tool-go'
       working-directory: src
       shell: bash
       run: |
         find $(go env GOCACHE) -type f -mmin +90 -delete
 
+  win-tool-go:
+    # windows-8vpu is a 2022 GitHub-managed runner in our
+    # org with 8 cores and 32 GB of RAM:
+    # https://github.com/organizations/tailscale/settings/actions/github-hosted-runners/1
+    runs-on: windows-8vcpu
+    needs: gomod-cache
+    name: Windows (win-tool-go)
+    steps:
+    - name: checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        path: src
+    - name: test-tool-go
+      working-directory: src
+      run: ./tool/go version
+
   privileged:
     needs: gomod-cache
     runs-on: ubuntu-24.04
@@ -807,50 +807,50 @@ jobs:
            honnef.co/go/tools/cmd/staticcheck -- \
            $(./tool/go run ./tool/listpkgs --ignore-3p --goos=${{ matrix.goos }} --goarch=${{ matrix.goarch }} ${{ matrix.flags }} ./...)
 
-  notify_slack:
-    if: always()
-    # Any of these jobs failing causes a slack notification.
-    needs: 
-      - android
-      - test
-      - windows
-      - vm
-      - cross
-      - ios
-      - wasm
-      - tailscale_go
-      - fuzz
-      - depaware
-      - go_generate
-      - go_mod_tidy
-      - licenses
-      - staticcheck
-    runs-on: ubuntu-24.04
-    steps:
-    - name: notify  
-      # Only notify slack for merged commits, not PR failures.
-      #
-      # It may be tempting to move this condition into the job's 'if' block, but
-      # don't: Github only collapses the test list into "everything is OK" if
-      # all jobs succeeded. A skipped job results in the list staying expanded.
-      # By having the job always run, but skipping its only step as needed, we
-      # let the CI output collapse nicely in PRs.
-      if: failure() && github.event_name == 'push'
-      uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
-      with:
-        webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
-        webhook-type: incoming-webhook
-        payload: |
-          {
-            "attachments": [{
-              "title": "Failure: ${{ github.workflow }}",
-              "title_link": "https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks",         
-              "text": "${{ github.repository }}@${{ github.ref_name }}: <https://github.com/${{ github.repository }}/commit/${{ github.sha }}|${{ github.sha }}>",
-              "fields": [{ "value": ${{ toJson(github.event.head_commit.message) }}, "short": false }],
-              "footer": "${{ github.event.head_commit.committer.name }} at ${{ github.event.head_commit.timestamp }}",
-              "color": "danger"
-            }]
-          }
+  # notify_slack:
+  #   if: always()
+  #   # Any of these jobs failing causes a slack notification.
+  #   needs: 
+  #     - android
+  #     - test
+  #     - windows
+  #     - vm
+  #     - cross
+  #     - ios
+  #     - wasm
+  #     - tailscale_go
+  #     - fuzz
+  #     - depaware
+  #     - go_generate
+  #     - go_mod_tidy
+  #     - licenses
+  #     - staticcheck
+  #   runs-on: ubuntu-24.04
+  #   steps:
+  #   - name: notify  
+  #     # Only notify slack for merged commits, not PR failures.
+  #     #
+  #     # It may be tempting to move this condition into the job's 'if' block, but
+  #     # don't: Github only collapses the test list into "everything is OK" if
+  #     # all jobs succeeded. A skipped job results in the list staying expanded.
+  #     # By having the job always run, but skipping its only step as needed, we
+  #     # let the CI output collapse nicely in PRs.
+  #     if: failure() && github.event_name == 'push'
+  #     uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
+  #     with:
+  #       webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+  #       webhook-type: incoming-webhook
+  #       payload: |
+  #         {
+  #           "attachments": [{
+  #             "title": "Failure: ${{ github.workflow }}",
+  #             "title_link": "https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks",         
+  #             "text": "${{ github.repository }}@${{ github.ref_name }}: <https://github.com/${{ github.repository }}/commit/${{ github.sha }}|${{ github.sha }}>",
+  #             "fields": [{ "value": ${{ toJson(github.event.head_commit.message) }}, "short": false }],
+  #             "footer": "${{ github.event.head_commit.committer.name }} at ${{ github.event.head_commit.timestamp }}",
+  #             "color": "danger"
+  #           }]
+  #         }
 
   merge_blocker:
     if: always()