From f8cd07fb8afd451de29c7876d2bdef21b512eeb9 Mon Sep 17 00:00:00 2001
From: Tom Proctor
Date: Tue, 2 Dec 2025 17:35:15 +0000
Subject: [PATCH] .github: make cigocacher script more robust
We got a flake in https://github.com/tailscale/tailscale/actions/runs/19867229792/job/56933249360 but it's not obvious to me where it failed. Make it more robust and print out more useful error messages for next time.
Updates tailscale/corp#10808
Change-Id: I9ca08ea1103b9ad968c9cc0c42a493981ea62435
Signed-off-by: Tom Proctor
---
 .github/actions/go-cache/action.sh | 43 +++++++++++++++++++++++++-----
 1 file changed, 36 insertions(+), 7 deletions(-)
diff --git a/.github/actions/go-cache/action.sh b/.github/actions/go-cache/action.sh
index 84fb878f8..58ceabc86 100755
--- a/.github/actions/go-cache/action.sh
+++ b/.github/actions/go-cache/action.sh
@@ -17,23 +17,52 @@ if [ -z "${GITHUB_ACTIONS:-}" ]; then
 exit 1
 fi
-if [ -z "$URL" ]; then
+if [ -z "${URL:-}" ]; then
 echo "No cigocached URL is set, skipping cigocacher setup"
 exit 0
 fi
-JWT="$(curl -sSL -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=gocached" | jq -r .value)"
+curl_and_parse() {
+ local jq_filter="$1"
+ local step="$2"
+ shift 2
+
+ local response
+ local curl_exit
+ response="$(curl -sSL "$@" 2>&1)" || curl_exit="$?"
+ if [ "${curl_exit:-0}" -ne "0" ]; then
+ echo "${step}: ${response}" >&2
+ return 1
+ fi
+
+ local parsed
+ local jq_exit
+ parsed=$(echo "${response}" | jq -e -r "${jq_filter}" 2>&1) || jq_exit=$?
+ if [ "${jq_exit:-0}" -ne "0" ]; then
+ echo "${step}: Failed to parse JSON response:" >&2
+ echo "${response}" >&2
+ return 1
+ fi
+
+ echo "${parsed}"
+ return 0
+}
+
+JWT="$(curl_and_parse ".value" "Fetching GitHub identity JWT" \
+ -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
+ "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=gocached")" || exit 0
+
 # cigocached serves a TLS cert with an FQDN, but DNS is based on VM name.
 HOST_AND_PORT="${URL#http*://}"
 FIRST_LABEL="${HOST_AND_PORT/.*/}"
 # Save CONNECT_TO for later steps to use.
echo "CONNECT_TO=${HOST_AND_PORT}:${FIRST_LABEL}:" >> "${GITHUB_ENV}"
 BODY="$(jq -n --arg jwt "$JWT" '{"jwt": $jwt}')"
-CIGOCACHER_TOKEN="$(curl -sSL --connect-to "$HOST_AND_PORT:$FIRST_LABEL:" -H "Content-Type: application/json" "$URL/auth/exchange-token" -d "$BODY" | jq -r .access_token || true)"
-if [ -z "$CIGOCACHER_TOKEN" ]; then
- echo "Failed token exchange with cigocached, skipping cigocacher setup"
- exit 0
-fi
+CIGOCACHER_TOKEN="$(curl_and_parse ".access_token" "Exchanging token with cigocached" \
+ --connect-to "${HOST_AND_PORT}:${FIRST_LABEL}:" \
+ -H "Content-Type: application/json" \
+ "$URL/auth/exchange-token" \
+ -d "$BODY")" || exit 0
 # Wait until we successfully auth before building cigocacher to ensure we know
 # it's worth building.
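Review bot: The parse-failure branch of `curl_and_parse` writes the whole response body to the job log with `echo "${response}" >&2`, and both callers use it to fetch credentials (the GitHub identity JWT and the cigocached access token), so a body that carries a token but fails `jq -e` would be printed in clear. The `2>&1` on the curl capture makes that case more likely, because any curl warning on stderr is mixed into the JSON before jq sees it. Whether the runner masks these values is not visible from this hunk, so I would keep stdout clean with `response="$(curl -sSL "$@")" || curl_exit="$?"` (curl's `-S` still reports errors on the job's stderr) and log jq's own message rather than the body, `echo "${parsed}" >&2`. A short comment above the function such as `# Never log response bodies: they may contain bearer tokens.` would keep later edits from reintroducing it.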