@@ 1,12 1,11 @@
-# Build cross-platform binaries via goreleaser, ship them three ways on
-# every tag push:
+# Build cross-platform binaries via goreleaser, publish to pages.sr.ht
+# under bigbes.pages.srht.bigb.es/ci-cacher/. The latest tag overwrites
+# the previous publish under /ci-cacher (other projects sharing the
+# user-level pages domain stay intact thanks to `hut pages publish -s`).
#
-# 1. Build artifacts (visible on the job page, 90-day TTL).
-# 2. pages.sr.ht under bigbes.pages.srht.bigb.es/ci-cacher/ via
-# `hut pages publish -s /ci-cacher` (subpath-scoped, so other
-# projects sharing the user-level pages domain stay intact).
-# 3. A landing page rendered from docs/index.html with CHANGELOG.md
-# embedded inline.
+# Dependency tarballs (Go, goreleaser) are cached through cacher itself —
+# bootstrapped from the previously-published binary on pages. First run
+# is a `--url` fallback fetch + S3 fill; later runs hit S3 directly.
#
# Auto-submission is restricted to tag refs only.
image: ubuntu/noble
@@ 14,6 13,9 @@ packages:
- curl
- ca-certificates
- cmark # CHANGELOG.md → HTML
+secrets:
+ - 7dde4219-0783-4581-a67d-c94749de3600 # ~/.s3-cache-key-id
+ - 0e5b3530-6f19-4f30-9b73-9339dd382e46 # ~/.s3-cache-key-secret
oauth: pages.sr.ht/PAGES:RW
sources:
- https://git.srht.bigb.es/~bigbes/ci-cacher
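Review bot: The two `secrets:` entries place a long-lived S3 key pair in the build VM for the whole job, and nothing in the manifest records what that key is allowed to do. Going by `cacher_init` in the next hunk, it is only needed for bucket `docker-cache` under prefix `ci-cacher/deps`. If the key's policy is wider than that prefix (not visible from here), a leak from any task would expose whatever else lives in the bucket. Record the intended scope beside the entries, e.g. `# S3 key: read/write limited to docker-cache/ci-cacher/deps`, and confirm the key policy on the S3 side matches it.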
@@ 30,31 32,51 @@ submitter:
allow-refs:
- "refs/tags/*"
tasks:
+ - install_cacher: |
+ # Bootstrap from the previously-published binary on pages. The
+ # very first publish wasn't cacher-aware (chicken/egg); every run
+ # since then can dogfood the tool we're shipping.
+ mkdir -p ~/.local/bin
+ curl -sSL "https://${PAGES_DOMAIN}${PAGES_SUBPATH}/cacher-linux-amd64" \
+ -o ~/.local/bin/cacher
+ chmod +x ~/.local/bin/cacher
+ cacher version
+ - cacher_init: |
+ cacher init \
+ --endpoint https://s3.bigb.es \
+ --region garage \
+ --bucket docker-cache \
+ --prefix ci-cacher/deps \
+ --key-file ~/.s3-cache-key-id \
+ --secret-file ~/.s3-cache-key-secret
- install_go: |
GO_TARBALL="go${GO_VERSION}.linux-amd64.tar.gz"
mkdir -p ~/.local
- curl -sSL "https://go.dev/dl/$GO_TARBALL" -o "/tmp/$GO_TARBALL"
- tar -xz -C ~/.local -f "/tmp/$GO_TARBALL"
- rm "/tmp/$GO_TARBALL"
+ cacher download "golang/${GO_TARBALL}" "/tmp/${GO_TARBALL}" \
+ --url "https://go.dev/dl/${GO_TARBALL}"
+ tar -xz -C ~/.local -f "/tmp/${GO_TARBALL}"
+ rm "/tmp/${GO_TARBALL}"
go version
- install_hut: |
+ # No upstream binary release for hut; build it from source. Output
+ # is small (~5MB) so caching it would barely save anything vs the
+ # `go install` time itself.
go install git.sr.ht/~xenrox/hut@latest
hut version
- install_goreleaser: |
- # Pinned binary release, not `go install` — goreleaser's release
- # binaries are stripped + statically linked and ~10x smaller than
- # a from-source build.
- mkdir -p ~/.local/bin
- curl -sSL "https://github.com/goreleaser/goreleaser/releases/download/${GORELEASER_VERSION}/goreleaser_Linux_x86_64.tar.gz" \
- | tar -xz -C ~/.local/bin goreleaser
+ GRL_TARBALL="goreleaser_${GORELEASER_VERSION}_Linux_x86_64.tar.gz"
+ cacher download "goreleaser/${GRL_TARBALL}" "/tmp/${GRL_TARBALL}" \
+ --url "https://github.com/goreleaser/goreleaser/releases/download/${GORELEASER_VERSION}/goreleaser_Linux_x86_64.tar.gz"
+ tar -xz -C ~/.local/bin -f "/tmp/${GRL_TARBALL}" goreleaser
+ rm "/tmp/${GRL_TARBALL}"
goreleaser --version
- build: |
cd ci-cacher
- # --skip=validate lets goreleaser release v0.1.0 from a commit that
- # isn't precisely the v0.1.0 tag (e.g. a CI manifest patch landed
- # after tagging). Safe here because the published binary is built
- # from the same Go source either way; only .builds/publish.yml
- # differs between HEAD and the tagged commit.
+ # --skip=validate lets goreleaser release v0.1.0 from a commit
+ # that isn't precisely the v0.1.0 tag (e.g. a CI manifest patch
+ # landed after tagging). Safe here because the published binary
+ # is built from the same Go source either way; only
+ # .builds/publish.yml differs between HEAD and the tagged commit.
goreleaser release --clean --skip=validate,publish
ls dist/
- package_pages: |
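Review bot: Nothing in `install_cacher`, `install_go` or `install_goreleaser` verifies a download before it is executed or unpacked, and these tasks now run with the S3 key files from `secrets:` on disk. The bootstrap binary is fetched from the same pages path this job later overwrites, so one bad publish would carry into every following release build. A tarball served from the S3 cache is also trusted exactly like one fetched from go.dev or GitHub. Pin a SHA-256 per artifact in the manifest and check it before use, e.g. `echo "${GO_SHA256}  /tmp/${GO_TARBALL}" | sha256sum -c -` ahead of the `tar` line (`GO_SHA256` is a placeholder to define next to `GO_VERSION`), and do the same for the goreleaser tarball and `~/.local/bin/cacher`. The `curl` in `install_cacher` should also be `curl -fsSL` so an HTTP error page is not saved as the binary.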
@@ 108,18 130,3 @@ tasks:
# hut runs, or it can't reach the API from outside the cluster.
sed -i 's|http://pages:5112|https://pages.srht.bigb.es|' ~/.config/hut/config
hut pages publish -d "$PAGES_DOMAIN" -s "$PAGES_SUBPATH" /home/build/site.tar.gz
- - stage_artifacts: |
- # `artifacts:` paths resolve relative to /home/build. Copy the four
- # binaries + checksums.txt into the top level so they're easy to
- # reference (and to keep the page tarball clean of duplicates).
- cp /home/build/pages/cacher-linux-amd64 /home/build/
- cp /home/build/pages/cacher-linux-arm64 /home/build/
- cp /home/build/pages/cacher-darwin-amd64 /home/build/
- cp /home/build/pages/cacher-darwin-arm64 /home/build/
- cp /home/build/pages/checksums.txt /home/build/
-artifacts:
- - cacher-linux-amd64
- - cacher-linux-arm64
- - cacher-darwin-amd64
- - cacher-darwin-arm64
- - checksums.txt