From 30347e53ac12253f31f9cd347c73e1bf95ee2810 Mon Sep 17 00:00:00 2001
From: Eugene Blikh <bigbes@gmail.com>
Date: Tue, 26 May 2026 00:38:12 +0300
Subject: [PATCH] publish.yml: dogfood cacher for deps, drop failing artifacts
 block
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two changes:

* Drop `artifacts:` block. The srht.bigb.es self-hosted instance
  doesn't have artifact storage configured (the upload step fails
  silently right after "Running task stage_artifacts"). Pages.sr.ht
  already serves the binaries with stable URLs, so artifacts were
  just redundant. Removes the stage_artifacts task too.

* Cache the Go and goreleaser tarballs through cacher itself.
  Bootstrap: curl the previously-published cacher binary from pages;
  cacher init against s3.bigb.es using the existing srht-registered
  secrets (same UUIDs as tarantool-protobuf .builds); then cacher
  download "goreleaser/<ver>.tar.gz" --url "https://github…" handles
  cache-or-fetch + back-fill. First run after this commit pays the
  full curl cost and seeds s3; every later run is an S3 hit.

  hut isn't cached — no upstream binary release, building from
  source is small + fast.
---
 .builds/publish.yml | 81 ++++++++++++++++++++++++---------------------
 1 file changed, 44 insertions(+), 37 deletions(-)

diff --git a/.builds/publish.yml b/.builds/publish.yml
index 74fb5a36e84e0d59a1880e0389689077ef9516b9..8be3e766f72841ffd8d52df88c31692892f753f7 100644
--- a/.builds/publish.yml
+++ b/.builds/publish.yml
@@ -1,12 +1,11 @@
-# Build cross-platform binaries via goreleaser, ship them three ways on
-# every tag push:
+# Build cross-platform binaries via goreleaser, publish to pages.sr.ht
+# under bigbes.pages.srht.bigb.es/ci-cacher/. The latest tag overwrites
+# the previous publish under /ci-cacher (other projects sharing the
+# user-level pages domain stay intact thanks to `hut pages publish -s`).
 #
-#   1. Build artifacts (visible on the job page, 90-day TTL).
-#   2. pages.sr.ht under bigbes.pages.srht.bigb.es/ci-cacher/ via
-#      `hut pages publish -s /ci-cacher` (subpath-scoped, so other
-#      projects sharing the user-level pages domain stay intact).
-#   3. A landing page rendered from docs/index.html with CHANGELOG.md
-#      embedded inline.
+# Dependency tarballs (Go, goreleaser) are cached through cacher itself —
+# bootstrapped from the previously-published binary on pages. First run
+# is a `--url` fallback fetch + S3 fill; later runs hit S3 directly.
 #
 # Auto-submission is restricted to tag refs only.
 image: ubuntu/noble
@@ -14,6 +13,9 @@ packages:
   - curl
   - ca-certificates
   - cmark            # CHANGELOG.md → HTML
+secrets:
+  - 7dde4219-0783-4581-a67d-c94749de3600   # ~/.s3-cache-key-id
+  - 0e5b3530-6f19-4f30-9b73-9339dd382e46   # ~/.s3-cache-key-secret
 oauth: pages.sr.ht/PAGES:RW
 sources:
   - https://git.srht.bigb.es/~bigbes/ci-cacher
@@ -30,31 +32,51 @@ submitter:
     allow-refs:
       - "refs/tags/*"
 tasks:
+  - install_cacher: |
+      # Bootstrap from the previously-published binary on pages. The
+      # very first publish wasn't cacher-aware (chicken/egg); every run
+      # since then can dogfood the tool we're shipping.
+      mkdir -p ~/.local/bin
+      curl -sSL "https://${PAGES_DOMAIN}${PAGES_SUBPATH}/cacher-linux-amd64" \
+        -o ~/.local/bin/cacher
+      chmod +x ~/.local/bin/cacher
+      cacher version
+  - cacher_init: |
+      cacher init \
+        --endpoint    https://s3.bigb.es \
+        --region      garage \
+        --bucket      docker-cache \
+        --prefix      ci-cacher/deps \
+        --key-file    ~/.s3-cache-key-id \
+        --secret-file ~/.s3-cache-key-secret
   - install_go: |
       GO_TARBALL="go${GO_VERSION}.linux-amd64.tar.gz"
       mkdir -p ~/.local
-      curl -sSL "https://go.dev/dl/$GO_TARBALL" -o "/tmp/$GO_TARBALL"
-      tar -xz -C ~/.local -f "/tmp/$GO_TARBALL"
-      rm "/tmp/$GO_TARBALL"
+      cacher download "golang/${GO_TARBALL}" "/tmp/${GO_TARBALL}" \
+        --url "https://go.dev/dl/${GO_TARBALL}"
+      tar -xz -C ~/.local -f "/tmp/${GO_TARBALL}"
+      rm "/tmp/${GO_TARBALL}"
       go version
   - install_hut: |
+      # No upstream binary release for hut; build it from source. Output
+      # is small (~5MB) so caching it would barely save anything vs the
+      # `go install` time itself.
       go install git.sr.ht/~xenrox/hut@latest
       hut version
   - install_goreleaser: |
-      # Pinned binary release, not `go install` — goreleaser's release
-      # binaries are stripped + statically linked and ~10x smaller than
-      # a from-source build.
-      mkdir -p ~/.local/bin
-      curl -sSL "https://github.com/goreleaser/goreleaser/releases/download/${GORELEASER_VERSION}/goreleaser_Linux_x86_64.tar.gz" \
-        | tar -xz -C ~/.local/bin goreleaser
+      GRL_TARBALL="goreleaser_${GORELEASER_VERSION}_Linux_x86_64.tar.gz"
+      cacher download "goreleaser/${GRL_TARBALL}" "/tmp/${GRL_TARBALL}" \
+        --url "https://github.com/goreleaser/goreleaser/releases/download/${GORELEASER_VERSION}/goreleaser_Linux_x86_64.tar.gz"
+      tar -xz -C ~/.local/bin -f "/tmp/${GRL_TARBALL}" goreleaser
+      rm "/tmp/${GRL_TARBALL}"
       goreleaser --version
   - build: |
       cd ci-cacher
-      # --skip=validate lets goreleaser release v0.1.0 from a commit that
-      # isn't precisely the v0.1.0 tag (e.g. a CI manifest patch landed
-      # after tagging). Safe here because the published binary is built
-      # from the same Go source either way; only .builds/publish.yml
-      # differs between HEAD and the tagged commit.
+      # --skip=validate lets goreleaser release v0.1.0 from a commit
+      # that isn't precisely the v0.1.0 tag (e.g. a CI manifest patch
+      # landed after tagging). Safe here because the published binary
+      # is built from the same Go source either way; only
+      # .builds/publish.yml differs between HEAD and the tagged commit.
       goreleaser release --clean --skip=validate,publish
       ls dist/
   - package_pages: |
@@ -108,18 +130,3 @@ tasks:
       # hut runs, or it can't reach the API from outside the cluster.
       sed -i 's|http://pages:5112|https://pages.srht.bigb.es|' ~/.config/hut/config
       hut pages publish -d "$PAGES_DOMAIN" -s "$PAGES_SUBPATH" /home/build/site.tar.gz
-  - stage_artifacts: |
-      # `artifacts:` paths resolve relative to /home/build. Copy the four
-      # binaries + checksums.txt into the top level so they're easy to
-      # reference (and to keep the page tarball clean of duplicates).
-      cp /home/build/pages/cacher-linux-amd64    /home/build/
-      cp /home/build/pages/cacher-linux-arm64    /home/build/
-      cp /home/build/pages/cacher-darwin-amd64   /home/build/
-      cp /home/build/pages/cacher-darwin-arm64   /home/build/
-      cp /home/build/pages/checksums.txt         /home/build/
-artifacts:
-  - cacher-linux-amd64
-  - cacher-linux-arm64
-  - cacher-darwin-amd64
-  - cacher-darwin-arm64
-  - checksums.txt