From 2bac50c0ca503b03f99f86673991cfd6990b7522 Mon Sep 17 00:00:00 2001
From: Cole Helbling
Date: Wed, 4 Dec 2024 12:41:16 -0800
Subject: [PATCH] Move "workaround" notes closer to the workaround
---
 magic-nix-cache/src/flakehub.rs | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/magic-nix-cache/src/flakehub.rs b/magic-nix-cache/src/flakehub.rs
index dfa82ec..d39f2de 100644
--- a/magic-nix-cache/src/flakehub.rs
+++ b/magic-nix-cache/src/flakehub.rs
@@ -100,12 +100,6 @@ pub async fn init_cache(
 if environment.is_github_actions() {
 match auth_method {
 super::FlakeHubAuthSource::Netrc(path) => {
- // NOTE(cole-h): This is a workaround -- at the time of writing, GitHub Actions JWTs are only
- // valid for 5 minutes after being issued. FlakeHub uses these JWTs for authentication, which
- // means that after those 5 minutes have passed and the token is expired, FlakeHub (and by
- // extension FlakeHub Cache) will no longer allow requests using this token. However, GitHub
- // gives us a way to repeatedly request new tokens, so we utilize that and refresh the token
- // every 2 minutes (less than half of the lifetime of the token).
 let netrc_path_clone = path.to_path_buf();
 let initial_github_jwt_clone = flakehub_password.clone();
 let flakehub_cache_server_clone = flakehub_cache_server.to_string();
@@ -119,11 +113,6 @@ pub async fn init_cache(
 ));
 }
 crate::FlakeHubAuthSource::DeterminateNixd => {
- // NOTE(cole-h): This is a workaround -- at the time of writing, determinate-nixd
- // handles the GitHub Actions JWT refreshing for us, which means we don't know when
- // this will happen. At the moment, it does it roughly every 2 minutes (less than
- // half of the total lifetime of the issued token), so refreshing every 30 seconds
- // is "fine".
 let api_clone = api.clone();
 let netrc_file = PathBuf::from(DETERMINATE_NETRC_PATH);
 let flakehub_api_server_clone = flakehub_api_server.clone();
@@ -302,6 +291,13 @@ async fn refresh_github_actions_jwt_worker(
 flakehub_cache_server_clone: String,
 api: Arc>,
 ) -> Result<()> {
+ // NOTE(cole-h): This is a workaround -- at the time of writing, GitHub Actions JWTs are only
+ // valid for 5 minutes after being issued. FlakeHub uses these JWTs for authentication, which
+ // means that after those 5 minutes have passed and the token is expired, FlakeHub (and by
+ // extension FlakeHub Cache) will no longer allow requests using this token. However, GitHub
+ // gives us a way to repeatedly request new tokens, so we utilize that and refresh the token
+ // every 2 minutes (less than half of the lifetime of the token).
+
 // TODO(cole-h): this should probably be half of the token's lifetime ((exp - iat) / 2), but
 // getting this is nontrivial so I'm not going to do it until GitHub changes the lifetime and
 // breaks this.
@@ -429,6 +425,11 @@ async fn refresh_determinate_token_worker(
 flakehub_cache_server: Url,
 api_clone: Arc>,
 ) {
+ // NOTE(cole-h): This is a workaround -- at the time of writing, determinate-nixd handles the
+ // GitHub Actions JWT refreshing for us, which means we don't know when this will happen. At the
+ // moment, it does it roughly every 2 minutes (less than half of the total lifetime of the
+ // issued token), so refreshing every 30 seconds is "fine".
+
 loop {
 tokio::time::sleep(std::time::Duration::from_secs(30)).await;
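Review bot: The NOTE moved into `refresh_github_actions_jwt_worker` gives the timing only as prose ("valid for 5 minutes", "every 2 minutes"), while the interval it describes is set below the hunk, so the comment and the value can drift apart unnoticed. The NOTE added in `refresh_determinate_token_worker` has the same problem with the bare literal in `Duration::from_secs(30)`. Because a gap longer than the token lifetime means requests are sent with an expired JWT, I would state the invariant next to each value, e.g. `// Invariant: time between refreshes must stay below the JWT lifetime (5 min at the time of writing).` For the determinate-nixd worker the bound is the poll interval plus nixd's own refresh interval, which the NOTE itself says is not under this code's control. Naming the literal, e.g. `const DETERMINATE_TOKEN_POLL_INTERVAL: Duration = Duration::from_secs(30);`, would give the comment something concrete to point at. Both function bodies continue outside their hunks.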