mirrors/magic-nix-cache
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
magic-nix-cache/gha-cache/README.md
Eelco Dolstra a560959d65 README
2024-02-29 16:27:19 +01:00

37 lines
2.1 KiB
Markdown
Raw Permalink Blame History

# gha-cache
`gha-cache` provides an async API to the GitHub Actions Cache API.
You can upload blobs with `AsyncRead` streams and obtain presigned URLs to download them.
## Introduction
The GitHub Actions Cache (hereinafter GHAC) service stores binary blobs [identified](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#matching-a-cache-key) by the following 3-tuple:
- **Cache Key**: The developer-specified name of the blob.
- **Cache Version**: A string identifying conditions that affect compatibility of the blob. It works like a namespace.
- The official implementation uses a SHA256 hash of the paths and the compression method, but it can be anything.
- In this crate, we let the user feed in arbitrary bytes to mutate the hash.
- **Cache Scope**: The branch containing the workflow run that uploaded the blob
### APIs
Two sets of APIs are in use:
- [GitHub Actions Cache API](https://github.com/actions/toolkit/blob/457303960f03375db6f033e214b9f90d79c3fe5c/packages/cache/src/internal/cacheHttpClient.ts#L38): Private API used by GHAC. This API allows uploading and downloading blobs.
- Endpoint: `$ACTIONS_CACHE_URL`
- Token: `$ACTIONS_RUNTIME_TOKEN`
- [GitHub REST API](https://docs.github.com/en/rest/actions/cache?apiVersion=2022-11-28#delete-github-actions-caches-for-a-repository-using-a-cache-key): Public API. This API allows listing and deleting blobs.
- Endpoint: `$GITHUB_API_URL` / `https://api.github.com`
- Token: `${{ secrets.GITHUB_TOKEN }}`
This crate supports only the former API.
We should contribute support for the latter to [Octocrab](https://github.com/XAMPPRocky/octocrab).
## Quick Start
Since GHAC uses private APIs that use special tokens for authentication, we need to get them from a workflow run.
The easiest way is with the `keygen` workflow in this repo.
Generate an `age` encryption key with `nix shell nixpkgs#age --command age-keygen -o key.txt`, and add the Public Key as a repository secret named `AGE_PUBLIC_KEY`.
Then, trigger the `keygen` workflow which will print out a command that will let you decrypt the credentials.
Reference in a new issue View git blame Copy permalink