Skip to content

chore: add dependency cache for fork PR CI support#1386

Merged
sd-db merged 6 commits intomainfrom
sd-db/worktree-fork-pr-cache
Apr 11, 2026
Merged

chore: add dependency cache for fork PR CI support#1386
sd-db merged 6 commits intomainfrom
sd-db/worktree-fork-pr-cache

Conversation

@sd-db
Copy link
Copy Markdown
Collaborator

@sd-db sd-db commented Apr 10, 2026

Description

Fork PRs cannot authenticate to JFrog (no OIDC token available). This adds a cache-based dependency strategy so fork PRs get full CI feedback.

  • Add warmDepsCache.yml: trusted workflow that downloads all deps via JFrog and saves to GitHub Actions cache (triggers on push to main, daily schedule, and manual dispatch with optional PR number)
  • Add setup-python-deps composite action: restores cached deps and enables offline mode (UV_OFFLINE + PIP_NO_INDEX)
  • Update main.yml to use setup-python-deps instead of setup-jfrog-pypi, remove id-token:write permission (no longer needed)

Checklist

  • I have run this code in development and it appears to resolve the stated issue
  • This PR includes tests, or tests are not required/relevant for this PR - NA
  • I have updated the CHANGELOG.md and added information about my change to the "dbt-databricks next" section. - NA

@sd-db
chore: add dependency cache for fork PR CI support
1eeeff0 
Fork PRs cannot authenticate to JFrog (no OIDC token available).
This adds a cache-based dependency strategy so fork PRs get full CI
feedback.

- Add warmDepsCache.yml: trusted workflow that downloads all deps via
  JFrog and saves to GitHub Actions cache (triggers on push to main,
  daily schedule, and manual dispatch with optional PR number)
- Add setup-python-deps composite action: restores cached deps and
  enables offline mode (UV_OFFLINE + PIP_NO_INDEX)
- Update main.yml to use setup-python-deps instead of setup-jfrog-pypi,
  remove id-token:write permission (no longer needed)
@sd-db sd-db requested a review from gopalldb April 10, 2026 08:20
@sd-db
fix: replace heredoc with printf in setup-python-deps action
4f48c9e 
The unindented heredoc body ([global] and EOF at column 1) was parsed
as YAML instead of shell script content, breaking the action manifest.
@sd-db
fix: add JFrog OIDC fallback when dependency cache is cold
5e1f0a1 
setup-python-deps now outputs cache-hit. On cache miss, main.yml falls
back to setup-jfrog-pypi for package resolution. Also fixes YAML parse
error from unindented heredoc by using printf instead.
@sd-db
fix: harden cache warmer against fork code injection
94726ba 
- Always checkout main first for trusted CI actions, then overlay
  only lockfiles from fork (prevents malicious action injection)
- Remove redundant echo and comments from setup-python-deps
- Quote hashFiles expressions in shell context
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 10, 2026

Coverage report

This PR does not seem to contain any modification to coverable code.

sd-db added 2 commits April 10, 2026 18:36
@sd-db
fix: use hash-prefixed cache keys to prevent stale cache restores
f0d40c5 
Cache key format changed from python-deps-{TIMESTAMP}-{HASH} to
python-deps-{HASH}-{TIMESTAMP}. Consumers now prefix-match on the
hash, so only caches matching the current lockfiles are restored.
If lockfiles changed, no cache matches and the JFrog fallback runs.
This eliminates stale cache issues without shell hash comparisons.
@sd-db
fix: add missing coverage_comment step id, remove no-op strategy and …
1d2b993 
…comment

- Add id: coverage_comment to Coverage Comment step so artifact upload
  condition works
- Remove fail-fast: false from matrixless code-quality job (no-op)
- Remove redundant comment from cache key in setup-python-deps
@sd-db sd-db merged commit b0778e0 into main Apr 11, 2026
10 checks passed
@sd-db sd-db deleted the sd-db/worktree-fork-pr-cache branch April 11, 2026 05:38
@sd-db sd-db mentioned this pull request Apr 13, 2026
Merged
2 tasks
sd-db added a commit that referenced this pull request Apr 13, 2026
@sd-db
fix: dependency cache bugs for fork PR CI (#1394)
40bc0d6 
## Summary

Fixes issues preventing the dependency cache (#1386) from working on
fork PRs:

- **uv cache path**: `setup-uv` overrode the cache dir to a temp path.
Use `cache-local-path` to pin it.
- **uv offline lookups**: cache is scoped by index URL hash. Set
`UV_INDEX_URL` to match the warmer's JFrog URL.
- **Pre-commit broken symlinks**: warmer's Python path differed from
consumer's. Use `setup-python` in warmer.
- **pip offline**: `PIP_NO_INDEX` blocks all index access. Create a pip
wheelhouse and use `PIP_FIND_LINKS`.
- **Version-specific wheels**: create test envs for all matrix versions
in the warmer.
- Misc: removed no-op `strategy.fail-fast`, added missing `id:
coverage_comment`.

## Test plan
- [x] `warm-cache` job succeeds on this PR
- [x] All `main.yml` jobs pass offline
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tejassp-db tejassp-db tejassp-db approved these changes

@benc-db benc-db Awaiting requested review from benc-db benc-db is a code owner

@jprakash-db jprakash-db Awaiting requested review from jprakash-db jprakash-db is a code owner

@gopalldb gopalldb Awaiting requested review from gopalldb

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sd-db @tejassp-db