authorTom Proctor <tomhjp@users.noreply.github.com>2025-12-02 17:35:15 +0000
committerTom Proctor <tomhjp@users.noreply.github.com>2025-12-02 20:01:23 +0000
commitf8cd07fb8afd451de29c7876d2bdef21b512eeb9 (patch)
tree45048f7d5012cd1ad8b5f1a91e6e31476969bb4a /.github
parentb8c58ca7c1a49fb772d095c65693cdab06488047 (diff)
.github: make cigocacher script more robust
We got a flake in https://github.com/tailscale/tailscale/actions/runs/19867229792/job/56933249360 but it's not obvious to me where it failed. Make it more robust and print out more useful error messages for next time. Updates tailscale/corp#10808 Change-Id: I9ca08ea1103b9ad968c9cc0c42a493981ea62435 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
Diffstat (limited to '.github')
-rwxr-xr-x.github/actions/go-cache/action.sh43
1 files changed, 36 insertions, 7 deletions
diff --git a/.github/actions/go-cache/action.sh b/.github/actions/go-cache/action.sh
index 84fb878f8..58ceabc86 100755
--- a/.github/actions/go-cache/action.sh
+++ b/.github/actions/go-cache/action.sh
@@ -17,23 +17,52 @@ if [ -z "${GITHUB_ACTIONS:-}" ]; then
exit 1
fi
-if [ -z "$URL" ]; then
+if [ -z "${URL:-}" ]; then
echo "No cigocached URL is set, skipping cigocacher setup"
exit 0
fi
-JWT="$(curl -sSL -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=gocached" | jq -r .value)"
+curl_and_parse() {
+ local jq_filter="$1"
+ local step="$2"
+ shift 2
+
+ local response
+ local curl_exit
+ response="$(curl -sSL "$@" 2>&1)" || curl_exit="$?"
+ if [ "${curl_exit:-0}" -ne "0" ]; then
+ echo "${step}: ${response}" >&2
+ return 1
+ fi
+
+ local parsed
+ local jq_exit
+ parsed=$(echo "${response}" | jq -e -r "${jq_filter}" 2>&1) || jq_exit=$?
+ if [ "${jq_exit:-0}" -ne "0" ]; then
+ echo "${step}: Failed to parse JSON response:" >&2
+ echo "${response}" >&2
+ return 1
+ fi
+
+ echo "${parsed}"
+ return 0
+}
+
+JWT="$(curl_and_parse ".value" "Fetching GitHub identity JWT" \
+ -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
+ "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=gocached")" || exit 0
+
# cigocached serves a TLS cert with an FQDN, but DNS is based on VM name.
HOST_AND_PORT="${URL#http*://}"
FIRST_LABEL="${HOST_AND_PORT/.*/}"
# Save CONNECT_TO for later steps to use.
echo "CONNECT_TO=${HOST_AND_PORT}:${FIRST_LABEL}:" >> "${GITHUB_ENV}"
BODY="$(jq -n --arg jwt "$JWT" '{"jwt": $jwt}')"
-CIGOCACHER_TOKEN="$(curl -sSL --connect-to "$HOST_AND_PORT:$FIRST_LABEL:" -H "Content-Type: application/json" "$URL/auth/exchange-token" -d "$BODY" | jq -r .access_token || true)"
-if [ -z "$CIGOCACHER_TOKEN" ]; then
- echo "Failed token exchange with cigocached, skipping cigocacher setup"
- exit 0
-fi
+CIGOCACHER_TOKEN="$(curl_and_parse ".access_token" "Exchanging token with cigocached" \
+ --connect-to "${HOST_AND_PORT}:${FIRST_LABEL}:" \
+ -H "Content-Type: application/json" \
+ "$URL/auth/exchange-token" \
+ -d "$BODY")" || exit 0
# Wait until we successfully auth before building cigocacher to ensure we know
# it's worth building.
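Review bot: In `curl_and_parse`, the jq-failure branch writes the whole `${response}` to stderr, yet both callers hit endpoints whose successful bodies carry a bearer credential (`.value` for the GitHub identity JWT, `.access_token` for cigocached), so any token-bearing body that jq rejects would end up in the job log, presumably unmasked. The curl capture uses `2>&1`, so anything curl writes to stderr is merged into the body, which is one way an otherwise valid response could fail to parse; whether `-sS` ever emits such output on a successful transfer is not visible from this hunk. I would drop `2>&1` from the curl capture and log jq's own diagnostic plus the body size instead of the body: `echo "${step}: Failed to parse JSON response (${#response} bytes): ${parsed}" >&2`. A one-line comment above the function saying that responses may contain credentials and must not be echoed would also keep a later edit from reintroducing the dump.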