fix(ci): isolate rust homes and harden self-hosted cache usage

2026-03-01 11:23:13 -08:00 · 2026-03-01 11:23:13 -08:00 · 886d48ccbe
commit 886d48ccbe
parent 9bc0f24718
5 changed files with 32 additions and 2 deletions
--- a/.github/workflows/ci-run.yml
+++ b/.github/workflows/ci-run.yml
@ -66,6 +66,7 @@ jobs:
            - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v3
              with:
                  prefix-key: ci-run-check
+                  cache-bin: false
            - name: Run rust quality gate
              run: ./scripts/ci/rust_quality_gate.sh
            - name: Run strict lint delta gate
@ -90,6 +91,7 @@ jobs:
            - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v3
              with:
                  prefix-key: ci-run-check
+                  cache-bin: false
            - name: Run tests with flake detection
              shell: bash
              env:
@ -158,6 +160,7 @@ jobs:
              with:
                  prefix-key: ci-run-build
                  cache-targets: true
+                  cache-bin: false
            - name: Build binary (smoke check)
              env:
                  CARGO_BUILD_JOBS: 2
--- a/.github/workflows/sec-audit.yml
+++ b/.github/workflows/sec-audit.yml
@ -175,6 +175,7 @@ jobs:
            - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v3
              with:
                  prefix-key: sec-audit-security-regressions
+                  cache-bin: false
            - name: Run security regression suite
              shell: bash
              run: ./scripts/ci/security_regression_tests.sh
--- a/scripts/ci/self_heal_rust_toolchain.sh
+++ b/scripts/ci/self_heal_rust_toolchain.sh
@ -6,6 +6,24 @@ set -euo pipefail

 TOOLCHAIN="${1:-1.92.0}"

+# Use per-job Rust homes on self-hosted runners to avoid cross-runner corruption/races.
+if [ -n "${RUNNER_TEMP:-}" ]; then
+  CARGO_HOME="${RUNNER_TEMP%/}/cargo-home"
+  RUSTUP_HOME="${RUNNER_TEMP%/}/rustup-home"
+  mkdir -p "${CARGO_HOME}" "${RUSTUP_HOME}"
+  export CARGO_HOME RUSTUP_HOME
+  export PATH="${CARGO_HOME}/bin:${PATH}"
+  if [ -n "${GITHUB_ENV:-}" ]; then
+    {
+      echo "CARGO_HOME=${CARGO_HOME}"
+      echo "RUSTUP_HOME=${RUSTUP_HOME}"
+    } >> "${GITHUB_ENV}"
+  fi
+  if [ -n "${GITHUB_PATH:-}" ]; then
+    echo "${CARGO_HOME}/bin" >> "${GITHUB_PATH}"
+  fi
+fi
+
 if ! command -v rustup >/dev/null 2>&1; then
  echo "rustup not installed yet; skipping rust toolchain self-heal."
  exit 0
--- a/src/gateway/mod.rs
+++ b/src/gateway/mod.rs
@ -3840,6 +3840,8 @@ Reminder set successfully."#;
            whatsapp_app_secret: None,
            linq: None,
            linq_signing_secret: None,
+            bluebubbles: None,
+            bluebubbles_webhook_secret: None,
            nextcloud_talk: None,
            nextcloud_talk_webhook_secret: None,
            wati: None,
--- a/src/onboard/wizard.rs
+++ b/src/onboard/wizard.rs
@ -8615,8 +8615,14 @@ mod tests {
            &["ANTHROPIC_OAUTH_TOKEN"]
        );
        assert_eq!(provider_env_var_fallbacks("gemini"), &["GOOGLE_API_KEY"]);
-        assert_eq!(provider_env_var_fallbacks("minimax"), &["MINIMAX_OAUTH_TOKEN"]);
-        assert_eq!(provider_env_var_fallbacks("volcengine"), &["DOUBAO_API_KEY"]);
+        assert_eq!(
+            provider_env_var_fallbacks("minimax"),
+            &["MINIMAX_OAUTH_TOKEN"]
+        );
+        assert_eq!(
+            provider_env_var_fallbacks("volcengine"),
+            &["DOUBAO_API_KEY"]
+        );
    }

    #[tokio::test]