Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion .bazelrc
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,11 @@ build --action_env=TZ=UTC

test --test_output=errors
test --test_timeout=120,600,1800,3600
test --test_env=GF_RBE_CHROMIUM_EXECUTABLE=/bin/chromium
# Pass the browser path through from the lane (executor images ship
# /bin/chromium; the dind runner provisions one in ci.yml and exports
# GF_RBE_CHROMIUM_EXECUTABLE). No hardcoded value: an absent var lets
# the run-*-bazel.mjs candidate scan handle system chromium paths.
test --test_env=GF_RBE_CHROMIUM_EXECUTABLE

build:local --disk_cache=~/.cache/bazel-jesssullivan-github-io

Expand Down
49 changes: 40 additions & 9 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -47,8 +47,6 @@ jobs:
id-token: write
runs-on: tinyland-dind
timeout-minutes: 60
env:
GF_RBE_CHROMIUM_EXECUTABLE: /bin/chromium
steps:
- uses: actions/checkout@v6
with:
Expand All @@ -58,22 +56,55 @@ jobs:
with:
node-version-file: '.nvmrc'

- name: Require executor-backed GloriousFlywheel lane
- name: Cache Playwright browsers
uses: actions/cache@v5
with:
path: ~/.cache/ms-playwright
key: ms-playwright-${{ runner.os }}-${{ hashFiles('package-lock.json') }}

- name: Provision Chromium for browser gates
run: |
set -euo pipefail
# Executor images ship /bin/chromium; the dind runner image ships no
# browser, so the puppeteer smoke and playwright e2e need one
# provisioned here. Playwright's installer also pulls the shared
# system libraries the binary links against.
for c in /bin/chromium /usr/bin/chromium /usr/bin/chromium-browser /usr/bin/google-chrome; do
if [ -x "$c" ]; then
echo "System chromium present at $c"
exit 0
fi
done
PLAYWRIGHT_VERSION="$(node -p "require('./package.json').devDependencies['@playwright/test'].replace(/^[^0-9]*/, '')")"
npx --yes "playwright@${PLAYWRIGHT_VERSION}" install --with-deps chromium
BIN="$(ls -d "${HOME}/.cache/ms-playwright"/chromium-*/chrome-linux*/chrome 2>/dev/null | head -1)"
test -x "${BIN}"
echo "GF_RBE_CHROMIUM_EXECUTABLE=${BIN}" >> "$GITHUB_ENV"

- name: Resolve GloriousFlywheel substrate lane
run: |
set -euo pipefail
if [ -z "${BAZEL_REMOTE_CACHE:-}" ]; then
echo "::error::BAZEL_REMOTE_CACHE is missing. This job must run on the GloriousFlywheel ARC lane with cache hints attached."
exit 1
fi

if [ -z "${BAZEL_REMOTE_EXECUTOR:-}" ]; then
echo "::error::BAZEL_REMOTE_EXECUTOR is missing. Refusing to run check/test/e2e as shared-cache local work while this lane is named RBE."
exit 1
# This repo's GF consumer-registry entry is substrate_mode=
# shared-cache-backed (latch: remote_processes=0), so executor
# tokens are not ours to mint — the exchange grants cache-write
# only to trusted default-branch pushes and cache-read to any
# enrolled ref. Strip the executor attachment so the wrapper and
# cache-attachment-contract agree on shared-cache mode.
echo "GF_BAZEL_SUBSTRATE_MODE=shared-cache-backed" >> "$GITHUB_ENV"
echo "BAZEL_REMOTE_EXECUTOR=" >> "$GITHUB_ENV"
echo "BAZEL_REMOTE_EXECUTOR_CACHE=" >> "$GITHUB_ENV"
if [ "${GITHUB_EVENT_NAME}" = "push" ] && [ "${GITHUB_REF}" = "refs/heads/main" ]; then
echo "GF_REAPI_TOKEN_EXCHANGE_REQUEST=cache-write" >> "$GITHUB_ENV"
else
echo "GF_REAPI_TOKEN_EXCHANGE_REQUEST=cache-read" >> "$GITHUB_ENV"
echo "GF_BAZEL_CACHE_ROLE=read-only" >> "$GITHUB_ENV"
fi

echo "GF_BAZEL_SUBSTRATE_MODE=executor-backed" >> "$GITHUB_ENV"
echo "GF_BAZEL_REMOTE_EXECUTION_PLATFORM=${GF_BAZEL_REMOTE_EXECUTION_PLATFORM:-gloriousflywheel-rbe-linux-x86_64}" >> "$GITHUB_ENV"

- name: Mint GloriousFlywheel REAPI token
env:
GF_REAPI_TOKEN_EXCHANGE_TTL: 45m
Expand Down
2 changes: 1 addition & 1 deletion MODULE.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ bazel_dep(name = "aspect_rules_js", version = "2.9.1")
# repo (sensitive STR-variant content) so it is pinned via git_override; CI
# uses an SSH deploy key (secret SPEAR_RESUMES_DEPLOY_KEY) to fetch it.
bazel_dep(name = "spear_resumes", version = "0.2.0")
bazel_dep(name = "rules_tectonic", version = "0.1.0")
bazel_dep(name = "rules_tectonic", version = "0.2.1")

git_override(
module_name = "spear_resumes",
Expand Down
23 changes: 12 additions & 11 deletions MODULE.bazel.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 5 additions & 3 deletions e2e/cv.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -28,15 +28,17 @@ test.describe('CV page', () => {
await expect(page.getByRole('link', { name: 'Download Précis PDF' })).toBeVisible();
});

test('Resume download and source links visible by default', async ({ page }) => {
test('Resume download link visible by default, TeX source stays scrubbed', async ({ page }) => {
await expect(page.getByRole('link', { name: 'Download Resume PDF' })).toBeVisible();
await expect(page.getByRole('link', { name: 'View TeX Source' })).toBeVisible();
// spear-resumes TeX sources went private (81655ce); the source link
// must stay off the public /cv surface.
await expect(page.getByRole('link', { name: 'View TeX Source' })).toHaveCount(0);
});

test('switching to Full CV tab updates links', async ({ page }) => {
await page.getByRole('button', { name: 'Full CV' }).click();
await expect(page.getByRole('link', { name: 'Download Full CV PDF' })).toBeVisible();
await expect(page.getByRole('link', { name: 'View TeX Source' })).toBeVisible();
await expect(page.getByRole('link', { name: 'View TeX Source' })).toHaveCount(0);
});

test('PDF iframe is present', async ({ page }) => {
Expand Down
5 changes: 5 additions & 0 deletions scripts/bazel-cache-backed.sh
Original file line number Diff line number Diff line change
Expand Up @@ -169,6 +169,11 @@ info)
--remote_default_exec_properties="gf.platform=${remote_execution_platform}"
)
fi
# GF cache-read tokens (PR refs) cannot upload; skip the writes rather
# than spraying per-action upload warnings against the denied scope.
if [[ ${GF_BAZEL_CACHE_ROLE:-} == "read-only" ]]; then
executor_args+=(--remote_upload_local_results=false)
fi
configure_gf_reapi_credentials "${remote_executor:-${effective_remote_cache}}"
if [[ -n ${BAZEL_REMOTE_INSTANCE_NAME:-} ]]; then
validate_runtime_value "BAZEL_REMOTE_INSTANCE_NAME" "${BAZEL_REMOTE_INSTANCE_NAME}"
Expand Down
Loading