SonarSource
diff --git a/‎.github/workflows/check-cache-migration.yml‎
Lines changed: 178 additions & 0 deletions b/‎.github/workflows/check-cache-migration.yml‎
Lines changed: 178 additions & 0 deletions
diff --git a/‎.github/workflows/test-cache-migration-gh2s3.yml‎
Lines changed: 147 additions & 0 deletions b/‎.github/workflows/test-cache-migration-gh2s3.yml‎
Lines changed: 147 additions & 0 deletions
@@ -0,0 +1,178 @@
+---
+name: Check cache migration (GitHub → S3)
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: Cache environment to check
+        required: true
+        default: prod
+        type: choice
+        options:
+          - prod
+          - dev
+
+jobs:
+  check-migration:
+    runs-on: ubuntu-latest
+    name: Compare GitHub cache vs S3
+    permissions:
+      id-token: write
+      contents: read
+      actions: write  # required to list GitHub cache entries and set the opt-out repository variable
+
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Setup S3 cache credentials
+        id: aws-auth
+        uses: SonarSource/gh-action_cache/credential-setup@v1
+        with:
+          environment: ${{ inputs.environment }}
+
+      - name: List GitHub cache entries
+        id: gh-caches
+        shell: bash
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+        run: |
+          # Fetch all GitHub cache entries (paginated, up to 10 000)
+          PAGE=1
+          PER_PAGE=100
+          ALL_ENTRIES="[]"
+          while true; do
+            RESPONSE=$(curl -s -f \
+              -H "Authorization: token $GITHUB_TOKEN" \
+              -H "Accept: application/vnd.github+json" \
+              "https://api.github.com/repos/${GITHUB_REPOSITORY}/actions/caches?per_page=${PER_PAGE}&page=${PAGE}")
+            ENTRIES=$(echo "$RESPONSE" | jq '.actions_caches')
+            COUNT=$(echo "$ENTRIES" | jq 'length')
+            ALL_ENTRIES=$(echo "$ALL_ENTRIES $ENTRIES" | jq -s 'add')
+            if [[ "$COUNT" -lt "$PER_PAGE" ]]; then
+              break
+            fi
+            PAGE=$((PAGE + 1))
+          done
+
+          # Filter: include only target branches, exclude unwanted key patterns
+          FILTERED=$(echo "$ALL_ENTRIES" | jq '[
+            .[] |
+            select(
+              (.ref | test("^refs/heads/(main|master|branch-.+|dogfood-on-.+|feature/long/.+)$")) and
+              (.key | test("^(build-number-|mise-)") | not)
+            ) |
+            { ref: .ref, key: .key }
+          ]')
+
+          TOTAL=$(echo "$ALL_ENTRIES" | jq 'length')
+          INCLUDED=$(echo "$FILTERED" | jq 'length')
+          echo "Total GitHub cache entries: $TOTAL"
+          echo "Included for migration check: $INCLUDED"
+
+          # Write to file for next step
+          echo "$FILTERED" > /tmp/gh_caches.json
+          echo "included-count=$INCLUDED" >> "$GITHUB_OUTPUT"
+
+      - name: List S3 cache objects
+        id: s3-objects
+        shell: bash
+        env:
+          AWS_ACCESS_KEY_ID: ${{ steps.aws-auth.outputs.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ steps.aws-auth.outputs.AWS_SECRET_ACCESS_KEY }}
+          AWS_SESSION_TOKEN: ${{ steps.aws-auth.outputs.AWS_SESSION_TOKEN }}
+          AWS_DEFAULT_REGION: eu-central-1
+          S3_BUCKET: sonarsource-s3-cache-${{ inputs.environment }}-bucket
+        run: |
+          # List all S3 objects with pagination handled internally by the CLI
+          aws s3 ls "s3://$S3_BUCKET/" --recursive \
+            | awk '{print $4}' \
+            | sort > /tmp/s3_keys.txt
+
+          S3_COUNT=$(wc -l < /tmp/s3_keys.txt)
+          echo "Total S3 cache objects: $S3_COUNT"
+          echo "s3-count=$S3_COUNT" >> "$GITHUB_OUTPUT"
+
+      - name: Compare and report
+        id: compare
+        shell: bash
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+        run: |
+          INCLUDED=$(jq 'length' /tmp/gh_caches.json)
+          MIGRATED=0
+          MISSING=()
+
+          while IFS= read -r ENTRY; do
+            REF=$(echo "$ENTRY" | jq -r '.ref')
+            KEY=$(echo "$ENTRY" | jq -r '.key')
+            # S3 keys use full ref for push events (refs/heads/main/{key}) and short branch name for PR events (feat/someBranch/{key}).
+            # Check both forms since we cannot know which was used at save time.
+            REF_SHORT="${REF#refs/heads/}"
+            S3_KEY_FULL="${REF}/${KEY}"
+            S3_KEY_SHORT="${REF_SHORT}/${KEY}"
+            if grep -qxF "$S3_KEY_FULL" /tmp/s3_keys.txt || grep -qxF "$S3_KEY_SHORT" /tmp/s3_keys.txt; then
+              MIGRATED=$((MIGRATED + 1))
+            else
+              MISSING+=("$S3_KEY_SHORT")
+            fi
+          done < <(jq -c '.[]' /tmp/gh_caches.json)
+
+          echo ""
+          echo "========================================="
+          echo " Migration status: $MIGRATED / $INCLUDED"
+          echo "========================================="
+
+          if [[ "${#MISSING[@]}" -gt 0 ]]; then
+            echo ""
+            echo "Missing in S3 (${#MISSING[@]} entries):"
+            printf '  %s\n' "${MISSING[@]}"
+          fi
+
+          if [[ "$MIGRATED" -eq "$INCLUDED" && "$INCLUDED" -gt 0 ]]; then
+            echo ""
+            echo "All included GitHub cache entries are present in S3."
+            echo "migration-complete=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "migration-complete=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Set CACHE_IMPORT_GITHUB=false (migration complete)
+        if: steps.compare.outputs.migration-complete == 'true'
+        shell: bash
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+        run: |
+          VARIABLE_NAME="CACHE_IMPORT_GITHUB"
+
+          # Check if variable already exists
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
+            -H "Authorization: token $GITHUB_TOKEN" \
+            -H "Accept: application/vnd.github+json" \
+            "https://api.github.com/repos/${GITHUB_REPOSITORY}/actions/variables/${VARIABLE_NAME}")
+
+          if [[ "$STATUS" == "200" ]]; then
+            # Update existing variable
+            curl -s -f -X PATCH \
+              -H "Authorization: token $GITHUB_TOKEN" \
+              -H "Accept: application/vnd.github+json" \
+              "https://api.github.com/repos/${GITHUB_REPOSITORY}/actions/variables/${VARIABLE_NAME}" \
+              -d '{"name":"'"$VARIABLE_NAME"'","value":"false"}'
+            echo "Updated repository variable $VARIABLE_NAME=false"
+          else
+            # Create new variable
+            curl -s -f -X POST \
+              -H "Authorization: token $GITHUB_TOKEN" \
+              -H "Accept: application/vnd.github+json" \
+              "https://api.github.com/repos/${GITHUB_REPOSITORY}/actions/variables" \
+              -d '{"name":"'"$VARIABLE_NAME"'","value":"false"}'
+            echo "Created repository variable $VARIABLE_NAME=false"
+          fi
+
+          echo ""
+          echo "Migration complete — CACHE_IMPORT_GITHUB set to false"
+          echo "Import fallback will be disabled on next workflow runs."
+          echo "To re-enable migration mode, delete or set CACHE_IMPORT_GITHUB=true in repository variables."
@@ -0,0 +1,147 @@
+---
+name: Test cache migration (GitHub → S3)
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  # Prerequisite: provision GitHub cache entries used by the test scenarios
+  provision-github-cache:
+    runs-on: github-ubuntu-latest-s
+    name: "Provision GitHub cache entries"
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Save GitHub cache entry (for import scenario)
+        run: mkdir -p ~/.cache/test-migration && echo "github-content" > ~/.cache/test-migration/test-file.txt
+      - uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: ~/.cache/test-migration
+          key: test-migration-gh
+      - name: Save GitHub cache entry (for S3-hit scenario, to confirm it is NOT restored)
+        run: echo "github-content" > ~/.cache/test-migration/test-file.txt
+      - uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: ~/.cache/test-migration
+          key: test-migration-s3hit
+
+  # Prerequisite: provision an S3 cache entry for the S3-hit scenario
+  provision-s3-cache:
+    runs-on: github-ubuntu-latest-s
+    name: "Provision S3 cache entry"
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Create S3 cache content
+        run: mkdir -p ~/.cache/test-migration && echo "s3-content" > ~/.cache/test-migration/test-file.txt
+      - name: Save to S3 cache
+        uses: ./
+        with:
+          path: ~/.cache/test-migration
+          key: test-migration-s3hit
+          environment: dev
+          backend: s3
+
+  # Scenario 1: S3 backend with import mode active (default behavior after migration begins)
+  test-s3-import-enabled:
+    needs: provision-github-cache
+    runs-on: github-ubuntu-latest-s
+    name: "S3 + import enabled (migration fallback)"
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Cache with migration fallback
+        id: cache
+        uses: ./
+        with:
+          path: ~/.cache/test-migration
+          key: test-migration-gh
+          environment: dev
+          backend: s3
+          # import-github-cache defaults to true — no need to set it explicitly
+      - name: Verify import succeeded
+        run: |
+          [[ "${{ steps.cache.outputs.cache-hit }}" == "true" ]] || { echo "ERROR: cache-hit is not true"; exit 1; }
+          [[ "$(cat ~/.cache/test-migration/test-file.txt)" == "github-content" ]] || { echo "ERROR: unexpected content, not restored from GitHub"; exit 1; }
+          rm -rf ~/.cache/test-migration  # prevent saving to S3 so other scenarios don't find it
+
+  # Scenario 2: S3 backend with import mode explicitly disabled
+  test-s3-import-disabled:
+    needs: provision-github-cache
+    runs-on: github-ubuntu-latest-s
+    name: "S3 + import disabled (migration complete)"
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Cache without migration fallback
+        id: cache
+        uses: ./
+        with:
+          path: ~/.cache/test-migration
+          key: test-migration-gh
+          environment: dev
+          backend: s3
+          import-github-cache: 'false'
+      - name: Verify no import from GitHub
+        run: |
+          [[ "${{ steps.cache.outputs.cache-hit }}" != "true" ]] || { echo "ERROR: cache-hit is true but import should be disabled"; exit 1; }
+          test ! -f ~/.cache/test-migration/test-file.txt || { echo "ERROR: cache content was restored but import should be disabled"; exit 1; }
+
+  # Scenario 3: S3 backend with import disabled via env var (repo variable pattern)
+  test-s3-import-disabled-via-env:
+    needs: provision-github-cache
+    runs-on: github-ubuntu-latest-s
+    name: "S3 + import disabled via env var"
+    permissions:
+      id-token: write
+      contents: read
+    env:
+      CACHE_IMPORT_GITHUB: 'false'
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Cache without migration fallback (via env)
+        id: cache
+        uses: ./
+        with:
+          path: ~/.cache/test-migration
+          key: test-migration-gh
+          environment: dev
+          backend: s3
+      - name: Verify no import from GitHub
+        run: |
+          [[ "${{ steps.cache.outputs.cache-hit }}" != "true" ]] || { echo "ERROR: cache-hit is true but import should be disabled"; exit 1; }
+          test ! -f ~/.cache/test-migration/test-file.txt || { echo "ERROR: cache content was restored but import should be disabled"; exit 1; }
+
+  # Scenario 4: S3 hit — GitHub import step must be skipped entirely
+  test-s3-hit-skips-github-import:
+    needs: [ provision-github-cache, provision-s3-cache ]
+    runs-on: github-ubuntu-latest-s
+    name: "S3 hit → no GitHub import"
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Cache (S3 hit expected, import enabled)
+        id: cache
+        uses: ./
+        with:
+          path: ~/.cache/test-migration
+          key: test-migration-s3hit
+          environment: dev
+          backend: s3
+          # import-github-cache defaults to true — S3 hit should prevent GitHub from being tried
+      - name: Verify S3 content restored, not GitHub
+        run: |
+          [[ "${{ steps.cache.outputs.cache-hit }}" == "true" ]] || { echo "ERROR: expected S3 hit"; exit 1; }
+          [[ "$(cat ~/.cache/test-migration/test-file.txt)" == "s3-content" ]] || { echo "ERROR: unexpected content — GitHub import may have overridden S3"; exit 1; }