Commit 2026-02-13 17:17 2446f25f

View on Github →

ci: Push to cache in a separate job to isolate secrets (#34847) Stage cache artifacts in the build job and upload them in a separate job. The motivation is to only ever use the cache secrets in the upload job. Changes:

Add cache-artifact staging support to lake exe cache:
- stage-unpacked --staging-dir=<dir> - Packs any unpacked cache entries (i.e., ones not yet in .ltar form) into .ltar files and copies those .ltars into <dir>. Not very useful outside of our CI, but it could be used for p2p sharing of cache artifacts.
- put-staged --staging-dir=<dir> [ARGS] Uploads all .ltar files found in <dir> to the cache server. No packing happens here: the point is to be able to just run this on the 'publishing' job with the artifact produced before.
- unstage --staging-dir=<dir> Copies absent .ltar files from <dir> into the local cache directory. Useful to consume the PR artifact locally if downloaded manually.
- unstage! --staging-dir=<dir>. Same as unstage, but overwrites existing .ltar files in the local cache.
Update CI to stage .ltar files on the build runner, upload them as a cache-staging artifact only if non‑empty, and upload to Azure in a new upload_cache job that holds secrets.

Estimated changes

Modified .github/workflows/build_template.yml

Modified Cache/Main.lean

added def parseNamedOpt

deleted def parseRepo

Modified Cache/Requests.lean

added def Cache.Requests.copyCmd

modified def Cache.Requests.mkPutConfigContent

added def Cache.Requests.putFilesAbsolute

added def Cache.Requests.stageFiles

added def Cache.Requests.unstageFiles