Fix node-gyp S3 path, swap softprops for gh CLI, add CloudFront reachability check

harshita-gupta · claude · harshita-gupta · commit 22846efc6f6f · 2026-04-20T17:31:21.000-07:00
Several follow-up corrections to PR #17: 1. Move S3 upload from `node-gyp/*` to `node/gyp/*`. The `asana-oss-cache` bucket is BlockPublicAccess-enabled, so Mac dev laptops read via CloudFront (asana-oss-cache.asana.biz, per the Bazel URL rewriter in tools/bzl/config/external_bazel_downloader.cfg). CloudFront only serves paths listed in `path_patterns` (terraform/general/buildinfra/system_packages.tf), which includes `node/*` but NOT `node-gyp/*`. The previous path would have 403'd on every Mac Bazel build. Nesting under `node/*` reuses the existing allowlisted prefix. 2. Remove `--acl public-read` from `aws s3 cp`. The bucket has `BlockPublicAcls: true` AND `IgnorePublicAcls: true` — the ACL is silently dropped. The IAM role (S3_ACCESS_MODE.PUT) doesn't grant PutObjectAcl either. Reads go via CloudFront anyway, so the flag is misleading dead code. 3. Replace `softprops/action-gh-release` with GitHub's first-party `gh` CLI. `gh release upload` is pre-installed on GitHub-hosted runners, removes a third-party supply-chain dependency, and behaves equivalently (with --clobber). 4. Add a post-upload CloudFront reachability check (`curl -fI`). If the S3 key prefix ever falls outside CloudFront's path_patterns, Mac builds will silently 403. Failing the workflow here surfaces the issue before consumers hit it. 5. Update stage_for_s3.bash's echo text to match the new S3 path and clarify that workflow_dispatch from main is required. Action pinning: tag-pinned per codez convention (100% of codez workflows use tags, not SHAs). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/build-node-packages.yml b/.github/workflows/build-node-packages.yml
@@ -73,13 +73,17 @@ jobs:
           tar --hard-dereference -cvzf packages_${{matrix.arch}}.tar.gz bcrypt@5.1.0 cld@2.9.1 unix-dgram@2.0.6 "@datadog+pprof@5.8.0"
 
       - name: Upload archive to release
-        uses: softprops/action-gh-release@v1
-        with:
-          name: node-${{ env.NODE_VERSION }}-LATEST
-          tag_name: node-${{ env.NODE_VERSION }}-release
-          files: packages_${{matrix.arch}}.tar.gz
+        # Use `gh release upload` (first-party GitHub CLI, pre-installed on runners)
+        # instead of softprops/action-gh-release (one-maintainer third-party action).
+        # Behavior: --clobber overwrites an existing asset with the same name, matching
+        # softprops's default. The release must already exist (created by build-node.yml).
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release upload "node-${{ env.NODE_VERSION }}-release" \
+            "packages_${{ matrix.arch }}.tar.gz" \
+            --clobber \
+            --repo "${{ github.repository }}"
 
       # S3 upload is restricted to the protected main branch only. The IAM role
       # (push_node_gyp_packages) trusts only refs/heads/main via OIDC. To upload
@@ -94,12 +98,37 @@ jobs:
       - name: Upload packages to S3
         if: github.ref == 'refs/heads/main'
         run: |
+          # Upload to s3://asana-oss-cache/node/gyp/... (under the `node/*` CloudFront
+          # path_patterns prefix in asana2/asana/tools/terraform/general/buildinfra/system_packages.tf).
+          # Using a bare `node-gyp/*` key would not be served by CloudFront, and Mac
+          # Bazel builds rewrite direct S3 URLs to CloudFront, so they'd 403.
+          #
+          # No --acl public-read: the bucket has BlockPublicAcls + IgnorePublicAcls,
+          # and the IAM role doesn't grant PutObjectAcl. Reads come via CloudFront.
           NODE_MAJOR=$(echo "${{ env.NODE_VERSION }}" | sed 's/^v//' | cut -d. -f1)
           SHA256=$(sha256sum "packages_${{ matrix.arch }}.tar.gz" | awk '{print $1}')
           SHORT_HASH=${SHA256:0:8}
-          S3_KEY="node-gyp/packages_${{ matrix.bazel_arch }}_node${NODE_MAJOR}-${SHORT_HASH}.tar.gz"
+          S3_KEY="node/gyp/packages_${{ matrix.bazel_arch }}_node${NODE_MAJOR}-${SHORT_HASH}.tar.gz"
           echo "Uploading packages_${{ matrix.arch }}.tar.gz to s3://asana-oss-cache/${S3_KEY}"
-          aws s3 cp "packages_${{ matrix.arch }}.tar.gz" "s3://asana-oss-cache/${S3_KEY}" --acl public-read
+          aws s3 cp "packages_${{ matrix.arch }}.tar.gz" "s3://asana-oss-cache/${S3_KEY}"
+          echo "S3_KEY=${S3_KEY}" >> "$GITHUB_ENV"
+          echo "SHA256=${SHA256}" >> "$GITHUB_ENV"
+          echo "NODE_MAJOR=${NODE_MAJOR}" >> "$GITHUB_ENV"
+
+      - name: Verify upload is reachable via CloudFront
+        if: github.ref == 'refs/heads/main'
+        run: |
+          # Mac Bazel builds rewrite asana-oss-cache.s3.us-east-1.amazonaws.com/*
+          # to asana-oss-cache.asana.biz/* (CloudFront). If the S3 key prefix isn't
+          # allowlisted in CloudFront's path_patterns, Bazel fetches will 403.
+          # Fail fast here rather than after someone tries to build.
+          URL="https://asana-oss-cache.asana.biz/${S3_KEY}"
+          echo "Checking ${URL}"
+          curl -fsSI "${URL}" || { echo "CloudFront returned an error for ${URL}. Check path_patterns in system_packages.tf."; exit 1; }
+
+      - name: Print tools_repositories.bzl stanza
+        if: github.ref == 'refs/heads/main'
+        run: |
           echo ""
           echo "=== Update tools_repositories.bzl in codez ==="
           echo "  name = \"node_gyp_packages_${{ matrix.bazel_arch }}_node${NODE_MAJOR}\","
diff --git a/stage_for_s3.bash b/stage_for_s3.bash
@@ -15,15 +15,16 @@ gh release download -p "*.xz"
 # consumed by Bazel via http_file in codez. They should NOT be mixed into the fibers archive.
 echo ""
 echo "=== Native packages (node-gyp) ==="
-echo "These are uploaded to s3://asana-oss-cache/node-gyp/ by the build-node-packages.yml workflow"
-echo "with content-hashed S3 keys. Each build produces an immutable artifact."
+echo "These are uploaded to s3://asana-oss-cache/node/gyp/ by the build-node-packages.yml workflow"
+echo "(triggered via workflow_dispatch from main) with content-hashed S3 keys."
+echo "Each build produces an immutable artifact."
 for pkg in packages_*.tar.gz; do
   if [ -f "$pkg" ]; then
     echo "  $pkg: sha256=$(sha256sum "$pkg" | awk '{print $1}')"
     rm "$pkg"
   fi
 done
-echo "No manual action needed for packages — they are already in S3."
+echo "No manual action needed for packages if you've already dispatched build-node-packages.yml from main."
 echo ""
 
 curl "https://asana-oss-cache.s3.us-east-1.amazonaws.com/node-fibers/fibers-5.0.4.pc.tgz"  --output fibers-5.0.4.tar.gz
