Centralize cache delete-and-push mechanism to one place (#1645)

* Centralize cache delete-and-push mechanism to one place

* Pin CI deps in a file, instead of the github action.

* Use a localized reinstally for pyg.

* increasing retry backoff

Signed-off-by: Kashif Rasul <kashif.rasul@gmail.com>

Author: coreyjadams

.github/CACHE_CONTRACT.md

@@ -37,7 +37,7 @@ from three independent sources: a pinned CUDA container image, a pinned
 | Invalidates when | container image or Python version changes (prefix change → new slot) |
 | Does **not** invalidate on | `uv.lock`, `pyproject.toml`, or kernel source changes (each compiler handles its own source-hash invalidation internally) |
 | Restore semantics | **fail-open**; missing cache only costs compilation time, never correctness |
-| Save semantics | nightly `testmon` job only, via delete-before-save; PR workflows restore but never save |
+| Save semantics | nightly `testmon` job only, via the `replace-cache` action; PR workflows restore but never save |
 
 The JIT compilation cache bundles all JIT compiler artifact directories
 under a single umbrella path.  Each compiler writes to a subdirectory
@@ -57,6 +57,74 @@ old ones.
 To add a new JIT backend: create a subdirectory under `$JIT_CACHE_DIR`,
 set the backend's cache-path env var in the test step, done.
 
+### Testmon database cache (`.testmondata*`)
+
+| Property | Value |
+|---|---|
+| Key | `<TESTMON_CACHE_KEY_PREFIX>-latest` |
+| Prefix encodes | nightly identity (`testmon-nightly`) |
+| Suffix | literal `latest` (mutable slot, refreshed via delete-before-save) |
+| Contents | `.testmondata`, `.testmondata-shm`, `.testmondata-wal` -- testmon's per-test dependency graph and last-run signatures |
+| Invalidates when | prefix is bumped (essentially never, by design) |
+| Does **not** invalidate on | `uv.lock` or `pyproject.toml` changes -- testmon detects changed dependency hashes itself and re-runs only the affected tests |
+| Restore semantics | **fail-open**; a miss only costs full-suite runtime, never correctness, and testmon handles stale DBs gracefully |
+| Save semantics | nightly `testmon` job only, via the `replace-cache` action with `if: always()` so partial DBs from flaky runs still publish |
+
+Historical note: the key was previously suffixed with
+`hashFiles('uv.lock', 'pyproject.toml')`.  Because GitHub Actions
+caches are immutable, two consecutive nightlies with an unchanged
+lockfile (the common case) collided on the same key, and the second
+save logged `Failed to save: Unable to reserve cache` only as a
+*warning*.  The stale DB persisted for days, PRs restored it via the
+prefix fallback, and testmon then invalidated everything because the
+realized environment had drifted away from what the cached DB
+recorded.  Switching to a `-latest` mutable slot via `replace-cache`
+fixes the save bug, and the embedded verify step turns any future
+silent save failure into a hard job failure.
+
+### Coverage baseline cache (`.coverage*`)
+
+| Property | Value |
+|---|---|
+| Key | `<COVERAGE_CACHE_KEY_PREFIX>-latest` |
+| Prefix encodes | nightly identity (`coverage-nightly`) |
+| Suffix | literal `latest` (mutable slot, refreshed via delete-before-save) |
+| Contents | parallel-mode coverage shards (`.coverage.*`) produced by the nightly's full-suite pytest run, before `coverage combine` |
+| Invalidates when | prefix is bumped |
+| Does **not** invalidate on | `uv.lock` or `pyproject.toml` changes |
+| Restore semantics | **fail-open**; PR coverage merges its own shards on top of the restored baseline |
+| Save semantics | nightly `coverage` job only, via the `replace-cache` action |
+
+Same immutable-key bug class as testmon; migrated to the `-latest`
+slot for parity.
+
+## Reusable building blocks
+
+### `replace-cache` action ([.github/actions/replace-cache/action.yml](actions/replace-cache/action.yml))
+
+All four mutable-slot caches above (uv, JIT, testmon, coverage) share
+the same delete-before-save recipe: GitHub Actions cache slots are
+immutable, so refreshing a `-latest` key requires deleting the
+existing entry, calling `actions/cache/save`, and (because the save
+silently no-ops on key collision) re-querying `gh cache list` to
+confirm the slot now exists.  The `replace-cache` composite action
+encapsulates that recipe:
+
+```yaml
+- name: Replace <some> cache
+  if: <caller-supplied gate>
+  uses: ./.github/actions/replace-cache
+  with:
+    path: <one or more paths>
+    key:  <foo>-latest
+    description: <human-readable label>
+    github-token: ${{ secrets.GITHUB_TOKEN }}
+```
+
+The verify step is on by default (`verify: "true"`).  Disable only
+when verification is genuinely undesirable; the default exists
+because silent save failures are how stale slots persist for days.
+
 ## Why no `.venv` cache
 
 A previous iteration of this pipeline also cached the realized `.venv`
@@ -114,10 +182,12 @@ Guarantees:
 - **Concurrency**: the nightly workflow declares
   `concurrency: nightly-github-uv` with `cancel-in-progress: false` so
   two overlapping runs cannot race on the static `-latest` uv cache key.
-- **Save verification**: after `actions/cache/save@v4` writes the uv
-  download cache slot, the workflow re-queries `gh cache list` to
-  confirm the entry exists. `cache/save` silently no-ops on key
-  collision; without verification a corrupted slot can persist for days.
+- **Save verification**: every mutable-slot save (uv download, JIT,
+  testmon, coverage) goes through the `replace-cache` action, which
+  re-queries `gh cache list` after `actions/cache/save` and fails the
+  job if the slot is not visible.  `cache/save` silently no-ops on
+  key collision and only logs a warning on reservation failure;
+  without verification a corrupted slot can persist for days.
 - **Lockfile-mutation guard**: [.github/actions/setup-uv-env/action.yml](actions/setup-uv-env/action.yml)
   snapshots `sha256(uv.lock)` and `sha256(pyproject.toml)` before any uv
   command runs and compares them again at the end. Any drift (caused by

.github/actions/replace-cache/action.yml

@@ -0,0 +1,122 @@
+name: Replace mutable-slot cache
+description: |
+  Save a path to a GitHub Actions cache slot under a mutable key, replacing
+  any existing entry under that key.  The actions/cache/save action is a
+  silent no-op when its key already exists (caches are immutable), so the
+  canonical recipe to "refresh" a `-latest`-style slot is delete-before-save:
+
+    1. Look up the key with `gh cache list` and `gh cache delete` it if
+       present (tolerate missing key for first runs and prefix bumps).
+    2. Save with actions/cache/save@v5.
+    3. Optionally re-query `gh cache list` to confirm the save took effect.
+       GitHub's cache index is eventually consistent, so the verify step
+       retries a few times before failing.  Without this verify step, a
+       collision that prevented the save (e.g. a concurrent writer or a
+       stale slot the delete somehow missed) would surface only as a
+       `Warning: Cache save failed.` line and a corrupted slot would
+       persist indefinitely.
+
+  This action centralises that recipe so callers can express
+  delete-before-save as a single step.  Each invocation site supplies its
+  own `if:` gate (e.g. `if: always()` or `if: <cold-cache>`) at the
+  workflow level; this action does not encode any save policy of its own.
+
+  Failure semantics: the delete tolerates a missing slot, but the save
+  itself and (when enabled) the verify step will fail the job loudly.  A
+  silent save failure on a mutable slot is exactly the bug class this
+  action exists to prevent.
+inputs:
+  path:
+    description: |
+      Cache path(s), forwarded to actions/cache/save.  Multi-line values
+      are supported with the same semantics as actions/cache.
+    required: true
+  key:
+    description: |
+      Mutable-slot cache key (e.g. `foo-latest`).  This is the slot that
+      will be deleted (if present) and then saved.
+    required: true
+  description:
+    description: |
+      Short human-readable label used in log messages, e.g. "uv download
+      cache" or "testmon database".
+    required: false
+    default: "cache"
+  verify:
+    description: |
+      When `"true"` (default), re-query `gh cache list` after the save and
+      fail the job if the slot is not visible within a few retries.  Set
+      to `"false"` only when verification is genuinely undesirable; the
+      default exists because silent save failures are how stale slots
+      persist for days.
+    required: false
+    default: "true"
+  github-token:
+    description: |
+      Token for the `gh` CLI used by the delete and verify steps.  Pass
+      the workflow's `secrets.GITHUB_TOKEN` from the calling workflow.
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: Delete stale ${{ inputs.description }} entry
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.github-token }}
+        CACHE_KEY: ${{ inputs.key }}
+        CACHE_DESC: ${{ inputs.description }}
+        REPO: ${{ github.repository }}
+      run: |
+        set -euo pipefail
+        if ! command -v gh >/dev/null 2>&1; then
+          echo "::error::gh CLI not on PATH; cannot manage ${CACHE_DESC} slot."
+          exit 1
+        fi
+        # Use --json key + --jq for robust matching (no false positives
+        # on prefix overlap from sibling cache keys).
+        existing="$(gh cache list \
+          --repo "$REPO" \
+          --key "$CACHE_KEY" \
+          --json key \
+          --jq '.[].key' \
+          | grep -Fx "$CACHE_KEY" || true)"
+        if [ -n "$existing" ]; then
+          gh cache delete "$CACHE_KEY" --repo "$REPO"
+          echo "deleted stale ${CACHE_DESC}: $CACHE_KEY"
+        else
+          echo "no existing ${CACHE_DESC} to delete: $CACHE_KEY"
+        fi
+
+    - name: Save ${{ inputs.description }}
+      uses: actions/cache/save@v5
+      with:
+        path: ${{ inputs.path }}
+        key: ${{ inputs.key }}
+
+    # actions/cache/save@v5 silently no-ops on key collision; if the
+    # previous delete step somehow left the entry in place (or a
+    # concurrent run repopulated it), we want a hard failure now rather
+    # than a stale cache fed to tomorrow's consumer.
+    - name: Verify ${{ inputs.description }} was saved
+      if: inputs.verify == 'true'
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.github-token }}
+        CACHE_KEY: ${{ inputs.key }}
+        CACHE_DESC: ${{ inputs.description }}
+        REPO: ${{ github.repository }}
+      run: |
+        set -euo pipefail
+        # GitHub's cache index is eventually consistent; use linear back-off
+        # (10 s, 20 s, 30 s, 40 s, 50 s → 150 s total) before failing.
+        for attempt in 1 2 3 4 5; do
+          if gh cache list --repo "$REPO" --key "$CACHE_KEY" --json key --jq '.[].key' \
+              | grep -Fxq "$CACHE_KEY"; then
+            echo "${CACHE_DESC} present: $CACHE_KEY"
+            exit 0
+          fi
+          echo "attempt $attempt: ${CACHE_DESC} not yet visible, sleeping..."
+          sleep $((10 * attempt))
+        done
+        echo "::error::${CACHE_DESC} save did not take effect for key $CACHE_KEY"
+        exit 1

.github/actions/setup-uv-env/action.yml

@@ -166,63 +166,36 @@ runs:
         fi
 
     # --- CI-only test dependencies ----------------------------------------
-    # These modules are referenced by tests in test/ via @requires_module
-    # or pytest.importorskip but have no home in pyproject extras (either
-    # because they are pure CI test tooling like moto, or because they
-    # require special install paths like the PyG wheel index).  Installed
-    # via `uv pip install` AFTER the lockfile-mutation guard so uv.lock
-    # remains the single source of truth for the synced environment, and
-    # this step layers on top without invalidating that guarantee.
-    #
-    # Spec coupling notes:
-    #   * Pure-PyPI specs mirror Dockerfile:240-243 to keep container and
-    #     CI environments in lockstep.
-    #   * The PyG --find-links URL encodes the locked torch version (see
-    #     uv.lock entry for torch 2.11.0+cu128).  Bump the
-    #     torch-X.Y.Z+cu128 segment in lockstep when the torch pin moves
-    #     -- same hand-maintained coupling already documented for the
-    #     natten wheel index in pyproject.toml.
-    #
-    # earth2grid is intentionally NOT installed here: the source build
-    # (see Dockerfile:246 for the canonical pin) is fragile in the CI
-    # container.  HEALPix tests will continue to skip via @requires_module
-    # until earth2grid ships a wheel or the build is fixed.
-    #
-    # torch_scatter / torch_sparse / torch_cluster are pulled in as a
-    # source build via the gnns extra.  Without CUDA toolchain visible
-    # at build time uv lands the CPU-only wheel, which makes FigConvNet
-    # (and any model calling torch_scatter.segment_csr / similar on a
-    # CUDA tensor) fail with "Not compiled with CUDA support".  Force a
-    # reinstall from the PyG wheel index, which ships pre-built CUDA
-    # wheels matching the locked torch version.
+    # Test deps with no home in pyproject extras (pure CI tooling, or
+    # special install paths like the PyG wheel index) layered on top of
+    # the synced env.  Installed AFTER the lockfile-mutation guard so
+    # uv.lock remains the single source of truth for the synced
+    # environment; this step layers on top without invalidating that
+    # guarantee.  Pin list and per-pin rationale live in
+    # .github/ci-requirements.txt.
     - name: Install CI-only test dependencies
       shell: bash
       env:
         UV_LINK_MODE: copy
-        PYG_WHL_INDEX: "https://data.pyg.org/whl/torch-2.11.0+cu128.html"
-        # cuml-cu12 -> cudf -> numba caps numpy at <=2.2; uv.lock pins
-        # numpy 2.2.6 under the cu12 extra precisely for this reason.
-        # Without an explicit constraint here, uv pip install resolves
-        # transitive deps (e.g. tensorstore, pyarrow) freely and bumps
-        # numpy to 2.4.x, which crashes every test that touches cuml.
-        # Re-applying the cap on each layered install keeps numba happy.
-        NUMPY_PIN: "numpy<2.3"
       run: |
         set -euo pipefail
         echo "::group::install CI-only test dependencies"
+        # `--reinstall-package` (NOT bare `--reinstall`) is scoped to the
+        # four PyG names so we swap their CPU-only wheels (installed by
+        # `uv sync` via the `gnns` extra) for the CUDA wheels from the
+        # --find-links index baked into the requirements file.  Bare
+        # `--reinstall` would imply `--refresh` over the FULL resolved
+        # closure (~60 packages including transitive deps like pyarrow,
+        # cryptography, opentelemetry), bumping them to whatever's
+        # currently latest on PyPI and breaking ABI compatibility with
+        # the lockfile-pinned GPU stack (cudf / cuml / pylibcudf were
+        # built against the synced pyarrow ABI, etc.).
         uv pip install --python .venv/bin/python \
-          "$NUMPY_PIN" \
-          "moto[s3]>=5.0.28" \
-          "numpy-stl" \
-          "scikit-image>=0.24.0" \
-          "shapely" \
-          "multi-storage-client[boto3]>=0.33.0" \
-          "tensorstore" \
-          "pyarrow"
-        uv pip install --python .venv/bin/python --reinstall \
-          "$NUMPY_PIN" \
-          torch_scatter torch_sparse torch_cluster pyg_lib \
-          --find-links "$PYG_WHL_INDEX"
+          --reinstall-package torch_scatter \
+          --reinstall-package torch_sparse \
+          --reinstall-package torch_cluster \
+          --reinstall-package pyg_lib \
+          -r .github/ci-requirements.txt
         echo "::endgroup::"
 
     - name: Report cache sizes

.github/ci-requirements.txt

@@ -0,0 +1,61 @@
+# CI-only test dependencies layered on top of `uv sync --frozen`.
+#
+# Why a separate file (not pyproject extras):
+#   * Pure test tooling (moto) or no extras home (numpy-stl, scikit-image, ...).
+#   * PyG CUDA wheels live on a private index, not PyPI.
+#
+# Why every spec is `==`-pinned:
+#   testmon hashes site-packages content into its env fingerprint; any
+#   upstream release between the nightly that builds the testmon DB and
+#   the PR that consumes it would invalidate the entire cache.  Bumping a
+#   pin is a deliberate change: the next nightly repopulates the DB
+#   against the new fingerprint and PRs start hitting again.  Pinning
+#   here only stabilises *direct* deps; transitive churn (e.g. boto3 ->
+#   urllib3) can still trigger invalidations, in which case the next
+#   escalation is a constraints.txt passed via `uv pip install -c ...`.
+#
+# Coupling notes (bump in lockstep):
+#   * Dockerfile lines 240-243 still use `>=` lower bounds for the
+#     pure-PyPI specs; tighten in a follow-up.
+#   * The PyG --find-links URL encodes the locked torch version (see
+#     uv.lock for torch 2.11.0+cu128).  PyG wheels carry a local-version
+#     label like `2.1.2+pt211cu128`; per PEP 440 that sorts above plain
+#     `2.1.2`, so a `==2.1.2` pin selects the CUDA wheel without us
+#     hard-coding the full local segment.
+#
+# earth2grid is intentionally NOT installed: the source build is fragile
+# in the CI container.  HEALPix tests skip via @requires_module until
+# earth2grid ships a wheel or the build is fixed.
+
+# PyG CUDA wheel index.  Bump the torch-X.Y.Z+cu128 segment in lockstep
+# with the locked torch version.
+--find-links https://data.pyg.org/whl/torch-2.11.0+cu128.html
+
+# cuml-cu12 -> cudf -> numba caps numpy at <=2.2; uv.lock pins numpy
+# 2.2.6 under the cu12 extra for this reason.  Re-applied here so layered
+# installs (tensorstore, pyarrow, ...) cannot bump numpy to 2.4.x and
+# crash every test that touches cuml.
+numpy<2.3
+
+# Test tooling with no extras home.
+moto[s3]==5.2.1
+numpy-stl==3.2.0
+scikit-image==0.26.0
+shapely==2.1.2
+multi-storage-client[boto3]==0.48.0
+tensorstore==0.1.83
+pyarrow==24.0.0
+
+# PyG CUDA wheels.  The `gnns` extra installs CPU-only wheels via
+# `uv sync` (no CUDA toolchain visible at build time), which makes
+# torch_scatter.segment_csr / similar fail on CUDA tensors with
+# "Not compiled with CUDA support".  setup-uv-env passes
+# `--reinstall-package` for each of these four names so they're swapped
+# for the CUDA wheels from the --find-links index above; the rest of
+# the resolved closure is left alone (a bare `--reinstall` would refresh
+# every transitive dep too and break ABI compatibility with lockfile-
+# pinned packages like pyarrow / cudf / cuml).
+torch_scatter==2.1.2
+torch_sparse==0.6.18
+torch_cluster==1.6.3
+pyg_lib==0.6.0