dbt-databricks/.github/workflows/warmDepsCache.yml at 2bb172c08c0563b0123c29c800c679ee54ea3bbd · databricks/dbt-databricks · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
# Warm Python Dependency Cache
#
# Pre-downloads all Python dependencies via JFrog Artifactory and saves them
# to the GitHub Actions cache. PR workflows (including fork PRs, which cannot
# authenticate to JFrog) restore this cache and build fully offline.
#
# Triggers:
#   - push to main when dependency files change (keeps cache fresh)
#   - daily schedule (prevents 7-day GitHub Actions cache eviction)
#   - manual dispatch (with optional PR number to warm cache for a fork's deps)

name: Warm Python Dependency Cache

on:
  push:
    branches: [main]
    paths:
      - "uv.lock"
      - "pyproject.toml"
      - ".pre-commit-config.yaml"
  pull_request: # TEMPORARY: remove after testing
  schedule:
    - cron: "0 6 * * *" # Daily at 06:00 UTC
  workflow_dispatch:
    inputs:
      pr_number:
        description: "PR number to warm cache for (reads lockfiles from the PR branch). Leave empty to warm from main."
        required: false
        type: string

permissions:
  id-token: write
  contents: read
  pull-requests: read

jobs:
  warm-cache:
    runs-on:
      group: databricks-protected-runner-group
      labels: linux-ubuntu-latest

    env:
      UV_FROZEN: "1"
      # Pin cache dir so setup-uv doesn't override it to a temp path.
      # Must match the path in setup-python-deps/action.yml cache restore.
      UV_CACHE_DIR: /home/runner/.cache/uv

    steps:
      - name: Checkout main branch
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

      - name: Overlay PR dependency files
        if: inputs.pr_number != ''
        shell: bash
        run: |
          set -euo pipefail

          PR_DATA=$(curl -sLS \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer ${{ github.token }}" \
            "https://api.github.com/repos/${{ github.repository }}/pulls/${{ inputs.pr_number }}")

          FORK_REPO=$(echo "$PR_DATA" | jq -r '.head.repo.full_name')
          FORK_REF=$(echo "$PR_DATA" | jq -r '.head.ref')

          echo "Warming cache for PR #${{ inputs.pr_number }} from ${FORK_REPO}@${FORK_REF}"

          # Fetch only lockfiles from the fork — .github/actions/ always
          # comes from main to prevent code injection from forks.
          git remote add fork "https://github.com/${FORK_REPO}.git"
          git fetch --depth=1 fork "${FORK_REF}"
          git checkout FETCH_HEAD -- uv.lock pyproject.toml .pre-commit-config.yaml

      - name: Setup JFrog PyPI Proxy
        uses: ./.github/actions/setup-jfrog-pypi

      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: "3.10"

      - name: Install uv
        uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4

      - name: Install Hatch
        uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc # install

      - name: Install Python versions for test matrix
        run: uv python install 3.10 3.11 3.12 3.13

      - name: Create all hatch environments (populates uv cache)
        run: |
          set -euo pipefail
          hatch env create default
          hatch env create test.py3.10
          hatch env create test.py3.11
          hatch env create test.py3.12
          hatch env create test.py3.13
          hatch env create verify

      - name: Warm pre-commit cache
        run: hatch run pre-commit install-hooks

      - name: Build and warm pip cache for verify environment
        run: |
          set -euo pipefail
          hatch -v build
          # Run verify to populate ~/.cache/pip/ with runtime transitive deps.
          # Allow failure — we only care about populating the cache.
          hatch run verify:check-all || true

      - name: Generate cache key
        id: cache-key
        shell: bash
        run: |
          # Hash first so consumers can prefix-match on the hash alone.
          # Timestamp suffix ensures each run creates a new immutable entry;
          # consumers pick the latest timestamp for a given hash.
          TIMESTAMP=$(date -u +%Y%m%d%H%M%S)
          LOCK_HASH="${{ hashFiles('uv.lock', 'pyproject.toml') }}"
          echo "python-deps-key=python-deps-${LOCK_HASH}-${TIMESTAMP}" >> "$GITHUB_OUTPUT"

          PRECOMMIT_HASH="${{ hashFiles('.pre-commit-config.yaml') }}"
          echo "pre-commit-key=pre-commit-deps-${PRECOMMIT_HASH}-${TIMESTAMP}" >> "$GITHUB_OUTPUT"

      - name: Save uv and pip cache
        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
        with:
          path: |
            ~/.cache/uv
            ~/.cache/pip
          key: ${{ steps.cache-key.outputs.python-deps-key }}

      - name: Save pre-commit cache
        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
        with:
          path: ~/.cache/pre-commit
          key: ${{ steps.cache-key.outputs.pre-commit-key }}