feat: repo scoping

Author: LouisHaftmann

lib/api/cache-entries.ts

@@ -47,6 +47,7 @@ export const cacheEntriesRouter = base
             .optional()
             .describe('Optional fallback keys to try if the primary key does not match'),
           scopes: z.array(z.string()).describe('Scopes to search within, checked in order'),
+          repoId: z.string().describe('Repository id to match the cache entry against'),
           version: z.string().describe('Cache version identifier'),
         }),
       )
@@ -67,6 +68,7 @@ export const cacheEntriesRouter = base
           keys: [input.primaryKey, ...(input.restoreKeys ?? [])],
           scopes: input.scopes,
           version: input.version,
+          repoId: input.repoId,
         })
 
         return cacheEntry ?? null
@@ -84,6 +86,7 @@ export const cacheEntriesRouter = base
           key: z.string().optional().describe('Filter by exact cache key'),
           version: z.string().optional().describe('Filter by exact cache version'),
           scope: z.string().optional().describe('Filter by exact cache scope'),
+          repoId: z.string().optional().describe('Filter by exact repository id'),
           itemsPerPage: z
             .number()
             .int()
@@ -106,6 +109,7 @@ export const cacheEntriesRouter = base
         if (input.key) query.where('key', '=', input.key)
         if (input.version) query.where('version', '=', input.version)
         if (input.scope) query.where('scope', '=', input.scope)
+        if (input.repoId) query.where('repoId', '=', input.repoId)
 
         const [cacheEntries, countResult] = await Promise.all([
           query
@@ -151,6 +155,7 @@ export const cacheEntriesRouter = base
           key: z.string().optional().describe('Filter by exact cache key'),
           version: z.string().optional().describe('Filter by exact cache version'),
           scope: z.string().optional().describe('Filter by exact cache scope'),
+          repoId: z.string().optional().describe('Filter by exact repository id'),
         }),
       )
       .handler(async ({ input, context }) => {

lib/db.ts

@@ -17,6 +17,7 @@ export const cacheEntrySchema = z.object({
   key: z.string(),
   version: z.string(),
   scope: z.string(),
+  repoId: z.string(),
   updatedAt: z.number(),
   locationId: z.string(),
 })
@@ -38,6 +39,7 @@ export const uploadSchema = z.object({
   key: z.string(),
   version: z.string(),
   scope: z.string(),
+  repoId: z.string(),
   createdAt: z.number(),
   lastPartUploadedAt: z.number().nullable(),
   startedPartUploadCount: z.number(),
@@ -55,7 +57,8 @@ export interface Database {
 const dbLogger = logger.withTag('db')
 
 export const getDatabase = createSingletonPromise(async () => {
-  if(process.env.NODE_CAGED === 'true' && env.DB_DRIVER === 'sqlite') throw new Error('SQLite is not supported with `caged` image variant.')
+  if (process.env.NODE_CAGED === 'true' && env.DB_DRIVER === 'sqlite')
+    throw new Error('SQLite is not supported with `caged` image variant.')
 
   const dialect = await match(env)
     .with({ DB_DRIVER: 'postgres' }, async (env) => {

lib/migrations.ts

@@ -114,5 +114,46 @@ export function migrations(driver: Env['DB_DRIVER']) {
         await db.schema.alterTable('uploads').dropColumn('scope').execute()
       },
     },
+    $3_repoId: {
+      async up(db) {
+        const repoIdColumnType = driver === 'mysql' ? 'varchar(255)' : 'text'
+
+        // clear all existing entries
+        const adapter = await Storage.getAdapterFromEnv()
+
+        await Promise.all([
+          db.deleteFrom('cache_entries').execute(),
+          db.deleteFrom('storage_locations').execute(),
+          db.deleteFrom('uploads').execute(),
+          adapter.clear(),
+        ])
+
+        await db.schema
+          .alterTable('cache_entries')
+          .addColumn('repoId', repoIdColumnType, (col) => col.notNull())
+          .execute()
+        await db.schema
+          .createIndex('idx_cache_entries_repoId')
+          .on('cache_entries')
+          .columns(['repoId'])
+          .execute()
+
+        await db.schema
+          .alterTable('uploads')
+          .addColumn('repoId', repoIdColumnType, (col) => col.notNull())
+          .execute()
+        await db.schema
+          .createIndex('idx_uploads_repoId')
+          .on('uploads')
+          .columns(['repoId'])
+          .execute()
+      },
+      async down(db) {
+        await db.schema.dropIndex('idx_cache_entries_repoId').execute()
+        await db.schema.alterTable('cache_entries').dropColumn('repoId').execute()
+        await db.schema.dropIndex('idx_uploads_repoId').execute()
+        await db.schema.alterTable('uploads').dropColumn('repoId').execute()
+      },
+    },
   } satisfies Record<string, Migration>
 }

lib/scope.ts

@@ -40,7 +40,7 @@ function parseJsonScopes(json: string) {
   }
 }
 
-export async function getCacheScopes(event: H3Event) {
+export async function getCacheScope(event: H3Event) {
   const token = getBearerToken(event)
   if (!token)
     throw createError({ statusCode: 401, message: 'Authorization header missing or malformed' })
@@ -61,5 +61,12 @@ export async function getCacheScopes(event: H3Event) {
   if (!hasAtLeast(scopes, 1))
     throw createError({ statusCode: 401, message: 'Token does not contain any cache scopes' })
 
-  return scopes
+  const repoId = decoded.repository_id
+  if (!repoId || typeof repoId !== 'string')
+    throw createError({ statusCode: 401, message: 'Token does not contain repository id' })
+
+  return {
+    scopes,
+    repoId,
+  }
 }

lib/storage.ts

@@ -91,12 +91,23 @@ export class Storage {
       .execute()
   }
 
-  async completeUpload(key: string, version: string, scope: string) {
+  async completeUpload({
+    key,
+    version,
+    scope,
+    repoId,
+  }: {
+    key: string
+    version: string
+    scope: string
+    repoId: string
+  }) {
     const upload = await this.db
       .selectFrom('uploads')
       .where('key', '=', key)
       .where('version', '=', version)
       .where('scope', '=', scope)
+      .where('repoId', '=', repoId)
       .selectAll()
       .executeTakeFirst()
     if (!upload) return
@@ -141,6 +152,7 @@ export class Storage {
         .where('key', '=', key)
         .where('version', '=', version)
         .where('scope', '=', scope)
+        .where('repoId', '=', repoId)
         .innerJoin('storage_locations', 'storage_locations.id', 'cache_entries.locationId')
         .select(['cache_entries.id', 'cache_entries.locationId', 'storage_locations.folderName'])
         .executeTakeFirst()
@@ -169,6 +181,7 @@ export class Storage {
             updatedAt: Date.now(),
             locationId,
             scope,
+            repoId,
           })
           .execute()
 
@@ -305,11 +318,23 @@ export class Storage {
     }
   }
 
-  async createUpload(key: string, version: string, scope: string) {
+  async createUpload({
+    key,
+    version,
+    scope,
+    repoId,
+  }: {
+    key: string
+    version: string
+    scope: string
+    repoId: string
+  }) {
     const existingUpload = await this.db
       .selectFrom('uploads')
       .where('key', '=', key)
       .where('version', '=', version)
+      .where('scope', '=', scope)
+      .where('repoId', '=', repoId)
       .select('id')
       .executeTakeFirst()
     if (existingUpload) return
@@ -324,6 +349,7 @@ export class Storage {
         key,
         version,
         scope,
+        repoId,
         lastPartUploadedAt: null,
         finishedPartUploadCount: 0,
         startedPartUploadCount: 0,
@@ -337,17 +363,20 @@ export class Storage {
     keys: [primaryKey, ...restoreKeys],
     version,
     scopes,
+    repoId,
   }: {
     keys: [string, ...string[]]
     version: string
     scopes: string[]
+    repoId: string
   }) {
     for (const scope of scopes) {
       const exactPrimaryMatch = await this.db
         .selectFrom('cache_entries')
         .where('key', '=', primaryKey)
         .where('version', '=', version)
         .where('scope', '=', scope)
+        .where('repoId', '=', repoId)
         .selectAll()
         .executeTakeFirst()
       if (exactPrimaryMatch)
@@ -361,6 +390,7 @@ export class Storage {
         .where('key', 'like', `${primaryKey}%`)
         .where('version', '=', version)
         .where('scope', '=', scope)
+        .where('repoId', '=', repoId)
         .orderBy('cache_entries.updatedAt', 'desc')
         .selectAll()
         .executeTakeFirst()
@@ -379,6 +409,7 @@ export class Storage {
           .where('key', '=', key)
           .where('version', '=', version)
           .where('scope', '=', scope)
+          .where('repoId', '=', repoId)
           .orderBy('updatedAt', 'desc')
           .selectAll()
           .executeTakeFirst()
@@ -393,6 +424,7 @@ export class Storage {
           .where('key', 'like', `${key}%`)
           .where('version', '=', version)
           .where('scope', '=', scope)
+          .where('repoId', '=', repoId)
           .orderBy('updatedAt', 'desc')
           .selectAll()
           .executeTakeFirst()

routes/twirp/github.actions.results.api.v1.CacheService/CreateCacheEntry.post.ts

@@ -1,6 +1,6 @@
 import { z } from 'zod'
 import { env } from '~/lib/env'
-import { getCacheScopes } from '~/lib/scope'
+import { getCacheScope } from '~/lib/scope'
 import { getStorage } from '~/lib/storage'
 
 const bodySchema = z.object({
@@ -9,7 +9,7 @@ const bodySchema = z.object({
 })
 
 export default defineEventHandler(async (event) => {
-  const scopes = await getCacheScopes(event)
+  const { scopes, repoId } = await getCacheScope(event)
 
   const body = (await readBody(event)) as unknown
   const parsedBody = bodySchema.safeParse(body)
@@ -26,7 +26,7 @@ export default defineEventHandler(async (event) => {
   if (!writeScope)
     throw createError({ statusCode: 403, message: 'No scope with write permission found' })
 
-  const upload = await storage.createUpload(key, version, writeScope.Scope)
+  const upload = await storage.createUpload({ key, version, scope: writeScope.Scope, repoId })
   if (!upload)
     return {
       ok: false,

routes/twirp/github.actions.results.api.v1.CacheService/FinalizeCacheEntryUpload.ts

@@ -1,5 +1,5 @@
 import { z } from 'zod'
-import { getCacheScopes } from '~/lib/scope'
+import { getCacheScope } from '~/lib/scope'
 import { getStorage } from '~/lib/storage'
 
 const bodySchema = z.object({
@@ -8,7 +8,7 @@ const bodySchema = z.object({
 })
 
 export default defineEventHandler(async (event) => {
-  const scopes = await getCacheScopes(event)
+  const { scopes, repoId } = await getCacheScope(event)
 
   const parsedBody = bodySchema.safeParse(await readBody(event))
   if (!parsedBody.success)
@@ -24,7 +24,7 @@ export default defineEventHandler(async (event) => {
   if (!writeScope)
     throw createError({ statusCode: 403, message: 'No scope with write permission found' })
 
-  const upload = await storage.completeUpload(key, version, writeScope.Scope)
+  const upload = await storage.completeUpload({ key, version, scope: writeScope.Scope, repoId })
   if (!upload)
     throw createError({
       statusCode: 404,

routes/twirp/github.actions.results.api.v1.CacheService/GetCacheEntryDownloadURL.post.ts

@@ -1,6 +1,6 @@
 import { map, pipe, prop, sortBy } from 'remeda'
 import { z } from 'zod'
-import { getCacheScopes } from '~/lib/scope'
+import { getCacheScope } from '~/lib/scope'
 import { getStorage } from '~/lib/storage'
 
 const bodySchema = z.object({
@@ -10,7 +10,7 @@ const bodySchema = z.object({
 })
 
 export default defineEventHandler(async (event) => {
-  const scopes = await getCacheScopes(event)
+  const { scopes, repoId } = await getCacheScope(event)
 
   const parsedBody = bodySchema.safeParse(await readBody(event))
   if (!parsedBody.success)
@@ -26,6 +26,7 @@ export default defineEventHandler(async (event) => {
     keys: [key, ...(restore_keys ?? [])],
     version,
     scopes: pipe(scopes, sortBy([prop('Permission'), 'desc']), map(prop('Scope'))),
+    repoId,
   })
   if (!match)
     return {

tests/e2e.test.ts

@@ -16,6 +16,7 @@ describe(`save and restore cache with @actions/cache package`, () => {
     process.env.ACTIONS_CACHE_SERVICE_V2 = 'true'
     process.env.ACTIONS_RUNTIME_TOKEN = await new SignJWT({
       ac: JSON.stringify([{ Scope: 'refs/heads/main', Permission: 3 }]),
+      repository_id: '123',
     })
       .setProtectedHeader({ alg: 'HS256' })
       .sign(crypto.createSecretKey('mock-secret-key', 'ascii'))