13 changes: 10 additions & 3 deletions .github/actions/walletkit-build-and-maestro/action.yml
@@ -480,10 +480,17 @@ runs:
with:
# find-cache-dir default (babel-loader / metro transform cache). Warming
# this across runs cuts most of the `expo export` transform time.
#
# The key hashes the written .env too: Expo inlines EXPO_PUBLIC_* into
# the bundle at Babel transform time, and Metro's transform cache is NOT
# keyed on env values — so reusing a cache built with different
# EXPO_PUBLIC_* (e.g. a caller injecting per-run ephemeral creds) bakes
# stale key/creds into the bundle. No restore-keys: any prefix fallback
# would span different .env values and re-introduce that poisoning.
# Stable-creds callers still get a full hit (identical .env => identical
# key); per-run-creds callers cold-build each run, which is correct.
path: ${{ steps.paths.outputs.wallet_root }}/node_modules/.cache
key: ${{ runner.os }}-web-metro-${{ hashFiles(format('{0}/yarn.lock', steps.paths.outputs.wallet_root)) }}
restore-keys: |
${{ runner.os }}-web-metro-
key: ${{ runner.os }}-web-metro-${{ hashFiles(format('{0}/yarn.lock', steps.paths.outputs.wallet_root), format('{0}/.env', steps.paths.outputs.wallet_root)) }}
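Review bot: The new key only protects against the cross-run poisoning the comment describes if `.env` already exists when this step runs, and nothing in the hunk enforces that ordering: `hashFiles` hashes whichever of its patterns match, so if `format('{0}/.env', steps.paths.outputs.wallet_root)` matches no file the key silently degrades to a yarn.lock-only hash, with no error, and a later run with different EXPO_PUBLIC_* values would hit a stale transform cache again. Consider a guard step before the cache step (for example `test -f "${{ steps.paths.outputs.wallet_root }}/.env"`) or state the ordering dependency explicitly in the comment so a future reorder of the `.env` write does not quietly defeat the key.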

🤖 Auto Review Issue: Per-run-creds callers accumulate unreusable cache entries on every run

Severity: LOW
Category: performance
Tool: Claude Auto Review

Context:

  • Pattern: actions/cache@v4 always saves the cache in its post-step when the restore key missed. For callers with rotating EXPO_PUBLIC_*, every run produces a unique .env hash → perpetual miss → perpetual save of a cache entry that will never be reused.
  • Risk: Callers' GitHub Actions cache fills with one-shot entries at ~the transform cache size per run (typically tens to hundreds of MB). GitHub evicts entries not accessed in 7 days, so the churn is bounded, but active CI pipelines will permanently occupy significant cache quota.
  • Impact: Wasted cache quota in external caller repos; no correctness impact.
  • Trigger: Any caller injecting per-run ephemeral credentials (the scenario this PR targets).

Recommendation: Split into restore + conditional save using the v4 separate actions, or add a save-cache input (default true) to let callers opt out of saving when they know their key will never repeat:

- uses: actions/cache/restore@v4   # restore only
  with:
    path: ...
    key: ${{ runner.os }}-web-metro-${{ hashFiles(...) }}

# only save when not using ephemeral creds (caller sets input)
- if: inputs.save-web-metro-cache != 'false'
  uses: actions/cache/save@v4
  with:
    path: ...
    key: ${{ runner.os }}-web-metro-${{ hashFiles(...) }}

This is a follow-up improvement, not a blocker for merging — the current behavior is safe and correct.


- name: Export web build
if: inputs.platform == 'web'