.github: make cigocacher script more robust

We got a flake in https://github.com/tailscale/tailscale/actions/runs/19867229792/job/56933249360 but it's not obvious to me where it failed. Make it more robust and print out more useful error messages for next time. Updates tailscale/corp#10808 Change-Id: I9ca08ea1103b9ad968c9cc0c42a493981ea62435 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
2025-12-05 17:32:02 +01:00 · 2025-12-02 17:35:15 +00:00 · 2025-12-02 17:35:15 +00:00 · f8cd07fb8a
commit f8cd07fb8a
parent b8c58ca7c1
1 changed files with 36 additions and 7 deletions
--- a/.github/actions/go-cache/action.sh
+++ b/.github/actions/go-cache/action.sh
@ -17,23 +17,52 @@ if [ -z "${GITHUB_ACTIONS:-}" ]; then
    exit 1
 fi

-if [ -z "$URL" ]; then
+if [ -z "${URL:-}" ]; then
    echo "No cigocached URL is set, skipping cigocacher setup"
    exit 0
 fi

-JWT="$(curl -sSL -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=gocached" | jq -r .value)"
+curl_and_parse() {
+    local jq_filter="$1"
+    local step="$2"
+    shift 2
+    
+    local response
+    local curl_exit
+    response="$(curl -sSL "$@" 2>&1)" || curl_exit="$?"
+    if [ "${curl_exit:-0}" -ne "0" ]; then
+        echo "${step}: ${response}" >&2
+        return 1
+    fi
+    
+    local parsed
+    local jq_exit
+    parsed=$(echo "${response}" | jq -e -r "${jq_filter}" 2>&1) || jq_exit=$?
+    if [ "${jq_exit:-0}" -ne "0" ]; then
+        echo "${step}: Failed to parse JSON response:" >&2
+        echo "${response}" >&2
+        return 1
+    fi
+    
+    echo "${parsed}"
+    return 0
+}
+
+JWT="$(curl_and_parse ".value" "Fetching GitHub identity JWT" \
+    -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
+    "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=gocached")" || exit 0
+
 # cigocached serves a TLS cert with an FQDN, but DNS is based on VM name.
 HOST_AND_PORT="${URL#http*://}"
 FIRST_LABEL="${HOST_AND_PORT/.*/}"
 # Save CONNECT_TO for later steps to use.
 echo "CONNECT_TO=${HOST_AND_PORT}:${FIRST_LABEL}:" >> "${GITHUB_ENV}"
 BODY="$(jq -n --arg jwt "$JWT" '{"jwt": $jwt}')"
-CIGOCACHER_TOKEN="$(curl -sSL --connect-to "$HOST_AND_PORT:$FIRST_LABEL:" -H "Content-Type: application/json" "$URL/auth/exchange-token" -d "$BODY" | jq -r .access_token || true)"
-if [ -z "$CIGOCACHER_TOKEN" ]; then
-    echo "Failed token exchange with cigocached, skipping cigocacher setup"
-    exit 0
-fi
+CIGOCACHER_TOKEN="$(curl_and_parse ".access_token" "Exchanging token with cigocached" \
+    --connect-to "${HOST_AND_PORT}:${FIRST_LABEL}:" \
+    -H "Content-Type: application/json" \
+    "$URL/auth/exchange-token" \
+    -d "$BODY")" || exit 0

 # Wait until we successfully auth before building cigocacher to ensure we know
 # it's worth building.