fix: avoid cache busting through headers in github api calls

Author: wdconinc

.ci/resolve_git_ref

@@ -0,0 +1,101 @@
+#!/bin/sh
+# Resolve git refs (branches, tags, or commit SHAs) to full commit SHAs
+#
+# Usage:
+#   resolve_git_ref <repo> <ref>
+#   resolve_git_ref eic/edm4eic main
+#   resolve_git_ref eic/epic v24.11.0
+#   resolve_git_ref eic/eicrecon abc123def456...
+#
+# Exit codes:
+#   0 - Success (ref resolved or already a SHA)
+#   1 - Invalid arguments or ref not found
+
+set -e
+
+# Show usage if no arguments or --help
+if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+  cat >&2 << 'USAGE'
+Usage: resolve_git_ref <repo> <ref>
+
+Resolves a git reference (branch, tag, or commit SHA) to a full commit SHA.
+
+Arguments:
+  repo        Git repository, in the format org/repo (e.g., eic/edm4eic)
+  ref         Git reference: branch name, tag name, or commit SHA
+
+Examples:
+  # Resolve branch to SHA
+  resolve_git_ref eic/edm4eic main
+
+  # Resolve tag to SHA
+  resolve_git_ref eic/epic v24.11.0
+
+  # Return commit SHA as-is
+  resolve_git_ref eic/eicrecon abc123def456...
+
+Exit codes:
+  0 - Success (SHA printed to stdout)
+  1 - Error (message printed to stderr)
+USAGE
+  exit 1
+fi
+
+# Require exactly 2 arguments
+if [ $# -ne 2 ]; then
+  echo "Error: Expected 2 arguments, got $#" >&2
+  echo "Run 'resolve_git_ref --help' for usage" >&2
+  exit 1
+fi
+
+repo_url="https://github.com/${1}.git"
+ref="${2}"
+
+# Handle empty ref
+if [ -z "${ref}" ]; then
+  echo "Error: ref argument is empty" >&2
+  exit 1
+fi
+
+# If it's already a commit SHA (7-40 hex characters), return as-is
+# Full SHAs are 40 chars, but short SHAs (7+) are also valid
+# POSIX-compliant check: use case statement for pattern matching
+case "${ref}" in
+  *[!0-9a-f]*)
+    # Contains non-hex characters, not a SHA
+    ;;
+  *)
+    # All hex characters, check length
+    ref_len=${#ref}
+    if [ "${ref_len}" -ge 7 ] && [ "${ref_len}" -le 40 ]; then
+      echo "${ref}"
+      exit 0
+    fi
+    ;;
+esac
+
+# Try to resolve as branch
+sha=$(git ls-remote "${repo_url}" "refs/heads/${ref}" 2>/dev/null | cut -f1)
+if [ -n "${sha}" ]; then
+  echo "${sha}"
+  exit 0
+fi
+
+# Try to resolve as tag
+sha=$(git ls-remote "${repo_url}" "refs/tags/${ref}" 2>/dev/null | cut -f1)
+if [ -n "${sha}" ]; then
+  echo "${sha}"
+  exit 0
+fi
+
+# Try to resolve as annotated tag (^{} dereferences to commit)
+sha=$(git ls-remote "${repo_url}" "refs/tags/${ref}^{}" 2>/dev/null | cut -f1)
+if [ -n "${sha}" ]; then
+  echo "${sha}"
+  exit 0
+fi
+
+# Unable to resolve
+echo "Error: Unable to resolve ref '${ref}' in repository '${repo_url}'" >&2
+echo "Ref must be a valid branch name, tag name, or commit SHA" >&2
+exit 1

.github/workflows/build-push.yml

@@ -82,7 +82,7 @@ jobs:
         run: |
           source spack.sh
           echo "orgrepo=${SPACK_ORGREPO}" | tee -a $GITHUB_OUTPUT
-          echo "version=${SPACK_VERSION}" | tee -a $GITHUB_OUTPUT
+          echo "version=$(.ci/resolve_git_ref ${SPACK_ORGREPO} ${SPACK_VERSION})" | tee -a $GITHUB_OUTPUT
           echo "cherrypicks=${SPACK_CHERRYPICKS//$'\n'/ }" | tee -a $GITHUB_OUTPUT
           echo "cherrypicks_files=${SPACK_CHERRYPICKS_FILES//$'\n'/ }" | tee -a $GITHUB_OUTPUT
       - name: Load spack-packages version and cherry-picks
@@ -91,21 +91,21 @@ jobs:
         run: |
           source spack-packages.sh
           echo "orgrepo=${SPACKPACKAGES_ORGREPO}" | tee -a $GITHUB_OUTPUT
-          echo "version=${SPACKPACKAGES_VERSION}" | tee -a $GITHUB_OUTPUT
+          echo "version=$(.ci/resolve_git_ref ${SPACKPACKAGES_ORGREPO} ${SPACKPACKAGES_VERSION})" | tee -a $GITHUB_OUTPUT
           echo "cherrypicks=${SPACKPACKAGES_CHERRYPICKS//$'\n'/ }" | tee -a $GITHUB_OUTPUT
           echo "cherrypicks_files=${SPACKPACKAGES_CHERRYPICKS_FILES//$'\n'/ }" | tee -a $GITHUB_OUTPUT
       - name: Load key4hep-spack version
         id: key4hep-spack
         run: |
           source key4hep-spack.sh
           echo "orgrepo=${KEY4HEPSPACK_ORGREPO}" | tee -a $GITHUB_OUTPUT
-          echo "version=${KEY4HEPSPACK_VERSION}" | tee -a $GITHUB_OUTPUT
+          echo "version=$(.ci/resolve_git_ref ${KEY4HEPSPACK_ORGREPO} ${KEY4HEPSPACK_VERSION})" | tee -a $GITHUB_OUTPUT
       - name: Load eic-spack version
         id: eic-spack
         run: |
           source eic-spack.sh
           echo "orgrepo=${EICSPACK_ORGREPO}" | tee -a $GITHUB_OUTPUT
-          echo "version=${EICSPACK_VERSION}" | tee -a $GITHUB_OUTPUT
+          echo "version=$(.ci/resolve_git_ref ${EICSPACK_ORGREPO} ${EICSPACK_VERSION})" | tee -a $GITHUB_OUTPUT
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
         with:

.gitlab-ci.yml

@@ -315,17 +315,17 @@ base:
                    --build-arg BASE_IMAGE=${BASE_IMAGE}
                    --build-arg BUILD_IMAGE=${BUILD_IMAGE}
                    --build-arg SPACK_ORGREPO=${SPACK_ORGREPO}
-                   --build-arg SPACK_VERSION=${SPACK_VERSION}
+                   --build-arg SPACK_VERSION=$(sh .ci/resolve_git_ref "${SPACK_ORGREPO}" "${SPACK_VERSION}")
                    --build-arg SPACK_CHERRYPICKS="${SPACK_CHERRYPICKS}"
                    --build-arg SPACK_CHERRYPICKS_FILES="${SPACK_CHERRYPICKS_FILES}"
                    --build-arg SPACKPACKAGES_ORGREPO=${SPACKPACKAGES_ORGREPO}
-                   --build-arg SPACKPACKAGES_VERSION=${SPACKPACKAGES_VERSION}
+                   --build-arg SPACKPACKAGES_VERSION=$(sh .ci/resolve_git_ref "${SPACKPACKAGES_ORGREPO}" "${SPACKPACKAGES_VERSION}")
                    --build-arg SPACKPACKAGES_CHERRYPICKS="${SPACKPACKAGES_CHERRYPICKS}"
                    --build-arg SPACKPACKAGES_CHERRYPICKS_FILES="${SPACKPACKAGES_CHERRYPICKS_FILES}"
                    --build-arg KEY4HEPSPACK_ORGREPO=${KEY4HEPSPACK_ORGREPO}
-                   --build-arg KEY4HEPSPACK_VERSION=${KEY4HEPSPACK_VERSION}
+                   --build-arg KEY4HEPSPACK_VERSION=$(sh .ci/resolve_git_ref "${KEY4HEPSPACK_ORGREPO}" "${KEY4HEPSPACK_VERSION}")
                    --build-arg EICSPACK_ORGREPO=${EICSPACK_ORGREPO}
-                   --build-arg EICSPACK_VERSION=${EICSPACK_VERSION}
+                   --build-arg EICSPACK_VERSION=$(sh .ci/resolve_git_ref "${EICSPACK_ORGREPO}" "${EICSPACK_VERSION}")
                    --build-arg jobs=${JOBS}
                    --provenance false
                    containers/debian
@@ -449,16 +449,16 @@ eic:
                    --build-arg EIC_CONTAINER_VERSION=${EXPORT_TAG}-${BUILD_TYPE}-$(git rev-parse HEAD)
                    --build-arg CI_COMMIT_SHA=${CI_COMMIT_SHA}
                    ${IF_BUILD_DEFAULT+
-                     ${EDM4EIC_VERSION:+--build-arg EDM4EIC_VERSION=${EDM4EIC_VERSION}}
-                     ${EICRECON_VERSION:+--build-arg EICRECON_VERSION=${EICRECON_VERSION}}
-                     ${EPIC_VERSION:+--build-arg EPIC_VERSION=${EPIC_VERSION}}
-                     ${JUGGLER_VERSION:+--build-arg JUGGLER_VERSION=${JUGGLER_VERSION}}
+                     ${EDM4EIC_VERSION:+--build-arg EDM4EIC_VERSION=$(sh .ci/resolve_git_ref eic/EDM4eic ${EDM4EIC_VERSION})}
+                     ${EICRECON_VERSION:+--build-arg EICRECON_VERSION=$(sh .ci/resolve_git_ref eic/EICrecon ${EICRECON_VERSION})}
+                     ${EPIC_VERSION:+--build-arg EPIC_VERSION=$(sh .ci/resolve_git_ref eic/epic ${EPIC_VERSION})}
+                     ${JUGGLER_VERSION:+--build-arg JUGGLER_VERSION=$(sh .ci/resolve_git_ref eic/juggler ${JUGGLER_VERSION})}
                    }
                    ${IF_BUILD_NIGHTLY+
-                     --build-arg EDM4EIC_VERSION=${EDM4EIC_VERSION:-main}
-                     --build-arg EICRECON_VERSION=${EICRECON_VERSION:-main}
-                     --build-arg EPIC_VERSION=${EPIC_VERSION:-main}
-                     --build-arg JUGGLER_VERSION=${JUGGLER_VERSION:-main}
+                     --build-arg EDM4EIC_VERSION=$(sh .ci/resolve_git_ref eic/EDM4eic ${EDM4EIC_VERSION:-main})
+                     --build-arg EICRECON_VERSION=$(sh .ci/resolve_git_ref eic/EICrecon ${EICRECON_VERSION:-main})
+                     --build-arg EPIC_VERSION=$(sh .ci/resolve_git_ref eic/epic ${EPIC_VERSION:-main})
+                     --build-arg JUGGLER_VERSION=$(sh .ci/resolve_git_ref eic/juggler ${JUGGLER_VERSION:-main})
                    }
                    --build-arg ENV=${ENV}
                    --build-arg jobs=${JOBS}

containers/debian/Dockerfile

@@ -160,8 +160,11 @@ ARG SPACK_VERSION="develop"
 ENV SPACK_PYTHON=/usr/bin/python3
 ARG SPACK_CHERRYPICKS=""
 ARG SPACK_CHERRYPICKS_FILES=""
-ADD https://api.github.com/repos/${SPACK_ORGREPO}/commits/${SPACK_VERSION} /tmp/spack.json
+# Dockerfile ADD --keep-git-dir clones a shallow copy preventing cherry-picking
+#ADD --keep-git-dir https://github.com/${SPACK_ORGREPO}.git#${SPACK_VERSION} ${SPACK_ROOT}
+# so we git clone the default branch and checkout the specific commit
 RUN <<EOF
+set -e
 git clone --filter=tree:0 https://github.com/${SPACK_ORGREPO}.git ${SPACK_ROOT}
 git -C ${SPACK_ROOT} checkout ${SPACK_VERSION}
 if [ -n "${SPACK_CHERRYPICKS}" ] ; then
@@ -194,7 +197,9 @@ ARG SPACKPACKAGES_ORGREPO="spack/spack-packages"
 ARG SPACKPACKAGES_VERSION="develop"
 ARG SPACKPACKAGES_CHERRYPICKS=""
 ARG SPACKPACKAGES_CHERRYPICKS_FILES=""
-ADD https://api.github.com/repos/${SPACKPACKAGES_ORGREPO}/commits/${SPACKPACKAGES_VERSION} /tmp/spack-packages.json
+# Dockerfile ADD --keep-git-dir clones a shallow copy preventing cherry-picking
+#ADD --keep-git-dir https://github.com/${SPACKPACKAGES_ORGREPO}.git#${SPACKPACKAGES_VERSION} ${SPACKPACKAGES_ROOT}
+# so we git clone the default branch and checkout the specific commit
 RUN <<EOF
 set -e
 git clone --filter=tree:0 https://github.com/${SPACKPACKAGES_ORGREPO}.git ${SPACKPACKAGES_ROOT}
@@ -247,14 +252,14 @@ spack mirror add --scope site --unsigned ghcr-${SPACK_VERSION} oci://ghcr.io/eic
 spack mirror list
 EOF
 
-## Setup key4hep-spack
+## Setup key4hep-spack (no need for cherry-picks)
 ENV KEY4HEPSPACK_ROOT=${SPACKPACKAGES_ROOT}/repos/key4hep-spack
 ARG KEY4HEPSPACK_ORGREPO="key4hep/key4hep-spack"
 ARG KEY4HEPSPACK_VERSION="main"
 ADD https://github.com/${KEY4HEPSPACK_ORGREPO}.git#${KEY4HEPSPACK_VERSION} ${KEY4HEPSPACK_ROOT}
 RUN spack repo add --scope site "${KEY4HEPSPACK_ROOT}"
 
-## Setup eic-spack
+## Setup eic-spack (no need for cherry-picks)
 ENV EICSPACK_ROOT=${SPACKPACKAGES_ROOT}/repos/eic-spack
 ARG EICSPACK_ORGREPO="eic/eic-spack"
 ARG EICSPACK_VERSION="develop"

containers/eic/Dockerfile

@@ -165,33 +165,25 @@ ARG EDM4EIC_VERSION="8aeb507f93a93257c99985efbce0ec1371e0b331"
 ARG EICRECON_VERSION="28108da4a1e8919a05dfdb5f11e114800a2cbe96"
 ARG EPIC_VERSION="c1827f05430b2051df8a0b421db1cbab87165e0b"
 ARG JUGGLER_VERSION="df87bf1f8643afa8e80bece9d36d6dc26dfe8132"
-ADD https://api.github.com/repos/eic/edm4eic/commits/${EDM4EIC_VERSION} /tmp/edm4eic.json
-ADD https://api.github.com/repos/eic/eicrecon/commits/${EICRECON_VERSION} /tmp/eicrecon.json
-ADD https://api.github.com/repos/eic/epic/commits/${EPIC_VERSION} /tmp/epic.json
-ADD https://api.github.com/repos/eic/juggler/commits/${JUGGLER_VERSION} /tmp/juggler.json
 
 # Concretization (custom environment)
 RUN <<EOF
 set -e
 spack env activate --dir ${SPACK_ENV}
 if [ "${EDM4EIC_VERSION}" != "8aeb507f93a93257c99985efbce0ec1371e0b331" ] ; then
-  export EDM4EIC_VERSION=$(jq -r .sha /tmp/edm4eic.json)
   sed -i "/# EDM4EIC_VERSION$/ s/@[^' ]*/@git.${EDM4EIC_VERSION}=main/" /opt/spack-environment/packages.yaml
   spack deconcretize -y --all edm4eic
 fi
 if [ "${EICRECON_VERSION}" != "28108da4a1e8919a05dfdb5f11e114800a2cbe96" ] ; then
-  export EICRECON_VERSION=$(jq -r .sha /tmp/eicrecon.json)
   sed -i "/# EICRECON_VERSION$/ s/@[^' ]*/@git.${EICRECON_VERSION}=main/" /opt/spack-environment/packages.yaml
   spack deconcretize -y --all eicrecon
 fi
 if [ "${EPIC_VERSION}" != "c1827f05430b2051df8a0b421db1cbab87165e0b" ] ; then
-  export EPIC_VERSION=$(jq -r .sha /tmp/epic.json)
   sed -i "/# EPIC_VERSION$/ s/epic\s/epic@git.${EPIC_VERSION}=main /" /opt/spack-environment/${ENV}/spack.yaml
   sed -i "/# EPIC_VERSION$/ s/epic@main\s/epic@git.${EPIC_VERSION}=main /" /opt/spack-environment/${ENV}/spack.yaml
   spack deconcretize -y --all epic
 fi
 if [ "${JUGGLER_VERSION}" != "df87bf1f8643afa8e80bece9d36d6dc26dfe8132" ] ; then
-  export JUGGLER_VERSION=$(jq -r .sha /tmp/juggler.json)
   sed -i "/# JUGGLER_VERSION$/ s/@[^' ]*/@git.${JUGGLER_VERSION}=main/" /opt/spack-environment/packages.yaml
   spack deconcretize -y --all juggler
 fi