
workflows: fix node-gyp S3 path, swap softprops for gh CLI, add CloudFront check#18

Draft
harshita-gupta wants to merge 1 commit into main from harshitagupta/node-gyp-s3-followups

Conversation

@harshita-gupta
Member

Summary

Five follow-up corrections to #17 based on post-merge audit findings:

  1. Move S3 upload from node-gyp/* to node/gyp/*.
    The asana-oss-cache bucket is BlockPublicAccess-enabled; Mac dev laptops read via CloudFront (asana-oss-cache.asana.biz, per the Bazel URL rewriter in tools/bzl/config/external_bazel_downloader.cfg). CloudFront only serves paths listed in path_patterns (codez's asana2/asana/tools/terraform/general/buildinfra/system_packages.tf), which includes node/* but NOT node-gyp/*. The previous path would have 403'd on every Mac Bazel build. Nesting under node/* reuses the existing allowlisted prefix — no Terraform change needed.

  2. Remove --acl public-read from aws s3 cp.
    The bucket has BlockPublicAcls: true AND IgnorePublicAcls: true — the ACL is silently dropped. The IAM role (S3_ACCESS_MODE.PUT) also doesn't grant PutObjectAcl. Reads go via CloudFront anyway, so the flag is misleading dead code.

  3. Replace softprops/action-gh-release with gh release upload (first-party GitHub CLI).
    gh is pre-installed on GitHub-hosted runners. Removes a third-party supply-chain dependency (softprops is a single-maintainer action). --clobber matches softprops's default overwrite behavior.

  4. Add a post-upload CloudFront reachability check.
    If the S3 key prefix ever falls outside CloudFront's path_patterns, Mac builds will silently 403. curl -fsSI against the CloudFront URL fails the workflow at upload time rather than at consumer-build time.

  5. Update stage_for_s3.bash echo text to match the new S3 path and clarify that workflow_dispatch from main is required.

Action pinning

Tag-pinned per codez convention (100% of codez workflows use tags, not SHAs).

Merge prerequisites

  • Companion codez PR (IAM role scope change) merged and z permissions iam push completed, so the IAM role's ARN scope allows node/gyp/* uploads. Without this, aws s3 cp fails with AccessDenied.

Test plan

  • Merge
  • Dispatch build-node-packages.yml from main (not from a version branch)
  • Confirm "Configure AWS credentials" step succeeds
  • Confirm "Upload packages to S3" step succeeds
  • Confirm "Verify upload is reachable via CloudFront" step returns 200 from asana-oss-cache.asana.biz
  • Record the two sha256 hashes + S3 URLs printed by the final step — these go into codez PR #388870's tools_repositories.bzl

Risks

  • If the companion codez IAM PR isn't live yet, this workflow dispatch fails at `Configure AWS credentials` — noisy but non-destructive.
  • If CloudFront's allowlist doesn't actually include `node/*` (it does per verification), the `curl -fsSI` step fails, but the S3 upload already happened. Object stays in S3 but is inaccessible to consumers. Remediation: update CloudFront `path_patterns` via Terraform.

🤖 Generated with Claude Code

…ability check

Several follow-up corrections to PR #17:

1. Move S3 upload from `node-gyp/*` to `node/gyp/*`.
   The `asana-oss-cache` bucket is BlockPublicAccess-enabled, so Mac dev laptops
   read via CloudFront (asana-oss-cache.asana.biz, per the Bazel URL rewriter in
   tools/bzl/config/external_bazel_downloader.cfg). CloudFront only serves paths
   listed in `path_patterns` (terraform/general/buildinfra/system_packages.tf),
   which includes `node/*` but NOT `node-gyp/*`. The previous path would have
   403'd on every Mac Bazel build. Nesting under `node/*` reuses the existing
   allowlisted prefix.

2. Remove `--acl public-read` from `aws s3 cp`.
   The bucket has `BlockPublicAcls: true` AND `IgnorePublicAcls: true` — the
   ACL is silently dropped. The IAM role (S3_ACCESS_MODE.PUT) doesn't grant
   PutObjectAcl either. Reads go via CloudFront anyway, so the flag is misleading
   dead code.

3. Replace `softprops/action-gh-release` with GitHub's first-party `gh` CLI.
   `gh release upload` is pre-installed on GitHub-hosted runners, removes a
   third-party supply-chain dependency, and behaves equivalently (with --clobber).

4. Add a post-upload CloudFront reachability check (`curl -fI`).
   If the S3 key prefix ever falls outside CloudFront's path_patterns, Mac builds
   will silently 403. Failing the workflow here surfaces the issue before
   consumers hit it.

5. Update stage_for_s3.bash's echo text to match the new S3 path and clarify that
   workflow_dispatch from main is required.

Action pinning: tag-pinned per codez convention (100% of codez workflows use
tags, not SHAs).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
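Added example, not part of this PR or of the project's workflow files: a shell sketch of the two checks the description and commit message argue for in items 1 and 4 (refuse a key that no CloudFront path_pattern serves before uploading, and HEAD the CloudFront URL with curl -fsSI afterwards), plus the sha256/URL pair the test plan asks to record for tools_repositories.bzl. The bucket name and CloudFront host are taken from the description; the path_patterns list, the function names and the curl timeout are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the PR's workflow step or the project's code. It models the
# two checks the PR describes for an S3 bucket fronted by CloudFront:
#   (a) refuse an upload whose key falls outside the CloudFront path_patterns
#       allowlist, so the "uploaded but 403s for consumers" state never happens;
#   (b) after upload, HEAD the CloudFront URL with curl -fsSI and fail if it
#       is not 2xx.
# Bucket and host come from the PR description; the pattern list, the function
# names and the curl timeout are assumptions for illustration.
set -eu

BUCKET="asana-oss-cache"
CLOUDFRONT_HOST="asana-oss-cache.asana.biz"
# Space-separated list mirroring CloudFront path_patterns (assumed: the real
# Terraform lists more prefixes; only node/* matters for this example).
CLOUDFRONT_PATH_PATTERNS="node/*"

# Return 0 if the S3 key matches one of the allowlisted patterns. Shell pattern
# matching treats '*' the way CloudFront does here: it spans '/' too, so node/*
# covers node/gyp/<file>. Globbing is switched off while the list is split so a
# local directory named node/ cannot expand the pattern into filenames.
key_is_served_by_cloudfront() {
  key="$1"
  matched=1
  case $- in *f*) had_noglob=1 ;; *) had_noglob=0; set -f ;; esac
  for pattern in $CLOUDFRONT_PATH_PATTERNS; do
    case "$key" in
      $pattern) matched=0 ;;
    esac
  done
  [ "$had_noglob" -eq 1 ] || set +f
  return "$matched"
}

# The URL a Mac Bazel build actually fetches once the URL rewriter has mapped
# the bucket to CloudFront.
cloudfront_url_for_key() {
  printf 'https://%s/%s\n' "$CLOUDFRONT_HOST" "$1"
}

# Pre-upload guard: the failure the PR found (node-gyp/* uploads fine, then
# 403s for every consumer) is caught before any object is written.
assert_key_is_served() {
  if ! key_is_served_by_cloudfront "$1"; then
    echo "refusing to upload '$1': no CloudFront path_pattern matches it" >&2
    echo "allowlisted patterns: $CLOUDFRONT_PATH_PATTERNS" >&2
    return 1
  fi
}

# Post-upload check (the PR's step 4). -f makes curl exit non-zero on HTTP
# errors, -s/-S keep output quiet except for failures, -I sends HEAD.
verify_reachable_via_cloudfront() {
  url="$(cloudfront_url_for_key "$1")"
  if curl -fsSI --max-time 30 "$url" >/dev/null; then
    echo "ok: $url"
  else
    echo "CloudFront check failed for $url: object is in S3 but consumers will 403" >&2
    return 1
  fi
}

# sha256 of a local file, portable across GNU (sha256sum) and macOS (shasum).
sha256_of_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# The "<sha256> <url>" pair the test plan says to record for tools_repositories.bzl.
consumer_record() {
  printf '%s %s\n' "$(sha256_of_file "$2")" "$(cloudfront_url_for_key "$1")"
}

# End-to-end step as a workflow would call it:
#   upload_and_verify node/gyp/node-gyp-v10.tgz ./dist/node-gyp-v10.tgz
# No --acl public-read: the bucket has BlockPublicAcls/IgnorePublicAcls and the
# role lacks PutObjectAcl, so the flag would be silently dropped anyway.
upload_and_verify() {
  key="$1"
  local_file="$2"
  assert_key_is_served "$key"
  aws s3 cp "$local_file" "s3://$BUCKET/$key"
  verify_reachable_via_cloudfront "$key"
  consumer_record "$key" "$local_file"
}
```

The pre-upload guard is the part the PR itself does not add: the curl check only fires after the object is already in S3, which is the "uploaded but unreachable" state listed under Risks. Checking the key against the same allowlist first means a future prefix change fails before anything is written, and the sha256/URL line is exactly what gets pasted into the Bazel repository rule.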