Merge pull request #17782 from MinaProtocol/dkijania/debian_repo_cache_fix

[CI] Fix debian caching issue when publishing

Author: dkijania

buildkite/scripts/release/manager.sh

@@ -402,8 +402,9 @@ function publish_debian() {
     local __backend=$9
     local __debian_repo=${10}
     local __arch=${11:-DEFAULT_ARCHITECTURE}
-    local __debian_sign_key=${12}
-    local __new_artifact_name=${13:-""}
+    local __force_upload_debians=${12:-0}
+    local __debian_sign_key=${13}
+    local __new_artifact_name=${14:-""}
 
     get_cached_debian_or_download $__backend $__artifact $__codename "$__network" "$__arch"
     local __artifact_full_name
@@ -443,6 +444,7 @@ function publish_debian() {
             --names "$DEBIAN_CACHE_FOLDER/$__codename/${__new_artifact_name}_${__target_version}_${__arch}.deb" \
             --version $__target_version \
             --bucket $__debian_repo \
+            "$(if [[ $__force_upload_debians == 1 ]]; then echo "--force"; fi)" \
             -c $__codename \
             -r $__channel \
             --arch $__arch \
@@ -604,6 +606,8 @@ function publish_help(){
     printf "  %-25s %s\n" "--backend" "[string] backend to use for storage. e.g gs,hetzner. default: gs";
     printf "  %-25s %s\n" "--debian-repo" "[string] debian repository to publish to. default: $DEBIAN_REPO";
     printf "  %-25s %s\n" "--debian-sign-key" "[string] debian signing key to use. default: lack of presence = no signing";
+    printf "  %-25s %s\n" "--strip-network-from-archive" "[bool] strip network from archive name. E.g mina-archive-devnet -> mina-archive";
+    printf "  %-25s %s\n" "--force-upload-debians" "[bool] force upload debian packages even if they exist already in the repository";
     echo ""
     echo "Example:"
     echo ""
@@ -636,6 +640,7 @@ function publish(){
     local __debian_sign_key=""
     local __strip_network_from_archive=0
     local __arch=${DEFAULT_ARCHITECTURE}
+    local __force_upload_debians=0
 
     while [ ${#} -gt 0 ]; do
         error_message="❌ Error: a value is needed for '$1'";
@@ -711,6 +716,10 @@ function publish(){
                 __arch=${2:?$error_message}
                 shift 2;
             ;;
+            --force-upload-debians )
+                __force_upload_debians=1
+                shift 1;
+            ;;
             * )
                 echo -e "❌ ${RED} !! Unknown option: $1${CLEAR}\n";
                 echo "";
@@ -758,6 +767,7 @@ function publish(){
     echo " - Debian sign key: $__debian_sign_key"
     echo " - Strip network from archive: $__strip_network_from_archive"
     echo " - Architecture: $__arch"
+    echo " - Force upload debians: $__force_upload_debians"
     echo ""
 
     if [[ $__backend != "gs" && $__backend != "hetzner" && $__backend != "local" ]]; then
@@ -798,6 +808,7 @@ function publish(){
                                         $__backend \
                                         $__debian_repo \
                                         "$__arch" \
+                                        "$__force_upload_debians" \
                                         "$__debian_sign_key"
                             fi
 
@@ -827,6 +838,7 @@ function publish(){
                                             $__backend \
                                             $__debian_repo \
                                             "$__arch" \
+                                            "$__force_upload_debians" \
                                             "$__debian_sign_key" \
                                             "$new_name"
                                 fi
@@ -850,6 +862,7 @@ function publish(){
                                             $__backend \
                                             $__debian_repo \
                                             "$__arch" \
+                                            "$__force_upload_debians" \
                                             "$__debian_sign_key"
                                 fi
 
@@ -872,6 +885,7 @@ function publish(){
                                             $__backend \
                                             $__debian_repo \
                                             "$__arch" \
+                                            "$__force_upload_debians" \
                                             "$__debian_sign_key"
                                 fi
 

buildkite/src/Command/Packages/Publish.dhall

@@ -229,6 +229,7 @@ let publish
                                   ++  "--target-version ${r.value} "
                                   ++  "--codenames ${codenames} "
                                   ++  "--only-dockers "
+                                  ++  "--force-upload-debians "
                                 )
                             ]
                           , label = "Docker Packages Publishing"

scripts/debian/publish.sh

@@ -7,13 +7,17 @@ RED='\033[0;31m'
 ARCH=amd64
 BUCKET=packages.o1test.net
 
+# Forcing upload debian even if it exists already
+FORCE=0
+
 while [[ "$#" -gt 0 ]]; do case $1 in
   -n|--names) DEB_NAMES="$2"; shift;;
   -a|--arch) ARCH="$2"; shift;;
   -r|--release) DEB_RELEASE="$2"; shift;;
   -v|--version) DEB_VERSION="$2"; shift;;
   -c|--codename) DEB_CODENAME="$2"; shift;;
   -b|--bucket) BUCKET="$2"; shift;;
+  -f|--force) FORCE=1;;
   -s|--sign) SIGN="$2"; shift;;
   *) echo "❌  Unknown parameter passed: $1"; exit 1;;
 esac; shift; done
@@ -34,6 +38,45 @@ function usage() {
   exit 1
 }
 
+# Invalidate CloudFront cache for the given bucket or CNAME and paths
+# This is to ensure that after uploading new debs, users don't get stale
+# package lists from CloudFront cache
+# Usage: invalidate_cache [bucket-or-cname] codename
+# Example: invalidate_cache nightly.apt.packages.minaprotocol.com bookworm
+function invalidate_cache() {
+  BUCKET_OR_CNAME="${1:-nightly.apt.packages.minaprotocol.com}"
+  PATHS_TO_INVALIDATE="/dists/$2/*"
+
+  echo "🔎 Resolving ${BUCKET_OR_CNAME}..."
+  CF_DOMAIN=$(dig +short CNAME "${BUCKET_OR_CNAME}" | sed 's/\.$//')
+  CF_DOMAIN=$(dig +short CNAME "${BUCKET_OR_CNAME}" | sed 's/\.$//')
+
+  if [[ -z "$CF_DOMAIN" ]]; then
+    echo "❌ Could not resolve ${BUCKET_OR_CNAME} to a CloudFront domain."
+    exit 1
+  fi
+
+  echo "✅ Found CloudFront domain: ${CF_DOMAIN}"
+
+  echo "📋 Searching for distribution ID in CloudFront..."
+  DIST_ID=$(aws cloudfront list-distributions \
+    --query "DistributionList.Items[?DomainName=='${CF_DOMAIN}'].Id" \
+    --output text)
+
+  if [[ -z "$DIST_ID" ]]; then
+    echo "❌ No CloudFront distribution found for domain ${CF_DOMAIN}"
+    exit 1
+  fi
+
+  echo "✅ Found CloudFront distribution ID: ${DIST_ID}"
+
+  echo "🚀 Creating invalidation for paths: ${PATHS_TO_INVALIDATE}"
+  aws cloudfront create-invalidation \
+    --distribution-id "${DIST_ID}" \
+    --paths "${PATHS_TO_INVALIDATE}"
+}
+
+
 if [[ -z "$DEB_NAMES" ]]; then usage "❌  Debian(s) to upload are not set!"; fi;
 if [[ -z "$DEB_VERSION" ]]; then usage "❌  Version is not set!"; fi;
 if [[ -z "$DEB_CODENAME" ]]; then usage "❌  Codename is not set!"; fi;
@@ -55,8 +98,6 @@ else
   GPG_OPTS=("--gpg-options=\"--batch" "--pinentry-mode=loopback" "--yes")
 fi
 
-
-
 echo "Publishing debs: ${DEB_NAMES} to Release: ${DEB_RELEASE} and Codename: ${DEB_CODENAME}"
 # Upload the deb files to s3.
 # If this fails, attempt to remove the lockfile and retry.
@@ -69,18 +110,20 @@ for _ in {1..10}; do (
 #>> Attempting to obtain a lock
 #/var/lib/gems/2.3.0/gems/deb-s3-0.10.0/lib/deb/s3/lock.rb:24:in `throw': uncaught throw #"Unable to obtain a lock after 60, giving up."
 deb-s3 upload $BUCKET_ARG $S3_REGION_ARG \
-  --fail-if-exists \
+  "$([ "$FORCE" -eq 0 ] && echo "--fail-if-exists")" \
   --lock \
   --arch $ARCH \
   --preserve-versions \
-  --cache-control=max-age=120 \
+  --cache-control "no-store,no-cache,must-revalidate" \
   $SIGN_ARG \
   --component "${DEB_RELEASE}" \
   --codename "${DEB_CODENAME}" \
   "${GPG_OPTS[@]}" \
   "${DEB_NAMES}"
 ) && break || (MINA_DEB_BUCKET=${BUCKET} scripts/debian/clear-s3-lockfile.sh); done
 
+invalidate_cache "$BUCKET" "$DEB_CODENAME"
+
 for deb in $DEB_NAMES
 do
   # extracting name from debian package path. E.g: