SRE-134: Configure sccache with Cloudflare R2 for Rust caching (#8039)

Author: indietyp

.github/actions/install-sccache/action.yml

@@ -1,21 +1,49 @@
 name: Install sccache
 description: Setup sccache for Rust project caching
+inputs:
+  vault_address:
+    description: The URL of the Vault server
+    required: true
 
 runs:
   using: composite
   steps:
+    - name: Retrieve secrets
+      id: secrets
+      uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3.4.0
+      with:
+        exportToken: true
+        url: ${{ inputs.vault_address }}
+        method: jwt
+        role: dev
+        secrets: |
+          infrastructure/data/github/actions/secrets sccache_r2_account_id | SCCACHE_ACCOUNT_ID ;
+          infrastructure/data/github/actions/secrets sccache_r2_bucket | SCCACHE_BUCKET ;
+          infrastructure/data/github/actions/secrets sccache_r2_access_key_id | SCCACHE_AWS_ACCESS_KEY_ID ;
+          infrastructure/data/github/actions/secrets sccache_r2_secret_access_key | SCCACHE_AWS_SECRET_ACCESS_KEY ;
+
     - name: Setup sccache
       uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
 
-    - name: Configure sccache
-      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-      with:
-        script: |
-          core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
-          core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
+    - name: Start sccache server
+      env:
+        SCCACHE_BUCKET: ${{ env.SCCACHE_BUCKET }}
+        SCCACHE_ENDPOINT: https://${{ env.SCCACHE_ACCOUNT_ID }}.r2.cloudflarestorage.com
+        SCCACHE_REGION: auto
+        SCCACHE_LOG: debug
+        SCCACHE_ERROR_LOG: /tmp/sccache.log
+        SCCACHE_S3_USE_SSL: "true"
+        SCCACHE_S3_KEY_PREFIX: "hashintel/hash/"
+        SCCACHE_S3_SERVER_SIDE_ENCRYPTION: "false"
+        SCCACHE_S3_ENABLE_VIRTUAL_HOST_STYLE: "false"
+        AWS_ACCESS_KEY_ID: ${{ env.SCCACHE_AWS_ACCESS_KEY_ID }}
+        AWS_SECRET_ACCESS_KEY: ${{ env.SCCACHE_AWS_SECRET_ACCESS_KEY }}
+        AWS_EC2_METADATA_DISABLED: "true"
+      shell: bash
+      run: |
+        sccache --start-server
 
     - name: Inject sccache variables into environment
       shell: bash
       run: |
-        echo "SCCACHE_GHA_ENABLED=true" >> $GITHUB_ENV
         echo "RUSTC_WRAPPER=${SCCACHE_PATH}" >> $GITHUB_ENV

.github/actions/install-tools/action.yml

@@ -5,6 +5,9 @@ inputs:
   token:
     description: GitHub token for authentication
     required: true
+  vault_address:
+    description: The URL of the Vault server
+    required: true
   rust:
     description: Should Rust be installed? Can either be `"true"` or `true`
     default: "true"
@@ -43,3 +46,5 @@ runs:
     - name: "Install sccache"
       if: ${{ inputs.rust == true || inputs.rust == 'true' }}
       uses: ./.github/actions/install-sccache
+      with:
+        vault_address: ${{ inputs.vault_address }}

.github/workflows/ai-pr-review.yml

@@ -121,6 +121,8 @@ jobs:
     needs: check-conditions
     if: needs.check-conditions.outputs.should_review == 'true'
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
     steps:
       - name: Checkout source code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -131,6 +133,7 @@ jobs:
         uses: ./.github/actions/install-tools
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          vault_address: ${{ secrets.VAULT_ADDR }}
           rust: false
 
       - name: Warm up repository

.github/workflows/bench.yml

@@ -34,6 +34,8 @@ jobs:
     needs: [optimize-ci]
     if: needs.optimize-ci.outputs.skip == 'false'
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
     outputs:
       unit: ${{ steps.packages.outputs.unit }}
       integration: ${{ steps.packages.outputs.integration }}
@@ -47,6 +49,7 @@ jobs:
         uses: ./.github/actions/install-tools
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          vault_address: ${{ secrets.VAULT_ADDR }}
           rust: false
 
       - name: Determine changed packages
@@ -90,6 +93,7 @@ jobs:
         uses: ./.github/actions/install-tools
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          vault_address: ${{ secrets.VAULT_ADDR }}
 
       - name: Prune repository
         if: github.event_name == 'pull_request'
@@ -129,6 +133,7 @@ jobs:
         uses: ./.github/actions/install-tools
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          vault_address: ${{ secrets.VAULT_ADDR }}
 
       - name: Prune repository
         uses: ./.github/actions/prune-repository
@@ -209,6 +214,7 @@ jobs:
         uses: ./.github/actions/install-tools
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          vault_address: ${{ secrets.VAULT_ADDR }}
 
       - name: Prune repository
         if: github.event_name == 'pull_request'
@@ -290,6 +296,7 @@ jobs:
         uses: ./.github/actions/install-tools
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          vault_address: ${{ secrets.VAULT_ADDR }}
 
       - name: Prune repository
         uses: ./.github/actions/prune-repository

.github/workflows/canary-release.yml

@@ -11,6 +11,7 @@ jobs:
         uses: ./.github/actions/install-tools
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          vault_address: ${{ secrets.VAULT_ADDR }}
 
       - name: Warm up repository
         uses: ./.github/actions/warm-up-repo

.github/workflows/deploy.yml

@@ -19,6 +19,8 @@ concurrency:
 jobs:
   setup:
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
     outputs:
       sourcemaps: ${{ steps.packages.outputs.sourcemaps }}
     steps:
@@ -31,6 +33,7 @@ jobs:
         uses: ./.github/actions/install-tools
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          vault_address: ${{ secrets.VAULT_ADDR }}
           rust: false
 
       - name: Determine changed packages
@@ -74,6 +77,7 @@ jobs:
         uses: ./.github/actions/install-tools
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          vault_address: ${{ secrets.VAULT_ADDR }}
 
       - name: Prune repository
         uses: ./.github/actions/prune-repository

.github/workflows/lint.yml

@@ -19,6 +19,8 @@ concurrency:
 jobs:
   setup:
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
     outputs:
       packages: ${{ steps.packages.outputs.packages }}
     steps:
@@ -31,6 +33,7 @@ jobs:
         uses: ./.github/actions/install-tools
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          vault_address: ${{ secrets.VAULT_ADDR }}
           rust: false
 
       - name: Determine changed packages
@@ -45,6 +48,7 @@ jobs:
   package:
     name: Package
     permissions:
+      id-token: write
       contents: read
       security-events: write
     needs: [setup]
@@ -66,6 +70,7 @@ jobs:
         uses: ./.github/actions/install-tools
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          vault_address: ${{ secrets.VAULT_ADDR }}
 
       - name: Prune repository
         uses: ./.github/actions/prune-repository
@@ -177,6 +182,7 @@ jobs:
   global:
     name: Global
     permissions:
+      id-token: write
       contents: read
       checks: write
       pull-requests: write
@@ -192,6 +198,7 @@ jobs:
         uses: ./.github/actions/install-tools
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          vault_address: ${{ secrets.VAULT_ADDR }}
 
       - name: Warm up repository
         uses: ./.github/actions/warm-up-repo

.github/workflows/publish-blocks-to-preview.yml

@@ -15,6 +15,8 @@ jobs:
   pick-blocks:
     name: Pick blocks
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
     outputs:
       block-dir-names: ${{ steps.list-block-dir-names.outputs.block-dir-names }}
     steps:
@@ -24,6 +26,7 @@ jobs:
         uses: ./.github/actions/install-tools
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          vault_address: ${{ secrets.VAULT_ADDR }}
 
       - name: Warm up repository
         uses: ./.github/actions/warm-up-repo
@@ -39,6 +42,8 @@ jobs:
   process:
     name: Publish
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
     needs:
       - pick-blocks
     strategy:
@@ -53,6 +58,7 @@ jobs:
         uses: ./.github/actions/install-tools
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          vault_address: ${{ secrets.VAULT_ADDR }}
 
       - name: Warm up repository
         uses: ./.github/actions/warm-up-repo

.github/workflows/release.yml

@@ -10,6 +10,8 @@ jobs:
   release:
     runs-on: ubuntu-latest
     if: github.repository == 'hashintel/hash'
+    permissions:
+      id-token: write
 
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -20,6 +22,7 @@ jobs:
         uses: ./.github/actions/install-tools
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          vault_address: ${{ secrets.VAULT_ADDR }}
 
       - name: Warm up repository
         uses: ./.github/actions/warm-up-repo

.github/workflows/test.yml

@@ -33,6 +33,8 @@ jobs:
 
   setup:
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
     outputs:
       unit-tests: ${{ steps.packages.outputs.unit-tests }}
       integration-tests: ${{ steps.packages.outputs.integration-tests }}
@@ -49,6 +51,7 @@ jobs:
         uses: ./.github/actions/install-tools
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          vault_address: ${{ secrets.VAULT_ADDR }}
           rust: false
 
       - name: Determine changed packages
@@ -129,6 +132,7 @@ jobs:
         uses: ./.github/actions/install-tools
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          vault_address: ${{ secrets.VAULT_ADDR }}
 
       - name: Prune repository
         uses: ./.github/actions/prune-repository
@@ -198,6 +202,33 @@ jobs:
         run: |
           turbo run test:miri --filter "${{ matrix.name }}"
 
+      - name: Show sccache logs
+        if: always() && steps.tests.outputs.has-rust == 'true'
+        run: |
+          grep "CannotCache" /tmp/sccache.log | while IFS= read -r line; do
+            # Extract reason - format as "reason1 (reason2)" if comma-separated, otherwise just "reason"
+            if echo "$line" | grep -qE 'CannotCache\([^,]+, [^)]+\):'; then
+              reason=$(echo "$line" | sed -E 's/.*CannotCache\(([^,]+), ([^)]+)\):.*/\1 (\2)/')
+            else
+              reason=$(echo "$line" | sed -E 's/.*CannotCache\(([^)]+)\):.*/\1/')
+            fi
+
+            # Extract crate name if present
+            if echo "$line" | grep -q '"--crate-name"'; then
+              crate=$(echo "$line" | sed -E 's/.*"--crate-name", "([^"]+)".*/\1/')
+            else
+              crate="<no crate name>"
+            fi
+
+            # Extract args
+            args=$(echo "$line" | sed -E 's/.*CannotCache\([^)]+\): (\[.+\])$/\1/')
+
+            echo ""
+            echo "reason: $reason"
+            echo "crate:  $crate"
+            echo "args:   $args"
+          done
+
   build:
     name: Build
     permissions:
@@ -235,6 +266,8 @@ jobs:
       fail-fast: false
     if: needs.setup.outputs.integration-tests != '{"name":[],"include":[]}' && needs.optimize-ci.outputs.skip == 'false'
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -246,6 +279,7 @@ jobs:
         uses: ./.github/actions/install-tools
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          vault_address: ${{ secrets.VAULT_ADDR }}
 
       - name: Prune repository
         uses: ./.github/actions/prune-repository