Expand description
Remote cache backend for GHA runners via opendal.
When KTSTR_GHA_CACHE=1 and ACTIONS_CACHE_URL are set, cache
operations transparently extend to a remote GHA cache. Local cache
is always authoritative: lookups check local first, stores write to
both. Remote failures are non-fatal (logged as warnings).
Cache entries are serialized as tar archives containing the kernel image, vmlinux (if present), and metadata.json, stored as a single blob per cache key in the GHA cache service.
Tar payloads are zstd-compressed before upload and decompressed on
download. Decompression is bounded by
MAX_DECOMPRESSED_REMOTE_CACHE_BYTES to guard against a hostile
zstd payload (zstd compresses pathologically well on repeated
bytes, so a few-KiB blob can decompress to gigabytes). A blob that
does not start with the zstd magic number is rejected.
Constants§
- MAX_
DECOMPRESSED_ REMOTE_ CACHE_ BYTES - Decompressed-size ceiling for
decompress_payloadzstd payloads. Bounds the allocation a malicious or corrupted zstd payload from the GHA cache service can force, since zstd compresses pathologically well on repeated bytes (a few-KiB compressed blob can decompress to gigabytes). 1 GiB covers any realistic cache entry — bzImage is ~15 MiB, stripped vmlinux ~45 MiB, an unstripped debug vmlinux with BTF can reach ~500 MiB — while bounding worst-case allocation against hostile zstd payloads. Public so a downstream consumer can size buffers against the same ceiling without hardcoding the value.
Functions§
- is_
enabled - Check if remote GHA cache is enabled.
- remote_
lookup - Look up a cache key in the remote GHA cache.
- remote_
store - Store a cache entry in the remote GHA cache.