From 5a40382354890e743e0e4f0f51cb48c9c7c26fc8 Mon Sep 17 00:00:00 2001
From: Ralf Anton Beier <ralf_beier@me.com>
Date: Wed, 24 Jun 2026 14:22:12 +0200
Subject: [PATCH] ci: pin rivet-cli to v0.19.0 + version-key its cache
 (protects the release cadence, #242)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Unpinned `rivet --branch main` in the Rivet Validation job has now red-failed a
release TWICE — both times on unchanged artifacts:
  - #229: rivet 0.15.0 promoted a status-enum check WARN→ERROR (schema drift).
  - v0.14.0: rivet 0.19.0's HiGHS C++ dependency filled a self-hosted runner's
    disk on a full rebuild (No space left on device). The rebuild was triggered
    because the bin cache was keyed on Cargo.lock, which a release version bump
    invalidates.

Two fixes, both frozen-safe (CI-only; zero codegen change → frozen fixtures
bit-identical by construction):

1. PIN the install to release tag v0.19.0 (validated clean on this repo's
   artifacts: non-xref ERROR 0, coverage exit 0). Schema/behaviour bumps become
   deliberate, not surprise gate-rednenings.
2. KEY the rivet-cli binary cache on the pinned version (not Cargo.lock), cache
   only `~/.cargo/bin/rivet`, and skip the build when that exact version is
   already present. A release's Cargo.lock change no longer forces the HiGHS
   rebuild that filled the disk.

Self-healing on persistent self-hosted runners: a stale binary fails the
version grep → `cargo install --force --tag v0.19.0` pins it back.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 .github/workflows/ci.yml | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e5e7041..8a524c4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -171,19 +171,27 @@ jobs:
     steps:
       - uses: actions/checkout@v7
       - uses: dtolnay/rust-toolchain@stable
-      - name: Cache Cargo dependencies
+      # Cache the rivet-cli BINARY keyed on its pinned version, NOT on Cargo.lock.
+      # The old key (hashFiles Cargo.lock) invalidated on every release version
+      # bump, forcing a full rebuild of rivet-cli's HiGHS C++ dependency — which
+      # filled a self-hosted runner's disk and red-failed the v0.14.0 release
+      # (No space left on device). Version-keying means a Cargo.lock change no
+      # longer triggers the rebuild; the cached binary is reused.
+      - name: Cache rivet-cli binary
         uses: actions/cache@v5
         with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            ~/.cargo/bin
-            target/
-          key: ${{ runner.os }}-rivet-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-rivet-
-      - name: Install rivet
-        run: cargo install --force --git https://github.com/pulseengine/rivet --branch main rivet-cli
+          path: ~/.cargo/bin/rivet
+          key: ${{ runner.os }}-rivet-cli-v0.19.0
+      # PIN rivet to a release tag (was `--branch main`, unpinned). Unpinned, an
+      # upstream schema/behaviour bump silently reddened the gate on unchanged
+      # artifacts (rivet 0.15.0 promoted a WARN→ERROR, #229). v0.19.0 is validated
+      # clean on this repo's artifacts (non-xref ERROR 0, coverage exit 0). Skip
+      # the (expensive) build entirely on a cache hit.
+      - name: Install rivet (pinned v0.19.0)
+        run: |
+          if ! rivet --version 2>/dev/null | grep -q "0.19.0"; then
+            cargo install --force --git https://github.com/pulseengine/rivet --tag v0.19.0 rivet-cli
+          fi
       - name: Validate artifacts
         run: |
           sed -i '/^externals:/,$d' rivet.yaml