• Add Github Cache workflow to pre-generate Bazel repository cache for macOS and Windows
• Enable cache-save in gh-cache workflow with targeted build targets
• Add cancel-on-failure guard to prevent poisoned cache saves in bazel.yml
• Update workflow triggers to run on dependency file changes or daily schedule
• Grant actions write permission for workflow cancellation capability

Add cancel-on-failure guard for cache poisoning

• Remove cache-version: 2 configuration line
• Add cancel-on-failure step that cancels workflow run if bazel fails and cache-save is enabled
• Step uses GitHub CLI to cancel run and requires actions write permission

.github/workflows/bazel.yml

Grant actions write permission for cancellation

• Add actions: write permission to allow workflow cancellation capability

.github/workflows/ci-rbe.yml

Enable Github Cache workflow with scheduled triggers

• Rename workflow from "CI Cache" to "Github Cache"
• Add push trigger on trunk with paths filter for dependency files (MODULE.bazel, Cargo.lock,
 maven_install.json, etc.)
• Add daily schedule trigger at 6:30 AM UTC
• Change concurrency group from ci-cache to gh-cache
• Add actions: write permission for workflow operations
• Enable cache-save: true to persist generated cache
• Update build targets to test-only paths (//java/test/..., //py:*, //rb/spec/..., etc.)
• Disable repo_contents_cache extraction to reduce cache size

.github/workflows/gh-cache.yml

Description

The gh-cache workflow’s push path filter omits pnpm-lock.yaml and multitool.lock.json, so updates to
these Bazel dependency inputs won’t trigger cache population for macOS/Windows. Because MODULE.bazel
uses these files to generate external repositories, CI may still need to download new artifacts (and
hit the same transient 502/cert failures) until the next scheduled run.

Code

.github/workflows/gh-cache.yml[R4-15]

Evidence

The workflow only triggers on the listed paths, but MODULE.bazel explicitly uses pnpm-lock.yaml and
multitool.lock.json as inputs to external dependency generation; excluding them prevents cache
repopulation when those dependency definitions change.

.github/workflows/gh-cache.yml[4-15]
MODULE.bazel[63-103]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`.github/workflows/gh-cache.yml` uses a `push.paths` filter to decide when to repopulate the GitHub cache, but it does not include key dependency inputs (`pnpm-lock.yaml`, `multitool.lock.json`) that are used by Bazel to generate external repositories. This means macOS/Windows cache population will not run when those files change, leaving caches stale.

### Issue Context
`MODULE.bazel` references both `//:multitool.lock.json` (rules_multitool hub) and `//:pnpm-lock.yaml` (npm_translate_lock). These files directly affect what external assets Bazel will download.

### Fix Focus Areas
- .github/workflows/gh-cache.yml[4-15]

### Proposed fix
Add the missing files to the `on.push.paths` list (at minimum `pnpm-lock.yaml` and `multitool.lock.json`). Consider also including other npm-related inputs referenced by `npm_translate_lock` (e.g. `package.json`, `pnpm-workspace.yaml`, `.npmrc`, and relevant `javascript/**/package.json`) if you want cache population to run immediately when those change.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Description

The reusable .github/workflows/bazel.yml cancels the entire workflow run when Bazel fails (`gh run
cancel ${{ github.run_id }}) if inputs.cache-save` is true, which can turn real failures into an
overall “cancelled” conclusion and disrupt failure-based CI signaling/branch protections. In matrix
callers like gh-cache (macOS/Windows with fail-fast: false), a single OS failure can also cancel
the sibling job, preventing it from completing and saving its cache despite the intended independent
cache population.

Code

.github/workflows/bazel.yml[R299-304]

Evidence

The reusable workflow .github/workflows/bazel.yml contains logic that invokes gh run cancel with
github.run_id when the Bazel step fails while cache-save is enabled, which necessarily cancels
the entire workflow run rather than only the failing job. Separately,
.github/workflows/gh-cache.yml runs a macOS/Windows matrix with fail-fast: false and enables
cache-save: true for each leg, making that cancellation path reachable in either OS job; as a
result, a Bazel failure in one leg can terminate the whole run and thereby stop the other matrix job
from completing and saving its cache.

.github/workflows/bazel.yml[299-304]
.github/workflows/gh-cache.yml[27-42]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
A Bazel failure currently triggers `gh run cancel ${{ github.run_id }}` in the reusable Bazel workflow when `inputs.cache-save` is enabled, which cancels the entire workflow run. This can mask genuine build failures as cancellations, disrupt failure-based CI signaling/branch protections, and in matrix callers (e.g., gh-cache with `fail-fast: false`) it can also cancel sibling OS jobs and prevent them from completing and saving their caches.

## Issue Context
The run-cancellation step lives in the reusable workflow, so it impacts every workflow that calls it with `cache-save: true`. In `gh-cache.yml`, each macOS/Windows matrix leg sets `cache-save: true`, so a failure in one OS leg can trigger run-wide cancellation and terminate the other leg even though `fail-fast: false` is intended to allow them to proceed independently.

## Fix Focus Areas
- .github/workflows/bazel.yml[299-304]
- .github/workflows/gh-cache.yml[27-42]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)