Initial commit

Author: jdalton

.github/actions/restore-checkpoint/action.yml

@@ -18,20 +18,24 @@ inputs:
   cache-valid:
     description: 'Whether checkpoint cache validation passed (true/false)'
     required: true
+  dry-run:
+    description: 'If true, validate checkpoints without extracting (default: false)'
+    required: false
+    default: 'false'
 
 outputs:
   restored:
     description: 'Whether any checkpoint was restored (true/false)'
-    value: ${{ steps.restore.outputs.restored }}
+    value: ${{ steps.restore.outputs.restored || steps.skip.outputs.restored }}
   checkpoint-restored:
     description: 'Name of the checkpoint that was restored (empty if none)'
-    value: ${{ steps.restore.outputs.checkpoint_restored }}
+    value: ${{ steps.restore.outputs.checkpoint_restored || steps.skip.outputs.checkpoint_restored }}
   checkpoint-index:
     description: 'Index of restored checkpoint (0=newest, higher=older)'
-    value: ${{ steps.restore.outputs.checkpoint_index }}
+    value: ${{ steps.restore.outputs.checkpoint_index || steps.skip.outputs.checkpoint_index }}
   needs-build:
     description: 'Whether build needs to run to complete remaining checkpoints (true/false)'
-    value: ${{ steps.restore.outputs.needs_build }}
+    value: ${{ steps.restore.outputs.needs_build || steps.skip.outputs.needs_build }}
 
 runs:
   using: 'composite'
@@ -49,19 +53,52 @@ runs:
         BUILD_MODE="${{ inputs.build-mode }}"
         CHECKPOINT_CHAIN="${{ inputs.checkpoint-chain }}"
 
+        # Validate inputs to prevent command injection
+        # Use [[ =~ ]] instead of echo|grep to prevent newline injection bypass
+        if ! [[ "${PACKAGE_NAME}" =~ ^[a-zA-Z0-9_-]+$ ]]; then
+          echo "❌ Invalid package name: ${PACKAGE_NAME}"
+          echo "   Package name must contain only alphanumeric characters, hyphens, and underscores"
+          exit 1
+        fi
+
+        if ! [[ "${BUILD_MODE}" =~ ^(prod|dev)$ ]]; then
+          echo "❌ Invalid build mode: ${BUILD_MODE}"
+          echo "   Build mode must be either 'prod' or 'dev'"
+          exit 1
+        fi
+
+        # Validate checkpoint chain has no empty segments
+        if [[ "${CHECKPOINT_CHAIN}" =~ (^,|,,|,$) ]]; then
+          echo "❌ Invalid checkpoint chain: contains empty segments"
+          exit 1
+        fi
+
         MODE_CHECKPOINT_DIR="packages/${PACKAGE_NAME}/build/${BUILD_MODE}/checkpoints"
         SHARED_CHECKPOINT_DIR="packages/${PACKAGE_NAME}/build/shared/checkpoints"
         OUTPUT_DIR="packages/${PACKAGE_NAME}/build/${BUILD_MODE}/out"
+        SHARED_SOURCE_DIR="packages/${PACKAGE_NAME}/build/shared/source"
+        MODE_SOURCE_DIR="packages/${PACKAGE_NAME}/build/${BUILD_MODE}/source"
 
         echo "📦 Package: ${PACKAGE_NAME}"
         echo "🔧 Build mode: ${BUILD_MODE}"
         echo "📁 Mode checkpoint directory: ${MODE_CHECKPOINT_DIR}"
         echo "📁 Shared checkpoint directory: ${SHARED_CHECKPOINT_DIR}"
         echo "📤 Output directory: ${OUTPUT_DIR}"
+        echo "📂 Shared source directory: ${SHARED_SOURCE_DIR}"
+        echo "📂 Mode source directory: ${MODE_SOURCE_DIR}"
         echo ""
 
-        # Parse checkpoint chain into array (comma-separated)
-        IFS=',' read -ra CHECKPOINTS <<< "$CHECKPOINT_CHAIN"
+        # Parse checkpoint chain into array (comma-separated, localize IFS to prevent side effects)
+        # Use trap to ensure IFS is restored even if script exits unexpectedly
+        restore_ifs() {
+          IFS="$OLD_IFS"
+        }
+        OLD_IFS="$IFS"
+        trap restore_ifs EXIT
+        IFS=','
+        read -ra CHECKPOINTS <<< "$CHECKPOINT_CHAIN"
+        IFS="$OLD_IFS"
+        trap - EXIT
 
         echo "🔗 Checkpoint chain (newest → oldest):"
         INDEX=0
@@ -111,18 +148,16 @@ runs:
           echo ""
           echo "✅ Found valid checkpoint: ${CHECKPOINT} (index ${INDEX})"
           break
-
-          INDEX=$((INDEX + 1))
         done
 
         # Check if we found any checkpoint
         if [ -z "${RESTORED_CHECKPOINT}" ]; then
           echo ""
           echo "❌ No valid checkpoints found in chain"
           echo "   Available mode checkpoints:"
-          ls -lh "${MODE_CHECKPOINT_DIR}" 2>/dev/null || echo "   (mode checkpoint directory not found)"
+          find "${MODE_CHECKPOINT_DIR}" -type f -ls 2>/dev/null || echo "   (mode checkpoint directory not found)"
           echo "   Available shared checkpoints:"
-          ls -lh "${SHARED_CHECKPOINT_DIR}" 2>/dev/null || echo "   (shared checkpoint directory not found)"
+          find "${SHARED_CHECKPOINT_DIR}" -type f -ls 2>/dev/null || echo "   (shared checkpoint directory not found)"
           echo ""
           echo "restored=false" >> $GITHUB_OUTPUT
           echo "checkpoint_restored=" >> $GITHUB_OUTPUT
@@ -135,6 +170,24 @@ runs:
         echo "📦 Restoring from checkpoint: ${RESTORED_CHECKPOINT}"
         echo ""
 
+        # Check if this is a dry-run (validation only)
+        if [ "${{ inputs.dry-run }}" = "true" ]; then
+          echo "🔍 DRY-RUN MODE: Validation only, skipping extraction"
+          echo ""
+          echo "✓ Checkpoint validation passed"
+          echo "  Checkpoint: ${RESTORED_CHECKPOINT}"
+          echo "  Index: ${RESTORED_INDEX}"
+          echo "  File: ${CHECKPOINT_FILE}"
+          echo ""
+          echo "ℹ️  In normal mode, this checkpoint would be extracted"
+          echo ""
+          echo "restored=true" >> $GITHUB_OUTPUT
+          echo "checkpoint_restored=${RESTORED_CHECKPOINT}" >> $GITHUB_OUTPUT
+          echo "checkpoint_index=${RESTORED_INDEX}" >> $GITHUB_OUTPUT
+          echo "needs_build=$([ ${RESTORED_INDEX} -eq 0 ] && echo "false" || echo "true")" >> $GITHUB_OUTPUT
+          exit 0
+        fi
+
         # Show tarball contents
         if [ "${RESTORED_CHECKPOINT}" = "source-cloned" ]; then
           CHECKPOINT_FILE="${SHARED_CHECKPOINT_DIR}/${RESTORED_CHECKPOINT}.tar.gz"
@@ -149,13 +202,127 @@ runs:
         fi
         echo ""
 
-        # Extract checkpoint
-        echo "📦 Extracting checkpoint to ${OUTPUT_DIR}..."
-        mkdir -p "${OUTPUT_DIR}"
-        tar -xzf "${CHECKPOINT_FILE}" -C "${OUTPUT_DIR}"
+        # Extract checkpoint to correct directory based on checkpoint name
+        # Checkpoint structure varies by package:
+        #
+        # node-smol-builder:
+        # - finalized → build/{mode}/out/Final/
+        # - binary-compressed → build/{mode}/out/Compressed/
+        # - binary-stripped → build/{mode}/out/Stripped/
+        # - binary-released → build/{mode}/out/Release/
+        # - source-cloned → build/shared/source/
+        # - source-patched → build/{mode}/source/
+        #
+        # onnxruntime-builder, yoga-layout-builder:
+        # - finalized → build/{mode}/out/Final/
+        # - wasm-synced → build/{mode}/out/Synced/
+        # - wasm-released → build/{mode}/out/Released/
+        # - wasm-optimized → build/{mode}/out/Optimized/
+        # - wasm-compiled → build/{mode}/out/Compiled/
+        # - source-configured → build/{mode}/source/ (yoga-layout only)
+        # - source-cloned → build/shared/source/
+        #
+        # models:
+        # - finalized → build/{mode}/out/Final/
+        # - quantized → build/{mode}/models/
+        # - converted → build/{mode}/models/
+        # - downloaded → build/{mode}/models/
+        EXTRACT_DIR="${OUTPUT_DIR}"
+        case "${RESTORED_CHECKPOINT}" in
+          finalized)
+            EXTRACT_DIR="${OUTPUT_DIR}/Final"
+            ;;
+          # node-smol-builder checkpoints
+          binary-compressed)
+            EXTRACT_DIR="${OUTPUT_DIR}/Compressed"
+            ;;
+          binary-stripped)
+            EXTRACT_DIR="${OUTPUT_DIR}/Stripped"
+            ;;
+          binary-released)
+            EXTRACT_DIR="${OUTPUT_DIR}/Release"
+            ;;
+          # onnxruntime-builder, yoga-layout-builder checkpoints
+          wasm-synced)
+            EXTRACT_DIR="${OUTPUT_DIR}/Synced"
+            ;;
+          wasm-released)
+            EXTRACT_DIR="${OUTPUT_DIR}/Released"
+            ;;
+          wasm-optimized)
+            EXTRACT_DIR="${OUTPUT_DIR}/Optimized"
+            ;;
+          wasm-compiled)
+            EXTRACT_DIR="${OUTPUT_DIR}/Compiled"
+            ;;
+          source-configured)
+            # yoga-layout-builder specific: extract to mode source directory
+            EXTRACT_DIR="${MODE_SOURCE_DIR}"
+            ;;
+          # models checkpoints
+          quantized|converted|downloaded)
+            # Models checkpoints extract to build/{mode}/models/
+            EXTRACT_DIR="packages/${PACKAGE_NAME}/build/${BUILD_MODE}/models"
+            ;;
+          # Source checkpoints (shared across packages)
+          source-cloned)
+            # Shared checkpoint: extract to shared source directory
+            EXTRACT_DIR="${SHARED_SOURCE_DIR}"
+            ;;
+          source-patched)
+            # Mode-specific checkpoint: extract to mode source directory
+            EXTRACT_DIR="${MODE_SOURCE_DIR}"
+            ;;
+        esac
+
+        echo "📦 Extracting checkpoint to ${EXTRACT_DIR}..."
+        mkdir -p "${EXTRACT_DIR}"
+
+        # Validate tarball size before extraction (protect against zip bombs)
+        COMPRESSED_SIZE=$(stat -c%s "${CHECKPOINT_FILE}" 2>/dev/null || stat -f%z "${CHECKPOINT_FILE}")
+        MAX_COMPRESSED=$((10 * 1024 * 1024 * 1024))  # 10GB compressed limit
+
+        if [ "${COMPRESSED_SIZE}" -gt "${MAX_COMPRESSED}" ]; then
+          echo "❌ Checkpoint tarball too large: ${COMPRESSED_SIZE} bytes (max: ${MAX_COMPRESSED})"
+          echo "   This may indicate a corrupted or malicious tarball"
+          exit 1
+        fi
+
+        echo "   Tarball size: $((COMPRESSED_SIZE / 1024 / 1024))MB"
+
+        # Extract tarball, stripping the top-level directory wrapper
+        # --strip-components=1: remove first directory level from paths
+        # Example: tarball contains Final/ort.wasm → extracts to out/Final/ort.wasm
+        # All checkpoints create directory archives for consistency
+        if ! tar -xzf "${CHECKPOINT_FILE}" -C "${EXTRACT_DIR}" --strip-components=1; then
+          echo "❌ Failed to extract checkpoint: ${CHECKPOINT_FILE}"
+          echo "   This may indicate disk space issues, permissions problems, or tarball corruption"
+          exit 1
+        fi
+
+        # Verify extraction produced files
+        if [ -z "$(ls -A "${EXTRACT_DIR}" 2>/dev/null)" ]; then
+          echo "❌ Extraction produced no files in ${EXTRACT_DIR}"
+          echo "   Tarball may be empty or extraction path may be incorrect"
+          exit 1
+        fi
+
         echo "✅ Checkpoint extracted successfully"
         echo ""
 
+        # Verify checkpoint metadata JSON exists (needed for shouldRun() detection)
+        # The JSON file lives alongside the tarball and is restored by the cache action
+        CHECKPOINT_JSON="${CHECKPOINT_FILE%.tar.gz}.json"
+        if [ -f "${CHECKPOINT_JSON}" ]; then
+          echo "📝 Checkpoint metadata verified"
+          echo "   ✓ ${CHECKPOINT_JSON}"
+          echo "   Build scripts will detect this checkpoint via shouldRun()"
+        else
+          echo "⚠️  Warning: Checkpoint metadata missing: ${CHECKPOINT_JSON}"
+          echo "   Build may not skip completed phases properly"
+        fi
+        echo ""
+
         # Determine if build needs to run
         NEEDS_BUILD="false"
         if [ ${RESTORED_INDEX} -gt 0 ]; then
@@ -196,6 +363,7 @@ runs:
         echo "needs_build=${NEEDS_BUILD}" >> $GITHUB_OUTPUT
 
     - name: Skip restoration (build will run from scratch)
+      id: skip
       if: inputs.cache-hit != 'true' || inputs.cache-valid != 'true'
       shell: bash
       run: |