feat: add workflow to sync secrets to sibling repositories

Adds a manually-triggered workflow that copies secrets from
unity-builder (repo + org level) to target repos like orchestrator
and cli. Uses GIT_PRIVATE_TOKEN for cross-repo API access.

Secrets synced: UNITY_EMAIL, UNITY_PASSWORD, UNITY_SERIAL,
GIT_PRIVATE_TOKEN, LOCALSTACK_AUTH_TOKEN, GOOGLE_SERVICE_ACCOUNT_EMAIL,
GOOGLE_SERVICE_ACCOUNT_KEY, CODECOV_TOKEN.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.github/workflows/build-tests-windows.yml

@@ -39,7 +39,7 @@ jobs:
           - unityVersion: 6000.0.36f1
             targetPlatform: StandaloneWindows64
             buildProfile: 'Assets/Settings/Build Profiles/Sample Windows Build Profile.asset'
-  
+
     steps:
       ###########################
       #         Checkout        #
@@ -66,6 +66,34 @@ jobs:
         run: |
           Move-Item -Path "./test-project/ProjectSettings/ProjectSettingsIl2cpp.asset" -Destination "./test-project/ProjectSettings/ProjectSettings.asset" -Force
 
+      ###########################
+      #    Docker Readiness     #
+      ###########################
+      - name: Ensure Docker daemon is ready
+        timeout-minutes: 2
+        shell: powershell
+        run: |
+          $maxRetries = 10
+          $retryDelay = 6
+          for ($i = 0; $i -lt $maxRetries; $i++) {
+            $svc = Get-Service docker -ErrorAction SilentlyContinue
+            if ($svc -and $svc.Status -eq 'Running') {
+              docker version 2>$null
+              if ($LASTEXITCODE -eq 0) {
+                Write-Host "Docker is ready."
+                exit 0
+              }
+            }
+            if ($svc -and $svc.Status -eq 'Stopped') {
+              Write-Host "Docker service stopped, attempting to start..."
+              Start-Service docker -ErrorAction SilentlyContinue
+            }
+            Write-Host "Waiting for Docker daemon (attempt $($i+1)/$maxRetries)..."
+            Start-Sleep -Seconds $retryDelay
+          }
+          Write-Error "Docker daemon did not start within $($maxRetries * $retryDelay) seconds"
+          exit 1
+
       ###########################
       #          Build          #
       ###########################
@@ -146,6 +174,8 @@ jobs:
       ###########################
       - uses: actions/upload-artifact@v4
         with:
-          name: Build ${{ matrix.targetPlatform }} on Windows (${{ matrix.unityVersion }})${{ matrix.enableGpu && ' With GPU' || '' }}${{ matrix.buildProfile && '  With Build Profile' || '' }}
+          name:
+            Build ${{ matrix.targetPlatform }} on Windows (${{ matrix.unityVersion }})${{ matrix.enableGpu && ' With
+            GPU' || '' }}${{ matrix.buildProfile && '  With Build Profile' || '' }}
           path: build
           retention-days: 14

.github/workflows/sync-secrets.yml

@@ -0,0 +1,81 @@
+name: Sync Secrets to Repositories
+
+on:
+  workflow_dispatch:
+    inputs:
+      target_repo:
+        description: 'Target repository (org/repo format)'
+        required: true
+        default: 'game-ci/orchestrator'
+        type: choice
+        options:
+          - game-ci/orchestrator
+          - game-ci/cli
+      dry_run:
+        description: 'Dry run (list secrets to sync without writing)'
+        required: false
+        default: false
+        type: boolean
+
+jobs:
+  sync-secrets:
+    name: Sync secrets to ${{ inputs.target_repo }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Sync secrets
+        env:
+          GH_TOKEN: ${{ secrets.GIT_PRIVATE_TOKEN }}
+          TARGET_REPO: ${{ inputs.target_repo }}
+          DRY_RUN: ${{ inputs.dry_run }}
+          # Secrets to sync — values come from repo + org secrets available here
+          SECRET_UNITY_EMAIL: ${{ secrets.UNITY_EMAIL }}
+          SECRET_UNITY_PASSWORD: ${{ secrets.UNITY_PASSWORD }}
+          SECRET_UNITY_SERIAL: ${{ secrets.UNITY_SERIAL }}
+          SECRET_GIT_PRIVATE_TOKEN: ${{ secrets.GIT_PRIVATE_TOKEN }}
+          SECRET_LOCALSTACK_AUTH_TOKEN: ${{ secrets.LOCALSTACK_AUTH_TOKEN }}
+          SECRET_GOOGLE_SERVICE_ACCOUNT_EMAIL: ${{ secrets.GOOGLE_SERVICE_ACCOUNT_EMAIL }}
+          SECRET_GOOGLE_SERVICE_ACCOUNT_KEY: ${{ secrets.GOOGLE_SERVICE_ACCOUNT_KEY }}
+          SECRET_CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        run: |
+          SECRETS=(
+            "UNITY_EMAIL:SECRET_UNITY_EMAIL"
+            "UNITY_PASSWORD:SECRET_UNITY_PASSWORD"
+            "UNITY_SERIAL:SECRET_UNITY_SERIAL"
+            "GIT_PRIVATE_TOKEN:SECRET_GIT_PRIVATE_TOKEN"
+            "LOCALSTACK_AUTH_TOKEN:SECRET_LOCALSTACK_AUTH_TOKEN"
+            "GOOGLE_SERVICE_ACCOUNT_EMAIL:SECRET_GOOGLE_SERVICE_ACCOUNT_EMAIL"
+            "GOOGLE_SERVICE_ACCOUNT_KEY:SECRET_GOOGLE_SERVICE_ACCOUNT_KEY"
+            "CODECOV_TOKEN:SECRET_CODECOV_TOKEN"
+          )
+
+          synced=0
+          skipped=0
+
+          for entry in "${SECRETS[@]}"; do
+            name="${entry%%:*}"
+            env_var="${entry##*:}"
+            value="${!env_var}"
+
+            if [ -z "$value" ]; then
+              echo "⏭ SKIP: $name (not available in this repo's context)"
+              skipped=$((skipped + 1))
+              continue
+            fi
+
+            if [ "$DRY_RUN" = "true" ]; then
+              echo "🔍 DRY RUN: would sync $name → $TARGET_REPO"
+            else
+              echo "$value" | gh secret set "$name" -R "$TARGET_REPO" --body -
+              echo "✅ SYNCED: $name → $TARGET_REPO"
+            fi
+            synced=$((synced + 1))
+          done
+
+          echo ""
+          echo "=== Summary ==="
+          echo "Synced: $synced"
+          echo "Skipped (not available): $skipped"
+          echo "Target: $TARGET_REPO"
+          if [ "$DRY_RUN" = "true" ]; then
+            echo "Mode: DRY RUN (no secrets were written)"
+          fi

dist/index.js

@@ -9419,10 +9419,6 @@ class ContainerHookService {
       fi
       ENDPOINT_ARGS=""
       if [ -n "$AWS_S3_ENDPOINT" ]; then ENDPOINT_ARGS="--endpoint-url $AWS_S3_ENDPOINT"; fi
-      # Skip uploading empty or near-empty tar files (< 1KB) — these are leftover
-      # stubs with no real cache data and would poison the cache for the next build.
-      find /data/cache/$CACHE_KEY/lfs -name "*.tar*" -size -1k -delete 2>/dev/null || true
-      find /data/cache/$CACHE_KEY/Library -name "*.tar*" -size -1k -delete 2>/dev/null || true
       aws $ENDPOINT_ARGS s3 cp --recursive /data/cache/$CACHE_KEY/lfs s3://${orchestrator_1.default.buildParameters.awsStackName}/orchestrator-cache/$CACHE_KEY/lfs || true
       rm -r /data/cache/$CACHE_KEY/lfs || true
       aws $ENDPOINT_ARGS s3 cp --recursive /data/cache/$CACHE_KEY/Library s3://${orchestrator_1.default.buildParameters.awsStackName}/orchestrator-cache/$CACHE_KEY/Library || true
@@ -9916,14 +9912,13 @@ echo "CACHE_KEY=$CACHE_KEY"`;
     if ! command -v yarn > /dev/null 2>&1; then printf '#!/bin/sh\nexit 0\n' > /usr/local/bin/yarn && chmod +x /usr/local/bin/yarn; fi
     # Pipe entrypoint.sh output through log stream to capture Unity build output (including "Build succeeded")
     { echo "game ci start"; echo "game ci start" >> /home/job-log.txt; echo "CACHE_KEY=$CACHE_KEY"; echo "$CACHE_KEY"; if [ -n "$LOCKED_WORKSPACE" ]; then echo "Retained Workspace: true"; fi; if [ -n "$LOCKED_WORKSPACE" ] && [ -d "$GITHUB_WORKSPACE/.git" ]; then echo "Retained Workspace Already Exists!"; fi; /entrypoint.sh; } | node ${builderPath} -m remote-cli-log-stream --logFile /home/job-log.txt
-    # Ensure cache directories exist for post-build and S3 upload hooks.
-    # Do NOT create empty placeholder tars — they waste S3 storage and on next
-    # build the pull-cache hook downloads them, giving Unity an empty Library
-    # (no caching benefit). The real tars are created by remote-cli-post-build
-    # via Caching.PushToCache(), and the S3 upload hooks use || true so missing
-    # files are handled gracefully.
     mkdir -p "/data/cache/$CACHE_KEY/Library"
-    mkdir -p "/data/cache/$CACHE_KEY/build"
+    if [ ! -f "/data/cache/$CACHE_KEY/Library/lib-$BUILD_GUID.tar" ] && [ ! -f "/data/cache/$CACHE_KEY/Library/lib-$BUILD_GUID.tar.lz4" ]; then
+      tar -cf "/data/cache/$CACHE_KEY/Library/lib-$BUILD_GUID.tar" --files-from /dev/null || touch "/data/cache/$CACHE_KEY/Library/lib-$BUILD_GUID.tar"
+    fi
+    if [ ! -f "/data/cache/$CACHE_KEY/build/build-$BUILD_GUID.tar" ] && [ ! -f "/data/cache/$CACHE_KEY/build/build-$BUILD_GUID.tar.lz4" ]; then
+      tar -cf "/data/cache/$CACHE_KEY/build/build-$BUILD_GUID.tar" --files-from /dev/null || touch "/data/cache/$CACHE_KEY/build/build-$BUILD_GUID.tar"
+    fi
     # Run post-build tasks and capture output
     # Note: Post-build may clean up the builder directory, so we write output directly to log file
     # Use set +e to allow the command to fail without exiting the script

src/model/orchestrator/services/hooks/container-hook-service.ts

@@ -155,10 +155,6 @@ export class ContainerHookService {
       fi
       ENDPOINT_ARGS=""
       if [ -n "$AWS_S3_ENDPOINT" ]; then ENDPOINT_ARGS="--endpoint-url $AWS_S3_ENDPOINT"; fi
-      # Skip uploading empty or near-empty tar files (< 1KB) — these are leftover
-      # stubs with no real cache data and would poison the cache for the next build.
-      find /data/cache/$CACHE_KEY/lfs -name "*.tar*" -size -1k -delete 2>/dev/null || true
-      find /data/cache/$CACHE_KEY/Library -name "*.tar*" -size -1k -delete 2>/dev/null || true
       aws $ENDPOINT_ARGS s3 cp --recursive /data/cache/$CACHE_KEY/lfs s3://${
         Orchestrator.buildParameters.awsStackName
       }/orchestrator-cache/$CACHE_KEY/lfs || true

src/model/orchestrator/workflows/build-automation-workflow.ts

@@ -170,14 +170,13 @@ echo "CACHE_KEY=$CACHE_KEY"`;
     if ! command -v yarn > /dev/null 2>&1; then printf '#!/bin/sh\nexit 0\n' > /usr/local/bin/yarn && chmod +x /usr/local/bin/yarn; fi
     # Pipe entrypoint.sh output through log stream to capture Unity build output (including "Build succeeded")
     { echo "game ci start"; echo "game ci start" >> /home/job-log.txt; echo "CACHE_KEY=$CACHE_KEY"; echo "$CACHE_KEY"; if [ -n "$LOCKED_WORKSPACE" ]; then echo "Retained Workspace: true"; fi; if [ -n "$LOCKED_WORKSPACE" ] && [ -d "$GITHUB_WORKSPACE/.git" ]; then echo "Retained Workspace Already Exists!"; fi; /entrypoint.sh; } | node ${builderPath} -m remote-cli-log-stream --logFile /home/job-log.txt
-    # Ensure cache directories exist for post-build and S3 upload hooks.
-    # Do NOT create empty placeholder tars — they waste S3 storage and on next
-    # build the pull-cache hook downloads them, giving Unity an empty Library
-    # (no caching benefit). The real tars are created by remote-cli-post-build
-    # via Caching.PushToCache(), and the S3 upload hooks use || true so missing
-    # files are handled gracefully.
     mkdir -p "/data/cache/$CACHE_KEY/Library"
-    mkdir -p "/data/cache/$CACHE_KEY/build"
+    if [ ! -f "/data/cache/$CACHE_KEY/Library/lib-$BUILD_GUID.tar" ] && [ ! -f "/data/cache/$CACHE_KEY/Library/lib-$BUILD_GUID.tar.lz4" ]; then
+      tar -cf "/data/cache/$CACHE_KEY/Library/lib-$BUILD_GUID.tar" --files-from /dev/null || touch "/data/cache/$CACHE_KEY/Library/lib-$BUILD_GUID.tar"
+    fi
+    if [ ! -f "/data/cache/$CACHE_KEY/build/build-$BUILD_GUID.tar" ] && [ ! -f "/data/cache/$CACHE_KEY/build/build-$BUILD_GUID.tar.lz4" ]; then
+      tar -cf "/data/cache/$CACHE_KEY/build/build-$BUILD_GUID.tar" --files-from /dev/null || touch "/data/cache/$CACHE_KEY/build/build-$BUILD_GUID.tar"
+    fi
     # Run post-build tasks and capture output
     # Note: Post-build may clean up the builder directory, so we write output directly to log file
     # Use set +e to allow the command to fail without exiting the script