Setting `pushAuthorizer: { deny: {} }` unexpectedly disables caching of remote assets

[top-oai]

The main issue is that the pushAuthorizer setting is checked every time we call assetStore.Put, and we call assetStore.Put when the Fetch API is called in order to insert the downloaded resource into the asset store/action cache:

bb-remote-asset/pkg/fetch/caching_fetcher.go

Line 182 in 4a9f8ac

err = cf.assetStore.Put(ctx, assetRef, assetData, digestFunction)

This will fail with a permission denied error if pushAuthorizer, which is unexpected, and I think unnecessary, when using the Fetch API. I think the desired behavior is that pushAuthorizer is only consulted when someone uses the Push API.

I found a workaround which is to set allowUpdatesForInstances: []. Doing so will disable the Push API even if you have pushAuthorizer: { allow: {} }.

See https://buildteamworld.slack.com/archives/CD6HZC750/p1755039629595759 where I posted about this in slack.

Looks like the authorizer functionality was added in #36.