[cache] Upload nix dependencies to cache (#2019)

## Summary

## How was it tested?

Author: mikeland73

.github/workflows/cache-upload.yml

@@ -0,0 +1,63 @@
+name: cache-upload
+# Uploads devbox nix dependencies to cache
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  merge_group:
+    branches:
+      - main
+  workflow_dispatch:
+  schedule:
+    - cron: '30 8 * * *' # Run nightly at 8:30 UTC
+
+permissions:
+  contents: read
+  pull-requests: read
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  DEVBOX_API_TOKEN: ${{ secrets.DEVBOX_API_TOKEN }}
+  DEVBOX_DEBUG: 1
+
+jobs:
+  upload-cache:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+
+      # Build devbox from scratch because released devbox has a bug that prevents 
+      # DEVBOX_API_TOKEN use
+      # we can remove this after 0.10.6 is out.
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: ./go.mod
+      - name: Build devbox
+        run: | 
+          go build -o dist/devbox ./cmd/devbox
+          sudo mv ./dist/devbox /usr/local/bin/
+
+      # - name: Install devbox
+      #   uses: jetify-com/devbox-install-action@v0.9.0
+      #   with:
+      #     enable-cache: true
+
+      # We upload twice, once before updating and once after. This shows a simple
+      # method to cache the latest current and latest dependencies.
+      # If we want read access to cache on multi-user nix installs (e.g. macos), 
+      # we need to call devbox cache configure. This is currently not working
+      # as expected on CICD.
+      - name: Upload cache
+        run: |
+          devbox cache upload
+          devbox update
+          devbox cache upload

internal/devbox/cache.go

@@ -32,6 +32,14 @@ func (d *Devbox) UploadProjectToCache(
 	if err != nil {
 		return err
 	}
+
+	// Ensure state is up to date before uploading to cache.
+	// TODO: we may be able to do this more efficiently, not sure everything needs
+	// to be installed.
+	if err = d.ensureStateIsUpToDate(ctx, ensure); err != nil {
+		return err
+	}
+
 	return nix.CopyInstallableToCache(ctx, d.stderr, cacheURI, profilePath, creds.Env())
 }
 

internal/devbox/providers/nixcache/nixcache.go

@@ -7,11 +7,13 @@ import (
 	"time"
 
 	"go.jetpack.io/devbox/internal/build"
+	"go.jetpack.io/devbox/internal/cachehash"
 	"go.jetpack.io/devbox/internal/devbox/providers/identity"
 	"go.jetpack.io/devbox/internal/redact"
 	"go.jetpack.io/devbox/internal/setup"
 	"go.jetpack.io/pkg/api"
 	nixv1alpha1 "go.jetpack.io/pkg/api/gen/priv/nix/v1alpha1"
+	"go.jetpack.io/pkg/auth/session"
 	"go.jetpack.io/pkg/filecache"
 )
 
@@ -80,7 +82,7 @@ func (p *Provider) Credentials(ctx context.Context) (AWSCredentials, error) {
 		return AWSCredentials{}, err
 	}
 	creds, err := cache.GetOrSetWithTime(
-		"credentials-"+token.IDClaims().Subject,
+		"credentials-"+getSubOrAccessTokenHash(token),
 		func() (AWSCredentials, time.Time, error) {
 			token, err := identity.Get().GenSession(ctx)
 			if err != nil {
@@ -116,7 +118,7 @@ func (p *Provider) URI(ctx context.Context) (string, error) {
 	// Landau: I think we can probably remove this cache? This endpoint is very
 	// fast and we only use this for build/upload which are slow.
 	uri, err := cache.GetOrSet(
-		"uri-"+token.IDClaims().Subject,
+		"uri-"+getSubOrAccessTokenHash(token),
 		func() (string, time.Duration, error) {
 			client := api.NewClient(ctx, build.JetpackAPIHost(), token)
 			resp, err := client.GetBinCache(ctx)
@@ -173,3 +175,12 @@ func (a AWSCredentials) Env() []string {
 		"AWS_SESSION_TOKEN=" + a.SessionToken,
 	}
 }
+
+func getSubOrAccessTokenHash(token *session.Token) string {
+	// We need this because the token is missing IDToken when used in CICD.
+	// TODO: Implement AccessToken Parsing so we can extract sub form that.
+	if token.IDClaims() != nil && token.IDClaims().Subject != "" {
+		return token.IDClaims().Subject
+	}
+	return cachehash.Bytes([]byte(token.AccessToken))
+}