feat: replace github actions cache with s3

Replaces actions/cache with custom S3-based caching to avoid upcoming
GitHub Actions cache eviction policy changes.

Changes:
- New S3 cache actions (xahau-ga-cache-restore/save)
- zstd compression (ccache: clang=323/gcc=609 MB, Conan: clang=1.1/gcc=1.9 GB)
- Immutability (first-write-wins)
- Bootstrap mode (creates empty dir if no cache)

Cache clearing tag:
- [ci-ga-clear-cache] - Clear all caches for this job
- [ci-ga-clear-cache:ccache] - Clear only ccache
- [ci-ga-clear-cache:conan] - Clear only conan

Configuration ordering fixes:
- ccache config applied AFTER cache restore (prevents stale cached config)
- Conan profile created AFTER cache restore (prevents stale cached profile)

ccache improvements:
- Single cache directory (~/.ccache)
- Wrapper toolchain (enables ccache without affecting Conan builds)
- Verbose build output (-v flag)
- Fixes #620

Conan improvements:
- Removed branch comparison logic for cache saves
- Cache keys don't include branch names, comparison was ineffective
- Fixes #618

Breaking changes:
- Workflows must pass AWS credentials (aws-access-key-id, aws-secret-access-key)

S3 setup:
- Bucket: xahaud-github-actions-cache-niq (us-east-1)
- Credentials already configured in GitHub secrets

.github/workflows/xahau-ga-macos.yml

@@ -30,6 +30,14 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Get commit message
+        id: get-commit-message
+        uses: ./.github/actions/xahau-ga-get-commit-message
+        with:
+          event-name: ${{ github.event_name }}
+          head-commit-message: ${{ github.event.head_commit.message }}
+          pr-head-sha: ${{ github.event.pull_request.head.sha }}
+
       - name: Install Conan
         run: |
           brew install conan
@@ -78,14 +86,6 @@ jobs:
       - name: Install ccache
         run: brew install ccache
 
-      - name: Configure ccache
-        uses: ./.github/actions/xahau-configure-ccache
-        with:
-          max_size: 2G
-          hash_dir: true
-          compiler_check: content
-          is_main_branch: ${{ github.ref_name == env.MAIN_BRANCH_NAME }}
-
       - name: Check environment
         run: |
           echo "PATH:"
@@ -98,32 +98,12 @@ jobs:
           echo "---- Full Environment ----"
           env
 
-      - name: Configure Conan
+      - name: Detect compiler version
+        id: detect-compiler
         run: |
-          # Create the default profile directory if it doesn't exist
-          mkdir -p ~/.conan2/profiles
-
-          # Detect compiler version
           COMPILER_VERSION=$(clang --version | grep -oE 'version [0-9]+' | grep -oE '[0-9]+')
-
-          # Create profile with our specific settings
-          cat > ~/.conan2/profiles/default <<EOF
-          [settings]
-          arch=armv8
-          build_type=Release
-          compiler=apple-clang
-          compiler.cppstd=20
-          compiler.libcxx=libc++
-          compiler.version=${COMPILER_VERSION}
-          os=Macos
-
-          [conf]
-          # Workaround for gRPC with newer Apple Clang
-          tools.build:cxxflags=["-Wno-missing-template-arg-list-after-template-kw"]
-          EOF
-
-          # Display profile for verification
-          conan profile show
+          echo "compiler_version=${COMPILER_VERSION}" >> $GITHUB_OUTPUT
+          echo "Detected Apple Clang version: ${COMPILER_VERSION}"
 
       - name: Install dependencies
         uses: ./.github/actions/xahau-ga-dependencies
@@ -133,6 +113,13 @@ jobs:
           compiler-id: clang
           cache_version: ${{ env.CACHE_VERSION }}
           main_branch: ${{ env.MAIN_BRANCH_NAME }}
+          os: Macos
+          arch: armv8
+          compiler: apple-clang
+          compiler_version: ${{ steps.detect-compiler.outputs.compiler_version }}
+          stdlib: libcxx
+          aws-access-key-id: ${{ secrets.XAHAUD_GITHUB_ACTIONS_CACHE_NIQ_AWS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.XAHAUD_GITHUB_ACTIONS_CACHE_NIQ_AWS_ACCESS_KEY }}
 
       - name: Build
         uses: ./.github/actions/xahau-ga-build
@@ -143,6 +130,9 @@ jobs:
           compiler-id: clang
           cache_version: ${{ env.CACHE_VERSION }}
           main_branch: ${{ env.MAIN_BRANCH_NAME }}
+          stdlib: libcxx
+          aws-access-key-id: ${{ secrets.XAHAUD_GITHUB_ACTIONS_CACHE_NIQ_AWS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.XAHAUD_GITHUB_ACTIONS_CACHE_NIQ_AWS_ACCESS_KEY }}
 
       - name: Test
         run: |

.github/workflows/xahau-ga-nix.yml

@@ -2,7 +2,7 @@ name: Nix - GA Runner
 
 on:
   push:
-    branches: ["dev", "candidate", "release"]
+    branches: ["dev", "candidate", "release", "nd-experiment-overlayfs-2025-10-29"]
   pull_request:
     branches: ["dev", "candidate", "release"]
   schedule:
@@ -156,12 +156,20 @@ jobs:
     env:
       build_dir: .build
       # Bump this number to invalidate all caches globally.
-      CACHE_VERSION: 2
+      CACHE_VERSION: 3
       MAIN_BRANCH_NAME: dev
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Get commit message
+        id: get-commit-message
+        uses: ./.github/actions/xahau-ga-get-commit-message
+        with:
+          event-name: ${{ github.event_name }}
+          head-commit-message: ${{ github.event.head_commit.message }}
+          pr-head-sha: ${{ github.event.pull_request.head.sha }}
+
       - name: Install build dependencies
         run: |
           sudo apt-get update
@@ -231,48 +239,6 @@ jobs:
           # Install Conan 2
           pip install --upgrade "conan>=2.0,<3"
 
-      - name: Configure ccache
-        uses: ./.github/actions/xahau-configure-ccache
-        with:
-          max_size: 2G
-          hash_dir: true
-          compiler_check: content
-          is_main_branch: ${{ github.ref_name == env.MAIN_BRANCH_NAME }}
-
-      - name: Configure Conan
-        run: |
-          # Create the default profile directory if it doesn't exist
-          mkdir -p ~/.conan2/profiles
-
-          # Determine the correct libcxx based on stdlib parameter
-          if [ "${{ matrix.stdlib }}" = "libcxx" ]; then
-            LIBCXX="libc++"
-          else
-            LIBCXX="libstdc++11"
-          fi
-
-          # Create profile with our specific settings
-          cat > ~/.conan2/profiles/default <<EOF
-          [settings]
-          arch=x86_64
-          build_type=${{ matrix.configuration }}
-          compiler=${{ matrix.compiler }}
-          compiler.cppstd=20
-          compiler.libcxx=${LIBCXX}
-          compiler.version=${{ matrix.compiler_version }}
-          os=Linux
-
-          [buildenv]
-          CC=/usr/bin/${{ matrix.cc }}
-          CXX=/usr/bin/${{ matrix.cxx }}
-
-          [conf]
-          tools.build:compiler_executables={"c": "/usr/bin/${{ matrix.cc }}", "cpp": "/usr/bin/${{ matrix.cxx }}"}
-          EOF
-
-          # Display profile for verification
-          conan profile show
-
       - name: Check environment
         run: |
           echo "PATH:"
@@ -293,7 +259,13 @@ jobs:
           compiler-id: ${{ matrix.compiler_id }}
           cache_version: ${{ env.CACHE_VERSION }}
           main_branch: ${{ env.MAIN_BRANCH_NAME }}
+          compiler: ${{ matrix.compiler }}
+          compiler_version: ${{ matrix.compiler_version }}
+          cc: ${{ matrix.cc }}
+          cxx: ${{ matrix.cxx }}
           stdlib: ${{ matrix.stdlib }}
+          aws-access-key-id: ${{ secrets.XAHAUD_GITHUB_ACTIONS_CACHE_NIQ_AWS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.XAHAUD_GITHUB_ACTIONS_CACHE_NIQ_AWS_ACCESS_KEY }}
 
       - name: Build
         uses: ./.github/actions/xahau-ga-build
@@ -308,6 +280,8 @@ jobs:
           main_branch: ${{ env.MAIN_BRANCH_NAME }}
           stdlib: ${{ matrix.stdlib }}
           clang_gcc_toolchain: ${{ matrix.clang_gcc_toolchain || '' }}
+          aws-access-key-id: ${{ secrets.XAHAUD_GITHUB_ACTIONS_CACHE_NIQ_AWS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.XAHAUD_GITHUB_ACTIONS_CACHE_NIQ_AWS_ACCESS_KEY }}
 
       - name: Set artifact name
         id: set-artifact-name