[build][bazel] Combine remote setup CI actions (#8893)

When the bazel remote cache was switched from buildbuddy to a self
hosted server in #8342, I asked that the buildbuddy hooks be remain so
that I could still use their caching service for local builds.

The downside of this was that my forks builds aren't leveraging
buildbuddy, so if I'm fiddling with something heavy like a wpimath
robotpy thing, my CI builds never update a cache and never are warm when
I push fixups.


This PR combines the `setup-bazel-remote` and `setup-build-buddy`
actions which set up the bazel remote cache. Rather than having two
different version, the correct one will be choosen in the following
order:
1. Use wpi's server with write access if the `bazel_remote` information
is set (This basically would only happen on main branch in
`wpilibsuite/allwpilib` since secrets aren't accessible from builds
originating in forks)
2. Use buildbuddy if the key it is present (This would work for my fork
builds)
3. Fall back to the readonly version of wpi's server


As seen
[here](https://github.com/bzlmodRio/allwpilib/actions/runs/25777428163/job/75712863120#step:7:28)
the build in my fork will run with buildbuddy, and my PR's build here
should fall back to readonly mode.

.bazelrc

@@ -68,7 +68,6 @@ build:remote_user --config=remote_cache_readonly
 build:remote_user --remote_download_toplevel
 
 common:ci --color=yes
-build:ci --config=remote_cache
 build:ci --remote_download_minimal
 build:ci --progress_report_interval=60 --show_progress_rate_limit=60
 

.github/actions/setup-bazel-cache/action.yml

@@ -0,0 +1,38 @@
+name: 'Setup Bazel Cache'
+description: 'Configures the Bazel remote cache. Prefers WPI bazel-remote (R/W), falls back to BuildBuddy, then readonly WPI cache.'
+
+inputs:
+  bazel_remote_username:
+    description: 'WPI Bazel remote cache username'
+  bazel_remote_password:
+    description: 'WPI Bazel remote cache password'
+  bazel_remote_url:
+    description: 'WPI Bazel remote cache base URL (no credentials or protocol, e.g. gitlib-bazel.wpi.edu)'
+    default: 'gitlib-bazel.wpi.edu'
+  buildbuddy_token:
+    description: 'BuildBuddy API token'
+
+runs:
+  using: "composite"
+  steps:
+    - name: Resolve Bazel cache configuration
+      env:
+        CACHE_USER: ${{ inputs.bazel_remote_username }}
+        CACHE_PASS: ${{ inputs.bazel_remote_password }}
+        REMOTE_URL: ${{ inputs.bazel_remote_url }}
+        BB_TOKEN: ${{ inputs.buildbuddy_token }}
+      shell: bash
+      run: |
+        if [ -n "${CACHE_USER}" ] && [ -n "${CACHE_PASS}" ]; then
+          echo "WPI bazel-remote credentials detected; configuring R/W access"
+          echo "build:remote_cache --remote_cache=grpcs://${CACHE_USER}:${CACHE_PASS}@${REMOTE_URL}" > bazel_auth.rc
+          echo "build:ci --config=remote_cache" >> bazel_auth.rc
+        elif [ -n "${BB_TOKEN}" ]; then
+          echo "BuildBuddy token detected; configuring BuildBuddy cache"
+          echo "build:build_buddy --remote_header=x-buildbuddy-api-key=${BB_TOKEN}" > bazel_auth.rc
+          echo "build:ci --config=build_buddy" >> bazel_auth.rc
+        else
+          echo "No cache credentials detected; falling back to readonly WPI cache"
+          echo "build:ci --config=remote_cache" > bazel_auth.rc
+          echo "build:ci --config=remote_cache_readonly" >> bazel_auth.rc
+        fi

.github/actions/setup-bazel-remote/action.yml

@@ -1,37 +0,0 @@
-name: 'Setup Bazel Remote cache'
-description: 'Sets up bazel-remote cache using basic auth from GitHub secrets'
-
-inputs:
-  username:
-    description: 'Bazel remote cache username'
-  password:
-    description: 'Bazel remote cache password'
-  remote_url:
-    description: 'Bazel remote cache base URL (no credentials or protocol, e.g. gitlib-bazel.wpi.edu)'
-    default: 'gitlib-bazel.wpi.edu'
-
-runs:
-  using: "composite"
-  steps:
-    - name: Setup bazel-remote (skip when no creds)
-      env:
-        CACHE_USER: ${{ inputs.username }}
-        CACHE_PASS: ${{ inputs.password }}
-        REMOTE_URL: ${{ inputs.remote_url }}
-      if: ${{ env.CACHE_USER == '' || env.CACHE_PASS == '' }}
-      shell: bash
-      run: |
-        echo "No bazel-remote credentials detected; leaving caching as previously configured"
-        echo "build:ci --config=remote_cache_readonly" >> bazel_auth.rc
-
-    - name: Setup bazel-remote (with creds)
-      env:
-        CACHE_USER: ${{ inputs.username }}
-        CACHE_PASS: ${{ inputs.password }}
-        REMOTE_URL: ${{ inputs.remote_url }}
-      if: ${{ env.CACHE_USER != '' && env.CACHE_PASS != '' }}
-      shell: bash
-      run: |
-        echo "Bazel-remote credentials detected; configuring bazel_auth.rc"
-        URL_WITH_CREDS="grpcs://${CACHE_USER}:${CACHE_PASS}@${REMOTE_URL}"
-        echo "build:remote_cache --remote_cache=${URL_WITH_CREDS}" >> bazel_auth.rc

.github/actions/setup-build-buddy/action.yml

@@ -1,38 +0,0 @@
-name: 'Setup BuildBuddy acache'
-description: 'Sets up the build buddy cache to be readonly / writing based on the presence of environment variables'
-
-inputs:
-  token:
-    description: 'Build Buddy API token'
-
-runs:
-  using: "composite"
-  steps:
-    # Sets up build buddy when no secret is found for the API key. This is most likely because this is triggered from an action from a fork instead of the main allwpilib repo.
-    - name: Setup without key
-      env:
-        API_KEY: ${{ inputs.token }}
-      if: ${{ env.API_KEY == '' }}
-      shell: bash
-      run: |
-          echo "No API key secret detected, will setup readonly cache"
-          echo "build:ci --config=build_buddy_readonly" > bazel_auth.rc
-
-          # Set up the readonly key only if this build is for a pull request. Push builds happen in the forks repository,
-          # so the user should set their own buildbuddy api keys up there. Only enabling it for PR's should reduce heavy
-          # and more random load on the cache.
-          if [ "${{ github.event_name }}" = "pull_request" ]; then
-            echo "Assuming this is a pull request from a fork. Setting up the readonly api key"
-            echo "build:ci --remote_header=x-buildbuddy-api-key=QIOV65PTW1tVal3AJbe7" >> bazel_auth.rc
-          else
-            echo "Not setting up readonly key for trigger ${{ github.event_name }} since this is not a pull request, it is most likely a forks push. See the buildbuddy setup guide in README-Bazel.md to set up caching on your fork"
-          fi
-
-    - name: Set with key
-      env:
-        API_KEY: ${{ inputs.token }}
-      if: ${{ env.API_KEY != '' }}
-      shell: bash
-      run: |
-          echo "API Key detected!"
-          echo "build:build_buddy --remote_header=x-buildbuddy-api-key=${{ env.API_KEY }}" > bazel_auth.rc

.github/workflows/bazel.yml

@@ -66,11 +66,12 @@ jobs:
       - uses: actions/checkout@v6
         with: { fetch-depth: 0 }
 
-      - id: Setup_bazel_remote
+      - id: Setup_bazel_cache
-        uses: ./.github/actions/setup-bazel-remote
+        uses: ./.github/actions/setup-bazel-cache
         with:
-          username: ${{ secrets.BAZEL_CACHE_USERNAME }}
+          bazel_remote_username: ${{ secrets.BAZEL_CACHE_USERNAME }}
-          password: ${{ secrets.BAZEL_CACHE_PASSWORD }}
+          bazel_remote_password: ${{ secrets.BAZEL_CACHE_PASSWORD }}
+          buildbuddy_token: ${{ secrets.BUILDBUDDY_API_KEY }}
 
       - name: Install apt dependencies
         if: runner.os == 'Linux'
@@ -165,14 +166,15 @@ jobs:
       - uses: actions/checkout@v6
         with: { fetch-depth: 0 }
 
-      - id: Setup_bazel_remote
+      - id: Setup_bazel_cache
-        uses: ./.github/actions/setup-bazel-remote
+        uses: ./.github/actions/setup-bazel-cache
         with:
-          username: ${{ secrets.BAZEL_CACHE_USERNAME }}
+          bazel_remote_username: ${{ secrets.BAZEL_CACHE_USERNAME }}
-          password: ${{ secrets.BAZEL_CACHE_PASSWORD }}
+          bazel_remote_password: ${{ secrets.BAZEL_CACHE_PASSWORD }}
+          buildbuddy_token: ${{ secrets.BUILDBUDDY_API_KEY }}
 
       - name: Run Non-RobotPy pregeneration
-        run: bazel run //:write_pregenerated_files
+        run: bazel run --config=ci //:write_pregenerated_files
 
       - name: Check Output
         run: git --no-pager diff --exit-code HEAD
@@ -194,21 +196,23 @@ jobs:
       - uses: actions/checkout@v6
         with: { fetch-depth: 0 }
 
-      - id: Setup_build_buddy
+      - id: Setup_bazel_cache
-        uses: ./.github/actions/setup-build-buddy
+        uses: ./.github/actions/setup-bazel-cache
         with:
-          token: ${{ secrets.BUILDBUDDY_API_KEY }}
+          bazel_remote_username: ${{ secrets.BAZEL_CACHE_USERNAME }}
+          bazel_remote_password: ${{ secrets.BAZEL_CACHE_PASSWORD }}
+          buildbuddy_token: ${{ secrets.BUILDBUDDY_API_KEY }}
 
       # You should ensure the headers are correct before trying to pregen files
       - name: Test Scan Headers
-        run: bazel test //... -k --test_tag_filters=robotpy_scan_headers --build_tests_only
+        run: bazel test --config=ci //... -k --test_tag_filters=robotpy_scan_headers --build_tests_only
         shell: bash
 
       - name: Run yaml file generation
-        run: bazel run //:write_robotpy_update_yaml_files
+        run: bazel run --config=ci //:write_robotpy_update_yaml_files
 
       - name: Run build file generation
-        run: bazel run //:write_robotpy_generated_pybind_files
+        run: bazel run --config=ci //:write_robotpy_generated_pybind_files
 
       - name: Check Output
         run: git --no-pager diff --exit-code HEAD