From 50538d789bea9be2d9bf88a41f9d75ff79b2e251 Mon Sep 17 00:00:00 2001
From: "n8n-cat-bot[bot]" <283985454+n8n-cat-bot[bot]@users.noreply.github.com>
Date: Wed, 27 May 2026 08:37:51 +0000
Subject: [PATCH] ci: Retry and cache Aikido SafeChain binary in setup-nodejs
 (#31185)

Co-authored-by: n8n-cat-bot[bot] <n8n-cat-bot[bot]@users.noreply.github.com>
---
 .github/actions/setup-nodejs/action.yml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/.github/actions/setup-nodejs/action.yml b/.github/actions/setup-nodejs/action.yml
index a9285fc499f..57b55d3e919 100644
--- a/.github/actions/setup-nodejs/action.yml
+++ b/.github/actions/setup-nodejs/action.yml
@@ -90,6 +90,19 @@ runs:
         mkdir -p "$HOME/.safe-chain"
         cp "${{ github.action_path }}/safe-chain.config.json" "$HOME/.safe-chain/config.json"
 
+    # Cache the SafeChain binary keyed on version + platform. The binary path
+    # is deterministic, so subsequent jobs across the CI fanout (E2E shards,
+    # docker-cluster, unit, lint, typecheck, ...) hit the cache instead of
+    # the GH release CDN. Layered with retry below — cache reduces blast
+    # radius across jobs, retry covers the first-job-per-key case where the
+    # CDN must be hit. Keep the version in sync with the install step below.
+    - name: Restore Aikido SafeChain Binary
+      id: cache-safe-chain
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      with:
+        path: ~/.safe-chain/bin
+        key: safe-chain-1.5.3-${{ runner.os }}-${{ runner.arch }}
+
     - name: Install Aikido SafeChain
       run: |
         VERSION="1.5.3"
@@ -97,7 +110,12 @@ runs:
         node .github/scripts/retry.mjs --attempts 3 --delay 10 -- \
           curl -fsSL -o install-safe-chain.sh "https://github.com/AikidoSec/safe-chain/releases/download/${VERSION}/install-safe-chain.sh"
         echo "${EXPECTED_SHA256}  install-safe-chain.sh" | sha256sum -c -
-        sh install-safe-chain.sh --ci
+        # Wrap the install in retry too — it internally fetches the
+        # safe-chain binary from the GH release CDN, which has hit
+        # transient 404s. The install script no-ops the binary download
+        # when the cached binary is already present.
+        node .github/scripts/retry.mjs --attempts 3 --delay 10 -- \
+          sh install-safe-chain.sh --ci
         rm install-safe-chain.sh
       shell: bash