@invarn/cibuild 1.5.4 → 1.5.6

package/dist/src/shared/prompts.d.ts

@@ -1,11 +1,15 @@
 import type { YAMLPipeline } from "../yaml/types.js";
 import type { CIConfig } from "../types.js";
 /**
- * True only when stdin AND stdout are real TTYs. Sandboxed runs
- * (Tart guest via `tart exec`, CI pipelines, redirected shells) all
- * fail this check and therefore must never reach an interactive
- * prompt — hanging on an unanswerable question turns a clear error
- * into a silent timeout.
+ * True only when stdin AND stdout are real TTYs AND the caller has not
+ * explicitly opted out of interactivity.
+ *
+ * `process.stdin.isTTY` is unreliable as a sole signal: Tart guest
+ * sessions opened via `tart exec` attach a pseudo-TTY, so the check
+ * passes and the prompt runs — only for nobody to ever answer it. The
+ * runner sets `CIBUILD_NON_INTERACTIVE=1` (and the generic `CI=1` env
+ * is also honored) to make the override unambiguous regardless of
+ * whether the shell looks interactive.
  */
 export declare function isInteractiveTTY(): boolean;
 /**

package/dist/src/shared/prompts.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"prompts.d.ts","sourceRoot":"","sources":["../../../src/shared/prompts.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAE5C;;;;;;GAMG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAE1C;AAED;;;;GAIG;AACH,wBAAsB,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CA0BxF;AAED;;;;;;;GAOG;AACH,wBAAsB,yBAAyB,CAC7C,YAAY,EAAE,YAAY,EAC1B,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,QAAQ,EAChB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,CAAC,CAwFlB"}
+{"version":3,"file":"prompts.d.ts","sourceRoot":"","sources":["../../../src/shared/prompts.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAE5C;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAU1C;AAED;;;;GAIG;AACH,wBAAsB,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CA0BxF;AAED;;;;;;;GAOG;AACH,wBAAsB,yBAAyB,CAC7C,YAAY,EAAE,YAAY,EAC1B,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,QAAQ,EAChB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,CAAC,CAwFlB"}

package/dist/src/shared/prompts.js

@@ -3,13 +3,23 @@ import { StepValidator, formatValidationResult } from "../yaml/step-validator.js
 import { MissingEnvHandler } from "../yaml/missing-env-handler.js";
 import { MissingEnvironmentVariableError } from "../yaml/env-resolver.js";
 /**
- * True only when stdin AND stdout are real TTYs. Sandboxed runs
- * (Tart guest via `tart exec`, CI pipelines, redirected shells) all
- * fail this check and therefore must never reach an interactive
- * prompt — hanging on an unanswerable question turns a clear error
- * into a silent timeout.
+ * True only when stdin AND stdout are real TTYs AND the caller has not
+ * explicitly opted out of interactivity.
+ *
+ * `process.stdin.isTTY` is unreliable as a sole signal: Tart guest
+ * sessions opened via `tart exec` attach a pseudo-TTY, so the check
+ * passes and the prompt runs — only for nobody to ever answer it. The
+ * runner sets `CIBUILD_NON_INTERACTIVE=1` (and the generic `CI=1` env
+ * is also honored) to make the override unambiguous regardless of
+ * whether the shell looks interactive.
  */
 export function isInteractiveTTY() {
+    if (process.env.CIBUILD_NON_INTERACTIVE === '1' ||
+        process.env.CIBUILD_NON_INTERACTIVE === 'true' ||
+        process.env.CI === '1' ||
+        process.env.CI === 'true') {
+        return false;
+    }
     return Boolean(process.stdin.isTTY && process.stdout.isTTY);
 }
 /**

package/dist/src/yaml/step-validator.d.ts

@@ -34,12 +34,24 @@ export declare class StepValidator {
     private validateRequirement;
     /**
      * Extracts all $VAR and ${VAR} variable names referenced in an object recursively.
+     *
+     * `${{ secrets.X }}` / `${{ vars.X }}` references are deliberately ignored:
+     * those are resolved by the runner-side interpolator before cibuild sees
+     * the YAML (or by the dashboard's secrets-resolver on dispatch). Without
+     * this filter the inner regex would capture `{ secrets.X ` as if it were
+     * a `${VAR}` reference, producing garbled variable names in the
+     * missing-env error output.
      */
     private extractVariableReferences;
     /**
      * Replaces all unresolved $VAR and ${VAR} references with empty string.
      * Used as a lenient fallback when full interpolation fails, so that
      * getValidationRequirements can detect truly-missing variables correctly.
+     *
+     * `${{ ... }}` refs are left intact — they belong to the runner-side
+     * interpolator / dashboard secrets-resolver layer, not to shell-level
+     * variable substitution. Stripping them here would destroy the YAML for
+     * any downstream consumer that still expects to see them.
      */
     private stripUnresolvedVars;
     /**

package/dist/src/yaml/step-validator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"step-validator.d.ts","sourceRoot":"","sources":["../../../src/yaml/step-validator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,YAAY,CAAC;AACzE,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAGV,wBAAwB,EAGzB,MAAM,uBAAuB,CAAC;AAwB/B;;;;GAIG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAe;IAC/B,OAAO,CAAC,QAAQ,CAAe;IAC/B,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,MAAM,CAAW;IACzB,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,YAAY,CAAC,CAAS;IAG9B,OAAO,CAAC,gBAAgB,CAAoE;IAG5F,OAAO,CAAC,mBAAmB,CAA6B;gBAGtD,QAAQ,EAAE,YAAY,EACtB,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,QAAQ,EAChB,YAAY,CAAC,EAAE,MAAM;IAwBvB;;;OAGG;IACG,gBAAgB,IAAI,OAAO,CAAC,wBAAwB,CAAC;IA8M3D;;OAEG;YACW,mBAAmB;IAsDjC;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAoBjC;;;;OAIG;IACH,OAAO,CAAC,mBAAmB;IAiB3B;;OAEG;IACH,OAAO,CAAC,SAAS;CA8BlB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,wBAAwB,GAAG,MAAM,CA4D/E"}
+{"version":3,"file":"step-validator.d.ts","sourceRoot":"","sources":["../../../src/yaml/step-validator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,YAAY,CAAC;AACzE,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAGV,wBAAwB,EAGzB,MAAM,uBAAuB,CAAC;AAwB/B;;;;GAIG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAe;IAC/B,OAAO,CAAC,QAAQ,CAAe;IAC/B,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,MAAM,CAAW;IACzB,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,YAAY,CAAC,CAAS;IAG9B,OAAO,CAAC,gBAAgB,CAAoE;IAG5F,OAAO,CAAC,mBAAmB,CAA6B;gBAGtD,QAAQ,EAAE,YAAY,EACtB,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,QAAQ,EAChB,YAAY,CAAC,EAAE,MAAM;IAwBvB;;;OAGG;IACG,gBAAgB,IAAI,OAAO,CAAC,wBAAwB,CAAC;IA8M3D;;OAEG;YACW,mBAAmB;IAsDjC;;;;;;;;;OASG;IACH,OAAO,CAAC,yBAAyB;IAsBjC;;;;;;;;;OASG;IACH,OAAO,CAAC,mBAAmB;IAoB3B;;OAEG;IACH,OAAO,CAAC,SAAS;CA8BlB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,wBAAwB,GAAG,MAAM,CA4D/E"}

package/dist/src/yaml/step-validator.js

@@ -285,13 +285,22 @@ export class StepValidator {
     }
     /**
      * Extracts all $VAR and ${VAR} variable names referenced in an object recursively.
+     *
+     * `${{ secrets.X }}` / `${{ vars.X }}` references are deliberately ignored:
+     * those are resolved by the runner-side interpolator before cibuild sees
+     * the YAML (or by the dashboard's secrets-resolver on dispatch). Without
+     * this filter the inner regex would capture `{ secrets.X ` as if it were
+     * a `${VAR}` reference, producing garbled variable names in the
+     * missing-env error output.
      */
     extractVariableReferences(obj) {
         const vars = new Set();
         if (typeof obj === 'string') {
+            // Strip `${{ ... }}` refs first so they can't be mis-matched as `${VAR}`.
+            const sanitized = obj.replace(/\$\{\{[^}]*\}\}/g, '');
             const pattern = /\$\{([^}]+)\}|\$([A-Z_][A-Z_0-9]*)/g;
             let match;
-            while ((match = pattern.exec(obj)) !== null) {
+            while ((match = pattern.exec(sanitized)) !== null) {
                 vars.add(match[1] || match[2]);
             }
         }
@@ -313,10 +322,18 @@ export class StepValidator {
      * Replaces all unresolved $VAR and ${VAR} references with empty string.
      * Used as a lenient fallback when full interpolation fails, so that
      * getValidationRequirements can detect truly-missing variables correctly.
+     *
+     * `${{ ... }}` refs are left intact — they belong to the runner-side
+     * interpolator / dashboard secrets-resolver layer, not to shell-level
+     * variable substitution. Stripping them here would destroy the YAML for
+     * any downstream consumer that still expects to see them.
      */
     stripUnresolvedVars(obj) {
         if (typeof obj === 'string') {
-            return obj.replace(/\$\{[^}]+\}|\$[A-Z_][A-Z_0-9]*/g, '');
+            // `(?!\{)` prevents `\$\{[^}]+\}` from matching a leading `${` of
+            // `${{ ... }}` and stripping the inner content. Plain `$VAR` and
+            // `${VAR}` are still stripped as before.
+            return obj.replace(/\$\{(?!\{)[^}]+\}|\$[A-Z_][A-Z_0-9]*/g, '');
         }
         if (Array.isArray(obj)) {
             return obj.map((item) => this.stripUnresolvedVars(item));

package/dist/src/yaml/steps/cache.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cache.d.ts","sourceRoot":"","sources":["../../../../src/yaml/steps/cache.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAkBxD;;;;;;GAMG;AACH,MAAM,WAAW,WAAW;IAC1B,4HAA4H;IAC5H,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,sHAAsH;IACtH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,yGAAyG;IACzG,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,eAAO,MAAM,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAUrD,CAAC;AA8DF;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,qBAAqB,CAAC,EAAE,OAAO,CAAC;CACjC;AAED;;;GAGG;AACH,qBAAa,qBAAsB,SAAQ,gBAAgB;IACnD,OAAO,CAAC,MAAM,EAAE,eAAe,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;YAsGzF,iBAAiB;CA8KhC;AAED;;;GAGG;AACH,qBAAa,qBAAsB,SAAQ,gBAAgB;IACnD,OAAO,CAAC,MAAM,EAAE,eAAe,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;YA4JzF,iBAAiB;CA6HhC"}
+{"version":3,"file":"cache.d.ts","sourceRoot":"","sources":["../../../../src/yaml/steps/cache.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAkBxD;;;;;;GAMG;AACH,MAAM,WAAW,WAAW;IAC1B,4HAA4H;IAC5H,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,sHAAsH;IACtH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,yGAAyG;IACzG,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,eAAO,MAAM,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAUrD,CAAC;AA8DF;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,qBAAqB,CAAC,EAAE,OAAO,CAAC;CACjC;AAED;;;GAGG;AACH,qBAAa,qBAAsB,SAAQ,gBAAgB;IACnD,OAAO,CAAC,MAAM,EAAE,eAAe,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;YAsGzF,iBAAiB;CAsLhC;AAED;;;GAGG;AACH,qBAAa,qBAAsB,SAAQ,gBAAgB;IACnD,OAAO,CAAC,MAAM,EAAE,eAAe,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;YA4JzF,iBAAiB;CA2IhC"}

package/dist/src/yaml/steps/cache.js

@@ -252,6 +252,10 @@ export class CachePullStepExecutor extends BaseStepExecutor {
             commands.push('  echo "Cache file size: $(du -h "$CACHE_FILE" | cut -f1)"');
         }
         commands.push('  zstd -dc "$CACHE_FILE" | tar -xf - -C /');
+        // LRU bump: lift this tarball to the top of `ls -t` so retention's age
+        // cap counts last-used time, not last-written. Without this, a tarball
+        // hit daily would still be reaped on its 31st day from creation.
+        commands.push('  touch "$CACHE_FILE"');
         commands.push('  echo "CACHE_SOURCE=local CACHE_KEY=$CACHE_KEY"');
         // 2. Peer hit — tee to warm local cache while extracting in one pass
         if (peerCacheDir) {
@@ -301,6 +305,10 @@ export class CachePullStepExecutor extends BaseStepExecutor {
             commands.push('      echo "Fallback size: $(du -h "$__ci_fb" | cut -f1)"');
         }
         commands.push('      zstd -dc "$__ci_fb" | tar -xf - -C /');
+        // LRU bump for the fallback tarball — we restored from it, so it earns
+        // its place at the top of the retention sort even if the exact-key
+        // tarball is the one that gets created in this run's cache-push.
+        commands.push('      touch "$__ci_fb"');
         commands.push('      echo "CACHE_SOURCE=fallback_$__ci_fb_src CACHE_KEY=$CACHE_KEY FALLBACK_KEY=$__ci_fb_key"');
         commands.push('    else');
         commands.push('      echo "Cache fallback candidate $__ci_fb_key is ${__ci_fb_age_days}d old, exceeds 30d cap — going cold"');
@@ -541,34 +549,48 @@ export class CachePushStepExecutor extends BaseStepExecutor {
             commands.push('fi');
         }
         commands.push('');
-        // Skip if cache already exists for this key
-        commands.push('if [ -f "$CACHE_FILE" ]; then');
-        commands.push('  echo "Cache already up to date for key: $CACHE_KEY"');
-        commands.push('elif [ ${#PATHS_TO_CACHE[@]} -gt 0 ]; then');
+        // Always re-archive on success: ~/.gradle/caches and friends are
+        // write-through accumulators — same fingerprint key does NOT imply
+        // unchanged contents (Gradle's build-cache-1 keeps appending task
+        // outputs as sources change). Skipping here would freeze the tarball
+        // at first-mint and let it drift further from current state on every
+        // build. Atomic .tmp + mv overwrites any prior tarball under this key.
+        commands.push('if [ ${#PATHS_TO_CACHE[@]} -gt 0 ]; then');
         commands.push('  echo "Caching ${#PATHS_TO_CACHE[@]} path(s)..."');
-        // Atomic write: compress to .tmp, then mv. No lock needed — runs are
-        // serialized per runner and cross-writer races resolve to last-writer-wins
-        // without corruption. shlock was flaky on the virtiofs cache mount.
         commands.push('  tar -cf - "${PATHS_TO_CACHE[@]}" 2>/dev/null | zstd -3 > "$CACHE_FILE.tmp" && mv "$CACHE_FILE.tmp" "$CACHE_FILE" || true');
         commands.push('  if [ -f "$CACHE_FILE" ]; then');
         commands.push('    echo "Cache created successfully"');
         if (isDebugMode) {
             commands.push('    echo "Cache size: $(du -h "$CACHE_FILE" | cut -f1)"');
         }
-        // Retention: keep 5 newest tarballs per <keyPrefix>-<projectId> scope,
-        // delete older ones to bound disk usage. Runs inline after every push;
-        // no cron required.
+        // Retention per-scope: (1) keep N newest by mtime — touched on hit in
+        // cache-pull so this is LRU, not strictly creation-order; (2) delete
+        // anything past the age cap regardless of position; (3) enforce a size
+        // budget, oldest-out. Two passes are required: the size pass needs the
+        // post-cleanup set, otherwise its running sum counts tarballs that the
+        // count/age pass is about to delete and over-evicts.
         commands.push('    __ci_ret_scope="${CACHE_KEY%-*}"');
-        // `|| true` guards against pipefail when ls matches nothing (first push
-        // for a new scope) — otherwise the step would silently exit non-zero.
-        commands.push('    __ci_ret_old=$(ls -t "$CACHE_DIR"/"$__ci_ret_scope"-*.tar.zst 2>/dev/null | tail -n +6 || true)');
-        commands.push('    if [ -n "$__ci_ret_old" ]; then');
-        commands.push('      __ci_ret_count=$(printf "%s\\n" "$__ci_ret_old" | wc -l | tr -d " ")');
-        commands.push('      echo "Retention: removing $__ci_ret_count older tarball(s) from scope $__ci_ret_scope"');
-        commands.push('      printf "%s\\n" "$__ci_ret_old" | while IFS= read -r __ci_ret_f; do');
-        commands.push('        [ -f "$__ci_ret_f" ] && rm -f "$__ci_ret_f"');
-        commands.push('      done');
-        commands.push('    fi');
+        commands.push('    __ci_ret_count_cap=5');
+        commands.push('    __ci_ret_age_cap=$((30 * 86400))');
+        commands.push('    __ci_ret_size_cap_kb="${CIBUILD_CACHE_SCOPE_BUDGET_KB:-10485760}"');
+        commands.push('    __ci_ret_now=$(date +%s)');
+        commands.push('    __ci_ret_idx=0');
+        commands.push('    while IFS= read -r __ci_ret_f; do');
+        commands.push('      __ci_ret_idx=$((__ci_ret_idx + 1))');
+        commands.push('      __ci_ret_age=$(( __ci_ret_now - $(stat -f %m "$__ci_ret_f" 2>/dev/null || echo "$__ci_ret_now") ))');
+        commands.push('      if [ "$__ci_ret_idx" -gt "$__ci_ret_count_cap" ] || [ "$__ci_ret_age" -gt "$__ci_ret_age_cap" ]; then');
+        commands.push('        rm -f "$__ci_ret_f"');
+        commands.push('      fi');
+        commands.push('    done < <(ls -t "$CACHE_DIR"/"$__ci_ret_scope"-*.tar.zst 2>/dev/null)');
+        commands.push('    __ci_ret_running_kb=0');
+        commands.push('    while IFS= read -r __ci_ret_f; do');
+        commands.push('      __ci_ret_size=$(du -k "$__ci_ret_f" 2>/dev/null | cut -f1)');
+        commands.push('      __ci_ret_size=${__ci_ret_size:-0}');
+        commands.push('      __ci_ret_running_kb=$((__ci_ret_running_kb + __ci_ret_size))');
+        commands.push('      if [ "$__ci_ret_running_kb" -gt "$__ci_ret_size_cap_kb" ]; then');
+        commands.push('        rm -f "$__ci_ret_f"');
+        commands.push('      fi');
+        commands.push('    done < <(ls -t "$CACHE_DIR"/"$__ci_ret_scope"-*.tar.zst 2>/dev/null)');
         commands.push('  else');
         commands.push('    echo "Warning: Failed to create cache file"');
         commands.push('  fi');

package/dist/src/yaml/steps/steps.test.js

@@ -379,20 +379,21 @@ describe('Step Implementations', () => {
             expect(result.script).toContain('> "$CACHE_FILE.tmp"');
             expect(result.script).toContain('mv "$CACHE_FILE.tmp" "$CACHE_FILE"');
         });
-        test('should sweep retention (keep 5 newest per scope) after successful push', async () => {
+        test('should sweep retention (count + age + size budget) after successful preset push', async () => {
             const executor = new CachePushStepExecutor();
             const result = await executor.execute({ technology: 'kmm' }, {}, testConfig);
-            // Scope = prefix + projectId; retention globs that scope and keeps 5 newest
             expect(result.script).toContain('__ci_ret_scope="${CACHE_KEY%-*}"');
             expect(result.script).toContain('ls -t "$CACHE_DIR"/"$__ci_ret_scope"-*.tar.zst');
-            expect(result.script).toContain('tail -n +6');
+            expect(result.script).toContain('__ci_ret_count_cap=5');
+            expect(result.script).toContain('__ci_ret_age_cap=$((30 * 86400))');
+            expect(result.script).toContain('CIBUILD_CACHE_SCOPE_BUDGET_KB');
             expect(result.script).toContain('rm -f "$__ci_ret_f"');
         });
         test('should not run retention for manual cache_key push (no scope)', async () => {
             const executor = new CachePushStepExecutor();
             const result = await executor.execute({ cache_key: 'my-key', cache_paths: ['build'] }, {}, testConfig);
             expect(result.script).not.toContain('__ci_ret_scope');
-            expect(result.script).not.toContain('tail -n +6');
+            expect(result.script).not.toContain('__ci_ret_count_cap');
         });
         test('should use atomic write (tmp + mv) for manual cache_key push', async () => {
             const executor = new CachePushStepExecutor();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@invarn/cibuild",
-  "version": "1.5.4",
+  "version": "1.5.6",
   "description": "CI Build CLI — local pipeline orchestration and validation",
   "type": "module",
   "main": "dist/cli.cjs",