I've operated as conservatively as possible in this space in terms of not changing behavior for broken symlinks... however, I do want to go ahead and break on broken symlinks. (And I want to do so in this PR.)

It won't change our caching population or restoration behavior in any way but it will result in a new error.

Thoughts?

(Converted to a draft PR to discuss our path forward here.)

It seems to me like breaking on a broken symlink would change our cache restoration behavior.

IIUC, the current state of the world is that we:

1. cache symlinks verbatim, including broken ones
2. on restore we unroll them (MkdirAll rather than SymLink)
3. In the event of a broken symlink, on restore, we skip it entirely (return godirwalk.SkipThis).

Note also that currently the restore behavior is shared w/ turbo prune.

My opinions on changing behavior:

1. cache restoration should mirror Put, we should restore the links verbatim
2. for the purposes of caching, we should not make any distinction about whether or not a link is broken
3. Ideal for prune would probably be to error on links that traverse out of the set of files we're copying? I think? I'm less sure on this one.

I think we want anything that changes behavior to be a separate PR though.

Our pre-#1354 symlink behavior is likely irredeemably broken and in my estimation should be disregarded.

Before #1354:

• We write files into the cache as files.
• We add another hardlink in the case of encountering a hard link.
• We write symlinks into the cache in a non-portable way:
  1. Determining the target of the symlink that we found in the output.
  2. Remove any pre-existing symlink from the cache directory at that path, which is weird and seems unnecessary.
  3. Creating a new symlink to existing symlink's target from the cache directory.
  4. Do no checking as to whether the symlink is broken or not.

I can't find anywhere it checked the target or forced it to be relative within the same output directory so I am pretty sure that it did not attempt to account for something like this:

// Might work, might not work:
os.Symlink("../vercel/turborepo/turbo.json", "relative-symlink")
relativeTarget, relativeErr := os.Readlink("./relative-symlink")
fmt.Printf("relativeTarget %v, relativeErr %v", relativeTarget, relativeErr)
// relativeTarget ../vercel/turborepo/turbo.json, relativeErr <nil>

// You can see where this is going to be a problem when it restores on your computer...
os.Symlink("/Users/nathanhammond/repos/vercel/turborepo/turbo.json", "absolute-symlink")
absoluteTarget, absoluteErr := os.Readlink("./absolute-symlink")
fmt.Printf("absoluteTarget %v, absoluteErr %v", absoluteTarget, absoluteErr)
// absoluteTarget /Users/nathanhammond/repos/vercel/turborepo/turbo.json, absoluteErr <nil>

The only "safe" implementation I can imagine for caching symlinks is if the target is relative, present, and within the same output directory (and therefore the same cache). As a result, I don't believe that any of our pre-#1354 caches that contained symlinks should have been treated as portable across systems.

Further, by including symlinks, we introduce an edge case for the tar handling that if the target within the archive doesn't exist on disk yet we have to take additional (recursive) passes until either everything is restored, or we discover that we can't do it.

After #1354:

• We write a file into the cache when we read a file.
• We write a file into the cache when we read a hardlink.
• We write a file into the cache when we read a symlink.
• We explicitly swallow the error and do nothing in the case of encountering a broken symlink.

Previously, since we called Lstat and copied the link we did not break when encountering broken symlinks—we simply didn't know anything about them. However, since it was now going to try and Stat them it would break. An additional clause was added in order to protect against that edge case. Valid symlink targets would be read correctly, broken symlinks would no longer be copied.

This was fine because, even pre-#1354, we did not restore broken symlinks so it doesn't matter if they make it into the cache or not (there was no user-detectable behavior change):

After #1369 my goal is:

• We write a file into the cache when we read a file. (No change.)
• We write a file into the cache when we read a hardlink. (No change.)
• We write a file into the cache when we read a symlink. (No change.)
• We throw the error in the case of encountering a broken symlink.

This makes user-apparent a scenario we have thus far silently ignored and reduces the complexity of the code.

Also, my apologies for not providing all of this context in the first pass. It's intended to be a small change, but the context in which the change is being made is significant.

Bonus failure mode that I just realized we need to account for: I suspect our hashes are run against the symlinks themselves in the output directory, not the thing that they target (I haven't looked).

I think it's valid to cache broken symlinks:

• A symlink could be broken at the time we read it, but not at the time of use.
• A task could be intending to symlink to some absolute path on the machine where the code will ultimately be deployed.
• A task could be linking to something marked as a global dependency, but not in our cache, and would be valid on restore.
• A user might just want a broken symlink for some reason

Unless there's some specific consequence to our own correctness, I do not think we should be failing caching or turbo runs because the task's output includes a broken symlink.

The problem with caching the symlinks themselves is that we can never be sure if they're portable across runs or systems and there is little we can do to resolve that.

• Turborebo in all published versions has silently skipped broken symlinks. In differing versions we have cached symlinks and the symlink targets.
• Bazel you have to explicitly opt in to caching broken symlinks --experimental_allow_unresolved_symlinks, and they control the symlink process for symlinks that they cache to enforce that they're project-aware.
• Gradle doesn't cache build outputs with broken symlinks and they cache by file.
• nx caches links via cp -a (which will cache a broken symlink), with transparent fallback from cp -a to fse.copy (which caches files and will error on broken symlinks).
• Can't quickly find info on Maven, but all of the examples of what people want to do with it are basically "subvert the DAG" with "this thing will eventually show up, promise" and it's terrifying. They're reporting errors where, because the DAG runs in an order they don't expect, the symlinks aren't present. (This reinforces my belief that "trust me, I've got it" is likely to go wrong and implicitly create DAG races.)
• Rush disallows symlinks in the cache entirely. (Search for "symlink".)

I feel like our solution should be "safe by default" with required explicit opt-in to dangerous behavior (caching symlinks, whether broken or not). I feel like Bazel's approach is the one we should head towards if we want to support symlinks.

The "correctness-focused" set of options:

• Bazel: Ensures correctness at the cost of verbosity to support symlinking, and an opt-in for broken symlinks.
• Gradle: Ensures correctness at the cost of cache space, with no opt-in for caching broken symlinks. (This mirrors Turborepo post-Disable linking. #1354.)
• Rush: Ensures correctness with a too-conservative solution.

I'm not sure that bazel and maven and gradle are necessarily the right comparisons, at least currently. Those are producing redistributable bundles. Each of our tasks doesn't necessarily produce something intended to be distributed on its own. We are caching intermediate states, in addition to final states.

Given that, I don't think it should be our responsibility to ensure that the links produced by user code are valid at any particular point in time. IMO it's a bug that we have any special treatment of symlinks.

But maybe I'm missing something about what's dangerous about caching symlinks?

Rather than testing that they are hard-linked, I think we ought to test that they exist? We could assert that the contents match too, although maybe that test belongs at a lower level, and we want to assert that our cache contains the files we think it should, and that they are in the right location.

As above, I think we should test that the file exists.

We've already checked for a non-nil err above.

It seems to me like breaking on a broken symlink would change our cache restoration behavior.

IIUC, the current state of the world is that we:

1. cache symlinks verbatim, including broken ones
2. on restore we unroll them (MkdirAll rather than SymLink)
3. In the event of a broken symlink, on restore, we skip it entirely (return godirwalk.SkipThis).

Note also that currently the restore behavior is shared w/ turbo prune.

My opinions on changing behavior:

1. cache restoration should mirror Put, we should restore the links verbatim
2. for the purposes of caching, we should not make any distinction about whether or not a link is broken
3. Ideal for prune would probably be to error on links that traverse out of the set of files we're copying? I think? I'm less sure on this one.

I think we want anything that changes behavior to be a separate PR though.