third_party/sandboxroot: add mirror tool
This mirrors the sandbox RPMs into a GCS bucket any time we regenerate
it. Hopefully this stops the constant barrage of random 404s when Fedora
just happened to bump a library and all the mirrors lost its previous
version.
This tool is currently specific to our bazeldnf-based sandboxroot setup,
but could be extended to mirror all of our dependencies at some point.
As our mirror is the last in the list, it should only be used when a
file is missing from other mirrors. In the future, we should have some
job that alerts us when too many of our deps are missing from upstream
mirrors.
Change-Id: I08ccbdf99ec868363918e30f3d2ae94f463e045f
Reviewed-on: https://review.monogon.dev/c/monogon/+/1473
Tested-by: Jenkins CI
Reviewed-by: Leopold Schabel <leo@monogon.tech>
diff --git a/third_party/sandboxroot/mirror/README.md b/third_party/sandboxroot/mirror/README.md
new file mode 100644
index 0000000..002d9ae
--- /dev/null
+++ b/third_party/sandboxroot/mirror/README.md
@@ -0,0 +1,37 @@
+sandboxroot mirror
+===
+
+Fedora mirrors tend to drop RPMs very quickly. As we don't want to be constantly
+chasing every single tiny update, we have decided to set up our own mirror on GCS.
+
+The mirror only contains RPMs that the sandboxroot actually uses, and is managed
+by running the `mirror` tool from this directory.
+
+Using the mirror
+---
+
+The mirror is enabled by default whenever you use Bazel (see repositories.bzl in this directory).
+
+Updating the mirror
+---
+
+Any time you run `third_party/sandboxroot/regenerate.sh`, the last step calls `mirror sync`. If that fails for some reason (eg. you were not logged into GCS), you can run it manually:
+
+```
+$ bazel run :mirror sync
+```
+
+Checking the mirror
+---
+
+If you want to just check whether everything's properly synced, you can run:
+
+```
+$ bazel run :mirror check
+```
+
+To do a full scan (downloading and checking SHA256 sums) do:
+
+```
+$ bazel run :mirror check --deep
+```