
make action caches immutable #1237


Open: wants to merge 1 commit into base: main

ericLemanissier

@ericLemanissier ericLemanissier commented Apr 10, 2025

Description:
With this change, caches become immutable by appending the workflow run_id, which makes the actual key unique (apart from re-run)
The cache restore works because the primaryKey is a prefix anyway: https://github.com/actions/toolkit/blob/1b1e81526b802d1d641911393281c2fb45ed5f11/packages/cache/src/cache.ts#L67

This follows recommendations from https://github.com/actions/cache/blob/main/tips-and-workarounds.md#update-a-cache

Unused caches are removed after 7 days by GitHub:
https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#usage-limits-and-eviction-policy

This avoids users having to define unneeded permission `actions: write`

The problem with deleting a cache entry is that it requires giving `actions: write` permissions, which means the workflow has all these permissions and this is way too much, and not acceptable for a lot of projects.

CI results available in https://github.com/ericLemanissier/stale/pull/71/checks

Related issue:
fixes #1159
fixes #1133
fixes #1131

Check list:

  • Mark if documentation changes are required.
  • Mark if tests were added or updated to cover the changes.
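
A model of the key scheme described in this PR, as an added example that is not code from the PR or from actions/stale. It assumes the semantics the description relies on (an existing key cannot be overwritten, restore matches by key prefix and returns the newest entry); `CacheModel`, `runWorkflow`, the `-<run_id>` suffix layout and the run ids are constructed for illustration, and `_state` is the key name from the linked issue title.

```javascript
// In-memory model of the cache service; NOT the @actions/cache API.
// Assumed semantics: keys are immutable, restore matches by prefix, newest first.
class CacheModel {
  constructor() {
    this.entries = []; // { key, data }, kept in creation order
  }

  // Saving under an existing key fails: entries cannot be updated in place.
  save(key, data) {
    if (this.entries.some(e => e.key === key)) return false;
    this.entries.push({ key, data });
    return true;
  }

  // Exact match wins; otherwise the most recently created key with this prefix.
  restore(primaryKey) {
    const exact = this.entries.find(e => e.key === primaryKey);
    if (exact) return exact;
    const matches = this.entries.filter(e => e.key.startsWith(primaryKey));
    return matches.length ? matches[matches.length - 1] : undefined;
  }
}

const BASE_KEY = '_state';
const saveKey = runId => `${BASE_KEY}-${runId}`; // hypothetical suffix layout

// One workflow run: restore by prefix, extend the state, save under a fresh key.
// No delete call is involved, so the job never needs `actions: write`.
function runWorkflow(cache, runId, newIssues) {
  const hit = cache.restore(BASE_KEY);
  const state = [...(hit ? hit.data : []), ...newIssues];
  const saved = cache.save(saveKey(runId), state);
  return { restoredFrom: hit ? hit.key : null, saved, state };
}

function demo() {
  const cache = new CacheModel();
  const first = runWorkflow(cache, 1001, [1, 2]); // constructed run ids and issue numbers
  const second = runWorkflow(cache, 1002, [3]);
  const rerun = runWorkflow(cache, 1002, [4]); // a re-run keeps its run id, so the key collides
  // Fixed-key scheme without a delete step: the second save cannot replace the first.
  const fixed = new CacheModel();
  fixed.save(BASE_KEY, [1, 2]);
  const overwrite = fixed.save(BASE_KEY, [1, 2, 3]);
  return { first, second, rerun, overwrite };
}
```

In `demo()`, the re-run restores the state saved by run 1002 but cannot save its own update, which is the "apart from re-run" caveat in the description.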

@Alberto2101b

Alberto2101b commented Apr 14, 2025

Description: With this change, caches become immutable by appending the workflow run_id, which makes the actual key unique (apart from re-run) The cache restore works because the primaryKey is a prefix anyway: https://github.com/actions/toolkit/blob/1b1e81526b802d1d641911393281c2fb45ed5f11/packages/cache/src/cache.ts#L67

This follows recommendations from https://github.com/actions/cache/blob/main/tips-and-workarounds.md#update-a-cache

Unused caches are removed after 7 days by GitHub: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#usage-limits-and-eviction-policy

This avoids users having to define unneeded permission `actions: write`

The problem with deleting a cache entry is that it requires giving `actions: write` permissions, which means the workflow has all these permissions and this is way too much, and not acceptable for a lot of projects.

CI results available in https://github.com/ericLemanissier/stale/pull/71/checks

Related issue: fixes #1159 fixes #1133 fixes #1131

Check list:

  • Mark if documentation changes are required.
  • Mark if tests were added or updated to cover the changes.


@ericLemanissier ericLemanissier mentioned this pull request May 7, 2025
2 tasks
Successfully merging this pull request may close these issues.

  • actions: write is too permissive
  • Error delete _state: [403] Resource not accessible by integration
  • Stale workflow fails to override cache.
2 participants