ci: replace manual zccache pip setup with zackees/zccache action#33
ci: replace manual zccache pip setup with zackees/zccache action#33
Conversation
Replace Swatinem/rust-cache + manual pip install/cache/start/stop with the unified zackees/zccache@main GitHub Action across all 7 workflow templates. Net -154/+49 lines. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
📝 WalkthroughWalkthroughSeven GitHub workflow files consolidate their zccache caching strategy by replacing manual setup steps ( Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~22 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 7
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/check-macos.yml:
- Around line 23-25: Replace the mutable action refs by pinning to audited
commit SHAs: locate the two uses entries referencing "zackees/zccache@main" and
"zackees/zccache/action/cleanup@main" in .github/workflows/check-macos.yml and
replace each "@main" with the corresponding full commit SHA for that action (use
the exact full-length commit hash you audited), ensuring both occurrences are
updated so the workflow uses immutable, reproducible action versions.
In @.github/workflows/check-ubuntu.yml:
- Around line 23-25: Replace the moving refs for the zackees actions with
immutable refs: change both occurrences of "uses: zackees/zccache@main" and
"uses: zackees/zccache/action/cleanup@main" to fixed commit SHAs (or an
immutable release tag) so the workflow is reproducible; locate the two "uses:"
lines in the workflow and update each to "zackees/zccache@<SHA>" and
"zackees/zccache/action/cleanup@<SHA>" respectively (use the audited commit SHAs
your repo policy requires).
In @.github/workflows/check-windows.yml:
- Around line 23-25: The workflow pins third-party actions to moving branches
("uses: zackees/zccache@main" and "uses: zackees/zccache/action/cleanup@main"),
which makes CI non-reproducible; update both references to immutable refs (audit
and replace each "zackees/zccache@main" and
"zackees/zccache/action/cleanup@main" with the corresponding commit SHA or
tagged release) so the actions are pinned to specific SHAs or stable tags.
In @.github/workflows/docs.yml:
- Around line 19-21: Replace the moving branches for the two actions so the
workflow is reproducible: change uses: zackees/zccache@main and uses:
zackees/zccache/action/cleanup@main to immutable pins (an audited commit SHA or
a stable release tag like `@vX`) — locate those two occurrences and replace the
`@main` suffixes with the chosen SHA or release tag.
In @.github/workflows/msrv.yml:
- Around line 17-19: Replace the two uses: entries that reference moving
branches (zackees/zccache@main and zackees/zccache/action/cleanup@main) with
immutable commit SHAs; locate the workflow step lines containing "uses:
zackees/zccache@main" and "uses: zackees/zccache/action/cleanup@main" and change
each to the corresponding commit SHA for the zccache repo (e.g., @<commit-sha>)
so the action is pinned and reproducible in CI.
In @.github/workflows/template_build.yml:
- Around line 38-41: The workflow uses mutable refs "zackees/zccache@main" and
"zackees/zccache/action/cleanup@main"; replace those with immutable refs
(audit-approved commit SHAs or fixed release tags) so the reusable template does
not track moving branches. Update the two uses entries (the "Setup zccache" step
and the cleanup step referencing "zackees/zccache/action/cleanup") to the chosen
commit SHAs or versioned tags and verify the SHAs/tags are recorded in repo
policy documentation.
In @.github/workflows/template_native_build.yml:
- Around line 63-66: Replace the mutable action refs so the workflow pins
third‑party actions to immutable revisions: change both occurrences of uses:
zackees/zccache@main and uses: zackees/zccache/action/cleanup@main to specific
commit SHAs or release tags (the audited SHA or tag for zackees/zccache) in
.github/workflows/template_native_build.yml (and apply the same replacement in
.github/workflows/template_build.yml and .github/workflows/msrv.yml); ensure the
new refs are exact SHAs or stable tags to match how other actions are pinned.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 2f2d8e8a-bf71-4726-8bda-65ea0ea704dd
📒 Files selected for processing (7)
.github/workflows/check-macos.yml.github/workflows/check-ubuntu.yml.github/workflows/check-windows.yml.github/workflows/docs.yml.github/workflows/msrv.yml.github/workflows/template_build.yml.github/workflows/template_native_build.yml
| uses: zackees/zccache@main | ||
| with: | ||
| shared-key: ${{ runner.os }}-check |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/check-macos.yml | sed -n '20,40p'Repository: FastLED/fbuild
Length of output: 667
🌐 Web query:
GitHub Actions security best practices pin to commit SHA vs branch
💡 Result:
For GitHub Actions security best practices, pin actions to a full-length commit SHA rather than a branch or tag. This is the recommended approach because commit SHAs are immutable, preventing supply chain attacks where a malicious actor could update a tag or branch to include backdoors. Branches like 'main' and tags like 'v4' are mutable and can be force-pushed or retagged. Official GitHub documentation explicitly states: "Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository." Verify the SHA is from the original repository, not a fork. Example: - Instead of: uses: actions/checkout@v4 or uses: actions/checkout@main - Use: uses: actions/checkout@11bd719 # v4.2.2 GitHub provides organization and repository policies to enforce SHA pinning, blocking workflows that use unpinned actions. For trusted creators (e.g., verified on GitHub Marketplace), tags may be acceptable but are less secure. To update pinned SHAs, use Dependabot or tools like Renovate, which support SHA updates. Note that Dependabot security alerts work only for semantic version tags, not SHAs.
Citations:
- 1: https://docs.github.com/en/actions/reference/security/secure-use
- 2: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
- 3: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
- 4: https://www.stepsecurity.io/blog/pinning-github-actions-for-enhanced-security-a-complete-guide
- 5: https://www.romainlespinasse.dev/posts/github-actions-commit-sha-pinning/
- 6: https://github.com/ihs7/action-sha-pinned-actions
🌐 Web query:
zackees/zccache GitHub action
💡 Result:
zackees/zccache is a blazing fast C/C++ and Rust compiler cache tool, written in Rust, designed as a drop-in replacement for sccache and ccache, optimized for local-first use with daemon-based caching. It is in early development. It provides a composite GitHub Action for CI workflows that combines compiler caching (replacing mozilla-actions/sccache-action) and Rust toolchain caching (replacing Swatinem/rust-cache) using GitHub's native cache API via the zccache-gha crate. Usage example in GitHub Actions workflow YAML: uses: zackees/zccache@main with: shared-key: ${{ runner.os }} This installs zccache, sets up cache with the given key (e.g., per OS), and configures RUSTC_WRAPPER=zccache for Rust/C++ builds. It handles save/restore via GHA cache, avoiding separate cache actions. Install zccache locally via pip install zccache, curl install script from releases, or Cargo. Use as CMAKE_C_COMPILER_LAUNCHER=zccache or RUSTC_WRAPPER=zccache. It's used in FastLED/FastLED CI for faster builds, replacing sccache.
Citations:
- 1: https://github.com/zackees/zccache
- 2: https://pypi.org/project/zccache/1.0.28/
- 3: https://crates.io/crates/zccache-core
- 4: https://crates.io/crates/zccache-gha
- 5: https://linkedin.com/in/zachvorhies
- 6: https://pypi.org/project/zccache/1.1.20/
- 7: https://pypi.org/project/zccache/1.2.6/
Pin these third-party actions to immutable commit SHAs.
Both uses: zackees/zccache@main (line 23) and uses: zackees/zccache/action/cleanup@main (line 36) reference a mutable branch. GitHub's official security guidance recommends pinning actions to full-length commit SHAs to prevent non-reproducible builds and mitigate supply-chain risk where upstream changes could alter or break CI without any change in this repository.
Replace @main with an audited commit SHA for both actions.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/check-macos.yml around lines 23 - 25, Replace the mutable
action refs by pinning to audited commit SHAs: locate the two uses entries
referencing "zackees/zccache@main" and "zackees/zccache/action/cleanup@main" in
.github/workflows/check-macos.yml and replace each "@main" with the
corresponding full commit SHA for that action (use the exact full-length commit
hash you audited), ensuring both occurrences are updated so the workflow uses
immutable, reproducible action versions.
| uses: zackees/zccache@main | ||
| with: | ||
| shared-key: ${{ runner.os }}-check |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/check-ubuntu.yml | sed -n '20,40p'Repository: FastLED/fbuild
Length of output: 667
Pin these third-party actions to immutable revisions.
Both uses: zackees/zccache@main (line 23) and uses: zackees/zccache/action/cleanup@main (line 36) track a moving branch. This makes the workflow non-reproducible and allows upstream changes to alter or break CI without any change in this repo. Pin both to audited commit SHAs or to whatever immutable release ref your repo policy allows.
Suggested change
- uses: zackees/zccache@main
+ uses: zackees/zccache@<audited-commit-sha>
...
- uses: zackees/zccache/action/cleanup@main
+ uses: zackees/zccache/action/cleanup@<audited-commit-sha>🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/check-ubuntu.yml around lines 23 - 25, Replace the moving
refs for the zackees actions with immutable refs: change both occurrences of
"uses: zackees/zccache@main" and "uses: zackees/zccache/action/cleanup@main" to
fixed commit SHAs (or an immutable release tag) so the workflow is reproducible;
locate the two "uses:" lines in the workflow and update each to
"zackees/zccache@<SHA>" and "zackees/zccache/action/cleanup@<SHA>" respectively
(use the audited commit SHAs your repo policy requires).
| uses: zackees/zccache@main | ||
| with: | ||
| shared-key: ${{ runner.os }}-check |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/check-windows.yml | sed -n '20,40p'Repository: FastLED/fbuild
Length of output: 667
🏁 Script executed:
# Check other workflow files to see if there's a pinning pattern in the repo
find .github/workflows -name "*.yml" -type f | head -5Repository: FastLED/fbuild
Length of output: 262
🏁 Script executed:
# Check how actions are pinned in a few workflow files
rg 'uses:' .github/workflows/ -A 0 | head -20Repository: FastLED/fbuild
Length of output: 1691
🏁 Script executed:
# Check the entire check-windows.yml to see all action usage patterns
cat -n .github/workflows/check-windows.yml | head -40Repository: FastLED/fbuild
Length of output: 1117
🏁 Script executed:
# Check if there are any releases or tags used for zackees/zccache in the repo
rg 'zackees/zccache' .github/workflows/ -B 2 -A 2Repository: FastLED/fbuild
Length of output: 3872
🏁 Script executed:
# Check if there's any pinning to specific versions elsewhere, or documentation about this choice
rg '@v[0-9]|@[a-f0-9]{7,}' .github/workflows/ | head -20Repository: FastLED/fbuild
Length of output: 1208
🏁 Script executed:
# Check if there's a SECURITY.md or any documentation about why `@main` is used
ls -la .github/ | grep -i security
cat SECURITY.md 2>/dev/null || echo "No SECURITY.md found"Repository: FastLED/fbuild
Length of output: 78
🌐 Web query:
zackees/zccache GitHub releases versions tags
💡 Result:
The GitHub repository zackees/zccache (a blazing fast C++ compiler cache inspired by sccache and ccache, written in Rust, created March 8, 2026) has no published releases or listed tags visible in search results. It is in early development with last push on March 18, 2026. Install scripts reference https://github.com/zackees/zccache/releases/latest/, implying releases may exist but are not indexed or empty. No specific version tags like v1.0.0 are confirmed on GitHub. However, the related PyPI package "zccache" has multiple releases, including: - v1.2.6 - v1.1.20 - v1.1.13 - v1.0.28 - v1.0.26 - v1.0.2 (2026-03-10) - v1.0.1 (2026-03-09) - v1.0.0 (2026-03-09) PyPI wheels install native Rust binaries from the repo. Individual crate releases exist on crates.io (e.g., zccache-cli, zccache-download-protocol published around 2026-04-11).
Citations:
- 1: https://github.com/zackees/zccache
- 2: https://pypi.org/project/zccache/1.0.28/
- 3: https://pypi.org/project/zccache/1.1.20/
- 4: https://pypi.org/project/zccache/
- 5: https://pypi.org/project/zccache/1.2.6/
- 6: https://pypi.org/project/zccache/1.0.26/
Pin these third-party actions to immutable revisions.
Both uses: zackees/zccache@main and uses: zackees/zccache/action/cleanup@main track a moving branch. That makes this workflow non-reproducible and lets upstream changes alter or break CI without any change in this repo. Please pin both to audited commit SHAs, or to whatever immutable release ref your repo policy allows.
Suggested change
- uses: zackees/zccache@main
+ uses: zackees/zccache@<audited-commit-sha>
...
- uses: zackees/zccache/action/cleanup@main
+ uses: zackees/zccache/action/cleanup@<audited-commit-sha>Also applies to: 34-36
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/check-windows.yml around lines 23 - 25, The workflow pins
third-party actions to moving branches ("uses: zackees/zccache@main" and "uses:
zackees/zccache/action/cleanup@main"), which makes CI non-reproducible; update
both references to immutable refs (audit and replace each "zackees/zccache@main"
and "zackees/zccache/action/cleanup@main" with the corresponding commit SHA or
tagged release) so the actions are pinned to specific SHAs or stable tags.
| uses: zackees/zccache@main | ||
| with: | ||
| shared-key: docs |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
cd /tmp/repo 2>/dev/null || cd / && find . -path './.github/workflows/docs.yml' -type f 2>/dev/null | head -1Repository: FastLED/fbuild
Length of output: 40
🏁 Script executed:
cat -n .github/workflows/docs.yml 2>/dev/null | head -50Repository: FastLED/fbuild
Length of output: 819
🏁 Script executed:
# Check for other workflow files to see repo's patterns on action pinning
find .github/workflows -name '*.yml' -o -name '*.yaml' 2>/dev/null | head -10Repository: FastLED/fbuild
Length of output: 452
🏁 Script executed:
# Look at other workflows to understand repo's pinning conventions
for f in $(find .github/workflows -name '*.yml' -o -name '*.yaml' 2>/dev/null); do
echo "=== $f ==="
rg 'uses:' "$f" | head -5
doneRepository: FastLED/fbuild
Length of output: 8419
Pin these third-party actions to immutable revisions.
Both uses: zackees/zccache@main (line 19) and uses: zackees/zccache/action/cleanup@main (line 28) track a moving branch. This makes the workflow non-reproducible and allows upstream changes to alter or break CI without any change in this repo. Pin both to audited commit SHAs or stable release tags (the repo's pattern for other actions is to use version pins like @v6).
Suggested change
- uses: zackees/zccache@main
+ uses: zackees/zccache@<commit-sha-or-tag>
with:
shared-key: docs
- name: Cleanup zccache
if: always()
- uses: zackees/zccache/action/cleanup@main
+ uses: zackees/zccache/action/cleanup@<commit-sha-or-tag>🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/docs.yml around lines 19 - 21, Replace the moving branches
for the two actions so the workflow is reproducible: change uses:
zackees/zccache@main and uses: zackees/zccache/action/cleanup@main to immutable
pins (an audited commit SHA or a stable release tag like `@vX`) — locate those two
occurrences and replace the `@main` suffixes with the chosen SHA or release tag.
| uses: zackees/zccache@main | ||
| with: | ||
| shared-key: msrv |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/msrv.yml | head -30Repository: FastLED/fbuild
Length of output: 774
🏁 Script executed:
fd -i -t f -e md -e txt -e yml . .github | head -20Repository: FastLED/fbuild
Length of output: 813
🏁 Script executed:
rg -i "pin|action|security|workflow" --max-count 10 README.md CONTRIBUTING.md 2>/dev/null || trueRepository: FastLED/fbuild
Length of output: 1799
🏁 Script executed:
cat -n .github/workflows/README.mdRepository: FastLED/fbuild
Length of output: 2462
🏁 Script executed:
rg "uses:" .github/workflows/*.yml | head -30Repository: FastLED/fbuild
Length of output: 2299
Pin zackees/zccache actions to immutable commit SHAs.
Both uses: zackees/zccache@main and uses: zackees/zccache/action/cleanup@main track a moving branch. This breaks reproducibility and allows upstream changes to alter or break CI without any change to this repository. All other actions in this workflow (checkout, rust-toolchain, upload-artifact) are pinned to specific versions; zccache should be too.
Suggested change
- uses: zackees/zccache@main
+ uses: zackees/zccache@<commit-sha>
...
- uses: zackees/zccache/action/cleanup@main
+ uses: zackees/zccache/action/cleanup@<commit-sha>This also applies to line 24-26.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/msrv.yml around lines 17 - 19, Replace the two uses:
entries that reference moving branches (zackees/zccache@main and
zackees/zccache/action/cleanup@main) with immutable commit SHAs; locate the
workflow step lines containing "uses: zackees/zccache@main" and "uses:
zackees/zccache/action/cleanup@main" and change each to the corresponding commit
SHA for the zccache repo (e.g., @<commit-sha>) so the action is pinned and
reproducible in CI.
| - name: Setup zccache | ||
| uses: zackees/zccache@main | ||
| with: | ||
| path: ~/.zccache | ||
| key: zccache-${{ runner.os }}-${{ inputs.env-name }}-${{ github.sha }} | ||
| restore-keys: | | ||
| zccache-${{ runner.os }}-${{ inputs.env-name }}- | ||
| zccache-${{ runner.os }}- | ||
| shared-key: ${{ runner.os }}-${{ inputs.env-name }} |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/template_build.ymlRepository: FastLED/fbuild
Length of output: 4367
Pin these third-party actions to immutable revisions.
Both uses: zackees/zccache@main (line 39) and uses: zackees/zccache/action/cleanup@main (line 94) track a moving branch. Since this is a reusable workflow template, mutable dependencies propagate to every caller. Pin both to audited commit SHAs, or to whatever immutable release ref your repo policy allows.
Suggested change
- uses: zackees/zccache@main
+ uses: zackees/zccache@<audited-commit-sha>- uses: zackees/zccache/action/cleanup@main
+ uses: zackees/zccache/action/cleanup@<audited-commit-sha>🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/template_build.yml around lines 38 - 41, The workflow uses
mutable refs "zackees/zccache@main" and "zackees/zccache/action/cleanup@main";
replace those with immutable refs (audit-approved commit SHAs or fixed release
tags) so the reusable template does not track moving branches. Update the two
uses entries (the "Setup zccache" step and the cleanup step referencing
"zackees/zccache/action/cleanup") to the chosen commit SHAs or versioned tags
and verify the SHAs/tags are recorded in repo policy documentation.
| - name: Setup zccache | ||
| uses: zackees/zccache@main | ||
| with: | ||
| key: ${{ inputs.target }}-v2 | ||
| shared-key: ${{ inputs.target }} |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
# First, check if the file exists and read lines 63-66 and 179-181
cat -n .github/workflows/template_native_build.yml | sed -n '60,70p;175,185p'Repository: FastLED/fbuild
Length of output: 744
🏁 Script executed:
# Check if this is a reusable workflow (has workflow_call trigger)
head -30 .github/workflows/template_native_build.yml
# Count all actions used in this file
echo "=== All GitHub Actions used in this file ==="
rg 'uses:' .github/workflows/template_native_build.ymlRepository: FastLED/fbuild
Length of output: 1162
🏁 Script executed:
# Look for policy docs, contributing guides, or security policies
fd -i -e md -e txt 'contributing\|security\|policy' | head -20
# Check other workflow files for comparison
echo "=== Sample of other workflows ==="
fd '\.yml$' .github/workflows | head -5 | while read file; do
echo "File: $file"
rg 'uses:' "$file" | head -3
echo ""
doneRepository: FastLED/fbuild
Length of output: 576
🏁 Script executed:
# Look for external action usage in all workflow files (not internal templates)
echo "=== External Actions used in workflows ==="
rg 'uses:.*@' .github/workflows/*.yml | grep -v 'uses: \./' | head -20Repository: FastLED/fbuild
Length of output: 1634
Pin these third-party actions to immutable revisions.
Both uses: zackees/zccache@main and uses: zackees/zccache/action/cleanup@main track a moving branch. In a reusable workflow template, that mutable dependency propagates to every caller. All other external actions in these templates use immutable pins (e.g., @v6, @stable); pin both zccache refs to audited commit SHAs or release tags for consistency.
This issue also appears in .github/workflows/template_build.yml and .github/workflows/msrv.yml.
Suggested change
- uses: zackees/zccache@main
+ uses: zackees/zccache@<audited-commit-sha>
...
- uses: zackees/zccache/action/cleanup@main
+ uses: zackees/zccache/action/cleanup@<audited-commit-sha>🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/template_native_build.yml around lines 63 - 66, Replace
the mutable action refs so the workflow pins third‑party actions to immutable
revisions: change both occurrences of uses: zackees/zccache@main and uses:
zackees/zccache/action/cleanup@main to specific commit SHAs or release tags (the
audited SHA or tag for zackees/zccache) in
.github/workflows/template_native_build.yml (and apply the same replacement in
.github/workflows/template_build.yml and .github/workflows/msrv.yml); ensure the
new refs are exact SHAs or stable tags to match how other actions are pinned.
1 participant
Summary
Swatinem/rust-cache@v2+ manualpip install zccache+actions/cachesave/restore with the unifiedzackees/zccache@mainGitHub Action across all 7 workflow templateszackees/zccache/action/cleanup@maincleanup step to all templatesRUSTC_WRAPPER: zccacheenv vars (handled by the action)Net -154/+49 lines.
Test plan
🤖 Generated with Claude Code
Summary by CodeRabbit