Skip to content

misc(gha): expose action cache url and runtime as secrets #2964

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
glegendre01 merged 11 commits into from
Nov 17, 2025
Merged

misc(gha): expose action cache url and runtime as secrets #2964

glegendre01 merged 11 commits into from
Nov 17, 2025
+15 −8

Conversation

@mfuntowicz
Copy link
Member

@mfuntowicz mfuntowicz commented Jan 29, 2025

Avoid leaking token and cache url

@mfuntowicz mfuntowicz requested a review from Narsil January 29, 2025 09:30
Narsil
Narsil reviewed Jan 29, 2025
View reviewed changes
.github/workflows/build.yaml
id: aws-creds
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
with:
role-to-assume: ${{ secrets.AWS_ROLE_GITHUB_BUILDX_CACHE }}
Copy link
Contributor

@Narsil Narsil Jan 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WE still had issues with those for release, isn't that why we remvoed it altogether ?

Copy link
Member Author

@mfuntowicz mfuntowicz Jan 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc @glegendre01

Copy link
Contributor

@glegendre01 glegendre01 Jan 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i increased the session time, but the run tests is failing now.

Copy link
Contributor

@Narsil Narsil Jan 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not about session time, it's also that the role couldn't be assumed on anything else than PRs.
Where we need to run the CI for building and pushing also on tags/main and basically any kind of branch.

Copy link
Contributor

@Narsil Narsil Jan 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So adding this crippled the release process.

Copy link
Contributor

@glegendre01 glegendre01 Feb 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can allow all branches if you need ?

Copy link
Contributor

@glegendre01 glegendre01 Feb 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's currently filtering on theses : refs/heads/main + refs/tags/v*

@mfuntowicz
Copy link
Member Author

mfuntowicz commented Feb 3, 2025

Maybe we should split the two scopes that we are addressing here:

  • Focus this PR on making GHA argument secrets and not ENV
  • Open a second PR to address the flakyness of AWS S3 stuff

wdyt @Narsil, @glegendre01 ?

Ryans-ui
Ryans-ui approved these changes Nov 14, 2025
View reviewed changes
Copy link

@Ryans-ui Ryans-ui left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1

@glegendre01
Remove actions_cache_url mount from Dockerfile
0f54e59 
Removed an unused mount for actions_cache_url in the Dockerfile.
@glegendre01
WIP
71f67fc
drbh
drbh approved these changes Nov 14, 2025
View reviewed changes
Copy link
Collaborator

@drbh drbh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@glegendre01 glegendre01 merged commit 85790a1 into main Nov 17, 2025
26 of 31 checks passed
@glegendre01 glegendre01 deleted the gha_sccache_use_secrets branch November 17, 2025 09:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@glegendre01 glegendre01 glegendre01 left review comments

@drbh drbh drbh approved these changes

+2 more reviewers

@Narsil Narsil Narsil left review comments

@Ryans-ui Ryans-ui Ryans-ui approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@mfuntowicz @Narsil @drbh @glegendre01 @Ryans-ui