Making the pull-request CI workflow faster #104
Comments
|
I think that this is related to #102: Because of rate limits, not all things that could be cached are cached, leading to higher build times. I don't see any good obvious solution. What we could try would be to use Cachix instead of MNC. That would mean creating a second cache on Cachix, e.g. "ngi-untrusted" which we allow to be writable from PRs. With this, we would not run into rate limits for PRs. We'd just have to check how we can have the builder fallback to the "ngi" cache in case the "ngi-untrusted" cache misses. |
|
Or perhaps explicit job approvals? |
|
Good idea. Even better if PRs by members would then be automatically approved. |
fricklerhandwerk
added
the
maintenance
|
Ah, I believe this is the issue I'm running into in #168 (https://github.com/ngi-nix/ngipkgs/pull/168/checks). CI runs correctly when PR is not based from a fork here (I had forgotten I have direct commit access to this repo.) If I understand correctly, this error ( |
|
How does it work on other repos that have a button "Approve and run"? |
Maybe I am misunderstanding you, but I don't think so. I think you are running into the permission issue with
No. Approval about GitHub Actions from forks is not about giving them the same permission as a repo-internal PR by a member, but about executing it at all. Quoting from the GitHub docs:
Here they emphasize that workflows from forks do not have access to sensitive data (this coincidentally also prevents them from commenting on the PR...), but can still be annoyance. Someone could fork NGIpkgs and create PR which contains a GitHub Actions workflow that mines cryptocurrencies. That's something that GitHub wants to avoid, so it requires the maintainers to approve.
This is correct, but not for the reason that you are suggesting. Instead we should merge #134 (of course I think that this should be preferred) or remove the
AFAIK this cannot be explicitly enabled/disabled. GitHub will decide whether approval should be required, and the default seems is to require approval for the first contribution from a non-member (see quote above). They might have changed that policy since they introduced it, but I haven't heard about that. The only other feature I know of where one can configure approvals is deployment, which I believe is not applicable in our case. I think the two earlier comments by @mightyiam and me were based on the assumption that approvals would somehow elevate privileges, but they don't. So, approvals in the sense of the "Approve and run" button won't help us solve our caching issue. |
|
Since #177, "internal" PRs are now just as fast as the workflow that previously ran on the "push" event, and they use Cachix. With #181 I am making the next step: Removing Magic Nix Cache in favor of two the Cachix caches (Edit: Fixed wrong reference to #104 instead of #181, sorry.) |
|
I think we've made good progress here, all workflows now use Cachix as was initially requested. @mightyiam if you agree feel free to close the issue, otherwise point me at jobs that are still taking too long for your taste. Thanks! |
|
I'll close it as completed, let's open new, more specific issues when needed. |
|
Thank you! |
From #55, I understand that cachix is much faster than magic nix cache (also from experience in this project).
Also from #55 I understand that there are some security concerns for which we have two workflows, pull-request with the slow magic-nix-cache and push with the fast cachix.
Is there any way we could mitigate the security concern so that we could have only fast workflows with cachix?
@lorenzleutgeb
The text was updated successfully, but these errors were encountered: