
feat: add pip cache

Open gabrielpiassetta opened this issue 2 years ago • 3 comments

Add pip cache to Setup python step

gabrielpiassetta avatar Jul 28 '23 18:07 gabrielpiassetta

Just to be sure: as per docs the

cache: 'pip'

seems to cache pip’s internal cache between workflows (and therefore between workflow VMs) of the same run — but that’s not stated explicitly. Is that correct?

Furthermore, note that SLSA Build Level 3 requires to

prevent runs from influencing one another, even within the same project.

The term “run” isn’t clearly defined, but we need to keep in mind that while the public PyPI artifactory is trusted, caches in between are not because modifications/tampering is invisible to us (see also cache poisoning). (And that includes an AWS Artifactory or the like!)

Also, looking at the runtimes of the Check change set workflow I get values (random sampling) ranging from 3m 55s, 4m 25s to 5m 31s, 6m 17s and up to 7m 7s, 8m 8s — with this change clocking in at 7m 45s:

Screenshot 2023-09-02 at 17 24 41

So, do we have a measurable impact resulting from this?

jenstroeger avatar Sep 02 '23 07:09 jenstroeger

@behnazh what do you think of this comment: https://github.com/pre-commit/pre-commit/issues/2847#issuecomment-1514683897

jenstroeger avatar Sep 08 '23 10:09 jenstroeger

@behnazh what do you think of this comment: pre-commit/pre-commit#2847 (comment)

This solution seems to have similar issues for build isolation. We have designed the _build.yaml reusable workflow in a way to be fully isolated, e.g., by limiting the inputs to the workflow and not using any third-party GitHub Actions (except for the trusted Actions from GitHub itself). Enabling caching breaks the isolation security property.

behnazh avatar Oct 01 '23 08:10 behnazh
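As an added illustration of the two configurations discussed in this thread (this is not the project's _build.yaml and not code posted by anyone above), here is the cached setup-python step proposed in the issue beside a cache-free, isolated variant. The job names, Python version, dependency file name and the assumption that requirements.txt carries --hash entries are mine, not the project's.

```yaml
name: Check change set

on:
  pull_request:

jobs:
  # Variant A: the step proposed in this issue. setup-python restores pip's
  # HTTP/wheel cache under a key derived from the dependency file, so the
  # job's inputs now include whatever an earlier run stored under that key.
  # Anything able to write that cache entry influences later runs, which is
  # the SLSA Build L3 isolation concern raised above.
  build-with-cache:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v4
        with:
          python-version: '3.11'          # assumed version
          cache: 'pip'
          cache-dependency-path: requirements.txt
      - run: python -m pip install -r requirements.txt

  # Variant B: isolated build. No cache is restored, so the only inputs are
  # the checked-out source and the package index. --require-hashes (assumes
  # requirements.txt pins every distribution with --hash) makes pip reject
  # any archive whose digest differs from the pinned one, and --no-cache-dir
  # keeps pip from reading or writing its own on-disk cache during the job.
  build-isolated:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v4
        with:
          python-version: '3.11'          # assumed version
      - run: |
          python -m pip install --require-hashes --no-cache-dir -r requirements.txt
```

Variant A trades a shorter dependency install for an extra, writable input to the build; Variant B keeps the input set to source plus index, and the hash pins mean that even if a cached or mirrored archive were altered, the install fails rather than silently proceeding. Whether Variant A is worth it can be checked against the workflow durations sampled above.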