-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement CI improvements outlined in #3925 #5301
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
Hey! Thanks for submitting this pr! I'll take a look at this either today or over the weekend |
No rush, take your time :) And if there's anything that needs some more clarification, let me know |
This is really interesting. I'm still processing and reading through some parts of it, as this makes me read more docs than a usual PR, but there are some really good things here. The commit that I'm not sure it works as intended is the one modifying I'm still reading about the cache strategy, that's pretty cool. The matrix thing, I actually had done something really similar in our main development branch! The implementation is different, but I think it's the same intention: https://github.com/NomicFoundation/hardhat/blob/v-next/.github/workflows/v-next-ci.yml |
I'll continue reviewing this tomorrow |
I can definitely relate, GitHub Docs do have a tendency to pull one in 😅
I see! Thank you for providing this additional bit of context. It definitely makes much more sense to me now, and I understand the original intent better. My objective was to secure the repository against security breaches caused by script injection, and in this case the easiest way to achieve that was by avoiding 🆕 1911acf
In this setup, it would still be possible to execute arbitrary code on a runner, but it shouldn't have access to sensitive data. The GitHub token can only read the repo which is public already anyway, and to even obtain it one would have to scrape the memory. As for secrets, GitHub claims that unreferenced ones are wiped from memory altogether. I tested the new setup on a PR in my fork. The workflow run triggered on pull_request_target successfully posted a comment to the PR, while the one triggered on pull_request skipped that step as expected.
That's awesome! Yes, that looks exactly like what I was going for, too. One important thing I tried to preserve on this branch was the "laziness" of the package builds since there are quite a few combinations to consider, but the principle is the same 😄 Thank you so much for spending the time reviewing my proposals, greatly appreciated 🙇 |
e69f90b
to
684653b
Compare
I'm closing this PR as we agreed to:
|
Resolves #3925
Hi! I've noticed that you identified a couple of issues with your CI setup that you wanted addressed in #3925, and I'd love to help :)
As per the issue description, I included all of the improvements in a single PR - I aimed to contain each change in a separate commit to help you review them, but I'm also happy to split them up into separate PRs if it makes it easier for you.
Breakdown
✅ e27c940
I ensured that all the workflows that use
paths
filters include the workflow file itself in the filter value.✅ af96f4d
I replaced each occurrence of
$default-branch
withmain
. I've also tried to search for other similar instances of template syntax usage but didn't find any.✅ c56528a
I parallelized the
Lint
workflow using the matrix strategy. After the changes, the workflow consists of 2 jobs,Lint
andLint (docs)
. I noticed that linting root requires building custom eslint plugins while it's not necessary for the docs. I also decided to check dependency versions only when linting root.When I looked at the workflow, I noticed that linting was duplicated in three other workflows:
Check docs site
,Comment on lint failure
andPre-release tests
.❓ ac06514
I removed linting from the
Check docs site
workflow. After the changes, it only builds the docs. Let me know if that's OK.❓ ac06514
I also modified
Comment on lint failure
workflow. As I understand, it was triggered onpull_request_target
to enable commenting on a pull request. The same can be achieved with a workflow triggered by otherworkflow_run
s. I modified the workflow to be triggered wheneverLint
completes. The updated workflow continues only if theLint
workflow was triggered by a pull request and if it failed during one of the linting steps. This eliminates the duplication of work while maintaining the desired functionality.🟡 f750bb7
I only performed a basic review of the cache setup. The one thing I noticed was that we might be overriding the pnpm cache sometimes - e.g. when we build only a single package, the resulting cache might not have the dependencies other packages require. To counteract that, I extracted the env setup (pnpm install, node install, cache handling) to a helper action. Then, I applied the action wherever the pnpm cache was used. I configured it to work in restore-only mode by default, and I added a new
Populate cache
workflow, which is responsible for populating the cache. All in all, I wouldn't expect this to speed up the runtimes significantly, but it does create an environment for more intentional cache use.🟡 8927236
I did a light review and cleanup of workflow triggers, but there's definitely more room for improvement here.
As for other ideas for runtime improvements, setting up the cache restore to work with partial key matches might be an interesting idea. It should be simpler to implement now that there's only a single place that deals with the pnpm cache.
The usage of self-hosted runners might be interesting, too. Especially as a means to increase the availability of the runners (e.g. package builds might require ~70 runners for changes lower down the stack while the concurrency limit in GitHub on a free plan is 20).
🔴 I didn't address this in this PR. Would you mind clarifying the intention here? Is it to package up the dist dirs after package builds and expose them as artifacts? If so, I'd be happy to add it to the PR or create a follow-up one.
🟢 8de529a
I'd like to propose an alternative to templating. I turned all the package build (except core) workflows into a single one that uses a build matrix. The matrix is dynamically constructed at the beginning of the run to determine which packages need to be built and tested. I retrieve this information from the pnpm lockfile because it seemed simple enough. In this iteration, I decided to only look at the direct package dependencies, which seems to be sufficient as well.
The advantage of this approach is that there is only one workflow file to maintain, the dependencies between packages do not have to be hardcoded (e.gI discovered that
hardhat-truffle5
depends onhardhat-web3
, but modifying the latter wouldn't trigger the former's build before), and new packages will be pulled in automatically (e.g. I discovered thathardhat-toolbox-viem
wasn't being built before). The tradeoff is that the package builds are now delayed by the package discovery job (< 10s). Also, there is only one workflow to inspect in the Actions tab, which means fewer switches when inspecting a workflow run, but also, the workflow run history is collective.➕ 322f13c
Finally, I updated the GitHub Actions versions to ensure the latest ones are used. This will help clear any node version deprecation warnings you might have been seeing.
That's it for now; let me know what you think :)
Testing