
Github Workflows Gotchas

Cesar Varela edited this page Dec 20, 2023 · 1 revision

The proposed workflow in https://github.com/responsible-ai-collaborative/aiid/pull/2508 depends on the pull_request_target event. GitHub advises against using this event for builds that have access to secrets, because the job runs in the context of the base repository (and therefore with its secrets) while the code being built comes from the pull request. The documentation puts it this way: "Avoid using this event if you need to build or run code from the pull request."
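As an added illustration (not the workflow from PR #2508 nor the code from the linked posts), the first file below is the pattern the warning describes, and the second keeps pull_request_target but refuses to build PR code unless the author already has write access on the base repository. Job names, the npm commands, and SOME_SECRET are assumed for the example.

```yaml
# File 1 (unsafe): pull_request_target runs with the base repository's secrets.
# Checking out the PR head and running its build scripts lets any fork execute
# arbitrary code that can read those secrets.
name: unsafe-build
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted code
      - run: npm ci && npm run build                      # executes it
        env:
          SOME_SECRET: ${{ secrets.SOME_SECRET }}         # now readable by it

---
# File 2 (gated): same trigger, but the job stops before touching PR code
# unless the PR author has write/maintain/admin permission on this repository.
# The check uses the GitHub CLI preinstalled on ubuntu-latest and the job's
# own token (GH_TOKEN); the endpoint only needs metadata read access.
name: gated-build
on: pull_request_target
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Require write permission on the base repository
        env:
          GH_TOKEN: ${{ github.token }}
          AUTHOR: ${{ github.event.pull_request.user.login }}
        run: |
          perm=$(gh api "repos/${GITHUB_REPOSITORY}/collaborators/${AUTHOR}/permission" --jq .permission)
          case "$perm" in
            admin|maintain|write) echo "$AUTHOR has '$perm'; running privileged build" ;;
            *) echo "::error::$AUTHOR has '$perm' permission; not running PR code with secrets"; exit 1 ;;
          esac
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # pinned to the triggering commit
      - run: npm ci && npm run build
        env:
          SOME_SECRET: ${{ secrets.SOME_SECRET }}
```

The gate only answers "is this author already trusted"; for PRs from outside contributors, the pattern in the Security Lab post linked below (build on pull_request without secrets, then consume the artifact from a separate workflow_run job) is the way to keep secrets away from their code.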

Gotchas specific to our implementation:

  • The full-build artifact is about 5GB, so it is impossible to cache it properly: the repository-wide limit for all caches in GitHub is 10GB, shared between all builds. There is an upload artifact action provided by GitHub that allows bigger sizes, but from my findings, it is slow.
  • It is not possible (or at least not easy) to implement a "clear cache and run build from latest commit" button, so we'll have to create empty commits or edit a random file.
  • The free runners from GitHub are a bit weaker than the Netlify box we currently use, so we'll have to increase timeouts a bit here and there to reduce flakiness.

Links of interest

This one is the most important:

https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

The source of the custom action that checks permissions:

https://michaelheap.com/access-secrets-from-forks/
https://michaelheap.com/github-actions-check-permission/

Extras:

https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/