Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rate limit for web3signer_tests on CI #3812

Closed
michaelsproul opened this issue Dec 16, 2022 · 5 comments
Closed

Rate limit for web3signer_tests on CI #3812

michaelsproul opened this issue Dec 16, 2022 · 5 comments
Labels
infra-ci

Comments

@michaelsproul
Copy link
Member

Description

We're occasionally getting rate-limited calling the Github API to download the web3signer_tests. E.g. https://github.com/sigp/lighthouse/actions/runs/3708544134/jobs/6286220721

The code triggering the rate limit is:

lighthouse/testing/web3signer_tests/build.rs

Lines 35 to 45 in bf533c8

// Get the latest release of the web3 signer repo.
let latest_response: Value = client
.get("https://api.github.com/repos/ConsenSys/web3signer/releases/latest")
.send()
.await
.unwrap()
.error_for_status()
.unwrap()
.json()
.await
.unwrap();

Running that API call in a loop in my terminal I can trigger a 403 response by making more than 60 requests/second:

{"message":"API rate limit exceeded for x.x.x.x. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)","documentation_url":"https://docs.github.com/rest/overview/resources-in-the-rest-api#rate-limiting"}

Steps to resolve

I think the best option would be to plumb the GITHUB_TOKEN into that build script so that it can use it to bypass the rate limit. The build script could read an optional secret from its env when it runs and add this to the request headers (when running locally the header would not be added).

I think if we do something like echo ${{ secrets.GITHUB_TOKEN }} >> $GITHUB_ENV that might be OK, as long as Github scrubs the token from the logs. Tokens are unique to each CI run and have very limited read permissions on pull requests. See: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
@michaelsproul michaelsproul mentioned this issue Dec 16, 2022
Closed
bors bot pushed a commit that referenced this issue Dec 20, 2022
@michaelsproul
Various CI fixes (#3813)
cb1eb76 
## Issue Addressed

Closes #3812
Closes #3750
Closes #3705
macladson pushed a commit to macladson/lighthouse that referenced this issue Jan 5, 2023
@michaelsproul @macladson
Various CI fixes (sigp#3813)
78bd301 
## Issue Addressed

Closes sigp#3812
Closes sigp#3750
Closes sigp#3705
@michaelsproul
Copy link
Member Author

michaelsproul commented Feb 15, 2023
edited
Loading

This is still an issue despite my fix. More debugging required

Maybe @antondlr could be tempted? 😏

Recent failure here: https://github.com/sigp/lighthouse/actions/runs/4180285702/jobs/7241123847

@michaelsproul michaelsproul reopened this Feb 15, 2023
@michaelsproul michaelsproul mentioned this issue Feb 15, 2023
Closed
@michaelsproul
Copy link
Member Author

I recall Anton saying that even authenticated requests are subject to a rate limit

@jimmygchen
Copy link
Member

ah ok looks like with authenticated request, you raised the limit from 60 per hour to 1000 per hour.

https://docs.github.com/en/rest/overview/resources-in-the-rest-api?apiVersion=2022-11-28#rate-limits-for-requests-from-github-actions

@jimmygchen jimmygchen mentioned this issue Apr 4, 2023
Closed
@jimmygchen
Copy link
Member

Pushed a fix in #4163 to only download the web3signer binary when need (web3signer-tests), and only download once. This should reduce the API calls.

bors bot pushed a commit that referenced this issue Apr 6, 2023
@jimmygchen
CI fix: move download web3signer binary out of build script (#4163)
4d17fb3 
## Issue Addressed

Attempt to fix #3812 

## Proposed Changes

Move web3signer binary download script out of build script to avoid downloading unless necessary. If this works, it should also reduce the build time for all jobs that runs compilation.
@jimmygchen
Copy link
Member

Resolved via #4163

ghost pushed a commit to oone-world/lighthouse that referenced this issue Jul 13, 2023
@jimmygchen
CI fix: move download web3signer binary out of build script (sigp#4163)
ba82ddd 
## Issue Addressed

Attempt to fix sigp#3812 

## Proposed Changes

Move web3signer binary download script out of build script to avoid downloading unless necessary. If this works, it should also reduce the build time for all jobs that runs compilation.
Woodpile37 pushed a commit to Woodpile37/lighthouse that referenced this issue Jan 6, 2024
@michaelsproul @Woodpile37
Various CI fixes (sigp#3813)
8e6ad3a 
## Issue Addressed

Closes sigp#3812
Closes sigp#3750
Closes sigp#3705
Woodpile37 pushed a commit to Woodpile37/lighthouse that referenced this issue Jan 6, 2024
@jimmygchen @Woodpile37
CI fix: move download web3signer binary out of build script (sigp#4163)
5724f0b 
## Issue Addressed

Attempt to fix sigp#3812 

## Proposed Changes

Move web3signer binary download script out of build script to avoid downloading unless necessary. If this works, it should also reduce the build time for all jobs that runs compilation.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
infra-ci
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jimmygchen @michaelsproul