cache VS checkout

Use the official actions/cache to implement the cache process.

Since GitHub offers a cache storage back-end supported by Docker, we use the gha cache type so that the cache storage is as close to our runners as possible. The mode=max option instructs Docker to cache even the intermediate build layers, not only those exported to the final image. And we also give our build image some (arbitrary) name.

We can use another amazing action provided by GitHub, actions/cache to cache our dependencies from our first job run and use that cache for subsequent jobs.

> with no persistent storage

There's https://github.com/actions/cache though?

Use Cache Actions: GitHub Actions provides cache actions that simplify caching implementation. The @actions/cache JavaScript library is a popular choice for managing caching in workflows. It offers flexible options for storing and retrieving cache artifacts based on keys, scopes, and paths.

GitHub maintain a set of repos called actions. One of which is called cache.

By utilizing the actions/cache action action, we implemented a strategy to store and retrieve dependencies, preventing redundant installations.

I do think it's good practice to enable caching, such that your script doesn't hit RubyGems / pip / npm / etc every time it runs.

That way at least the automation activity stays entirely within the GitHub / Azure network.

It looks like you can do that for Ruby by adding this:

https://github.com/actions/cache/blob/master/examples.md#rub...

    - uses: ruby/setup-ruby@v1

➜ getting-started-with-act git:(master) act -j build WARN ⚠ You are using Apple M1 chip and you have not specified container architecture, you might encounter issues while running act. If so, try running it with '--container-architecture linux/amd64'. ⚠ [Node.js CI/build] 🚀 Start image=node:16-buster-slim [Node.js CI/build] 🐳 docker pull image=node:16-buster-slim platform= username= forcePull=false [Node.js CI/build] 🐳 docker create image=node:16-buster-slim platform= entrypoint=["tail" "-f" "/dev/null"] cmd=[] [Node.js CI/build] 🐳 docker run image=node:16-buster-slim platform= entrypoint=["tail" "-f" "/dev/null"] cmd=[] [Node.js CI/build] ☁ git clone 'https://github.com/actions/setup-node' # ref=v3 [Node.js CI/build] ☁ git clone 'https://github.com/actions/cache' # ref=v3 [Node.js CI/build] ☁ git clone 'https://github.com/actions/upload-artifact' # ref=v3 [Node.js CI/build] ⭐ Run Main actions/checkout@v3 [Node.js CI/build] 🐳 docker cp src=/Users/andrewevans/Documents/projects/getting-started-with-act/. dst=/Users/andrewevans/Documents/projects/getting-started-with-act [Node.js CI/build] ✅ Success - Main actions/checkout@v3 [Node.js CI/build] ⭐ Run Main Use Node.js 16.x [Node.js CI/build] 🐳 docker cp src=/Users/andrewevans/.cache/act/actions-setup-node@v3/ dst=/var/run/act/actions/actions-setup-node@v3/ [Node.js CI/build] 🐳 docker exec cmd=[node /var/run/act/actions/actions-setup-node@v3/dist/setup/index.js] user= workdir= [Node.js CI/build] 💬 ::debug::isExplicit: [Node.js CI/build] 💬 ::debug::explicit? false

Here is an example in the wild: https://github.com/actions/checkout/actions/workflows/publis...

The snippet above creates a step called "Checkout repository", which uses the actions/checkout action. The @ character allows you to pin the version of the action - in this case, version v4. You can see previous and future versions in the checkout releases on GitHub.

I think a big part of the problem is the way one typically "installs" a GH action: by copy-pasting something from README of the action.

Let's have a look at a random official GH provided action:

https://github.com/actions/checkout

It lists the following snippet:

`uses: actions/checkout@v4`

Everyone will just copy paste this snippet and call it a day.

In case of npm/yarn deps, one would often do the same, and copy paste `yarn install foobar`, but then when installing, npm/yarn would create a lockfile and pin the version. Whereas there's no "installer" CLI for GH actions that would pin the version for you, you just copy-paste and git push.

To make things better, ideally, the owners of actions would update the workflows which release a new version of the GH action, to make it update README snippet with the sha256 of the most recent release.

It seems pretty awful that the de-facto way to use GitHub Actions is using git tags which are not immutable. For example to checkout code [1]:

- uses: actions/checkout@v4

Github does advise people to harden their actions by referring to git commit hashes [2] but Github currently only supports SHA-1 as hashing algorithm. Creating collisions with this hashing algo will be more and more affordable and I'm afraid that we will see attacks using the hash collisions during my lifetime.

I wish that they will add support for SHA-256 soon and wrote product feedback regarding it here: https://github.com/orgs/community/discussions/154056

If this resonates with you please go and give it a thumbs up :)

[1]: https://github.com/actions/checkout?tab=readme-ov-file#usage

[2]: https://docs.github.com/en/actions/security-for-github-actio...

GitHub Actions uses .yaml or .yml files to define workflows, similar to docker-compose.yml. In this case, we're using the latest Ubuntu distribution as the environment. We use version 4 of the actions/checkout action to check out our repository. We also install system dependencies required by some of the Python packages, such as poppler-utils for pdf2image and tesseract-ocr and libtesseract-dev for pytesseract. Since our project doesn't have database interaction, we don't need a services section. The remaining steps are self-explanatory. We then execute our bash script to check the codebase against our defined standards. We also supply environment variables and run the tests (which we'll write later). This CI/CD pipeline runs on every pull request or push to the utility branch.

GitAuto used v2, while v4 is the latest available according to the official GitHub Actions Checkout documentation. Another area for potential improvement.

I was checking out the actions/checkout repository, which is something most GitHub actions are bound to use, and navigated to the issues:

https://github.com/actions/checkout/issues

On the first page aline I found cryptocurrency scams, no effort issues, and outright spam, from days to months old. It is an official GitHub repository for one of their most popular actions in a major feature, with hundreds of watchers and thousands of forks and stars. Yet it looks completely abandoned. No wonder the state of spam on GitHub.

Manage branches via GitHub API without git command. You don't have to checkout repositories by actions/checkout

Checkout Action Documentation

What is actions/checkout and actions/setup-node