Merge 3b3fb41561 into b45623637f

Offer a strategy to reduce cache churn
2026-06-14 17:04:10 +08:00 · 2026-01-29 11:46:34 +01:00 · 2025-08-07 23:20:34 -07:00
4 changed files with 30 additions and 149 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -20,7 +20,7 @@ jobs:

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@v3
      # Override language selection by uncommenting this and choosing your languages
      # with:
      #   languages: go, javascript, csharp, python, cpp, java, ruby
@@ -28,7 +28,7 @@ jobs:
    # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
    # If this step fails, then you should remove it and run the build manually (see below).
    - name: Autobuild
-      uses: github/codeql-action/autobuild@v4
+      uses: github/codeql-action/autobuild@v3

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -42,4 +42,4 @@ jobs:
    #     make release

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@v3
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -90,86 +90,15 @@ jobs:
    runs-on: ubuntu-latest
    container:
      image: ubuntu:latest
-      options: --cap-add=NET_ADMIN
+      options: --dns 127.0.0.1
    services:
      squid-proxy:
        image: ubuntu/squid:latest
        ports:
          - 3128:3128
    env:
-      http_proxy: http://squid-proxy:3128
      https_proxy: http://squid-proxy:3128
    steps:
-    - name: Wait for proxy to be ready
-      shell: bash
-      run: |
-        echo "Waiting for squid proxy to be ready..."
-        echo "Resolving squid-proxy hostname:"
-        getent hosts squid-proxy || echo "DNS resolution failed"
-        for i in $(seq 1 30); do
-          if (echo > /dev/tcp/squid-proxy/3128) 2>/dev/null; then
-            echo "Proxy is ready!"
-            exit 0
-          fi
-          echo "Attempt $i: Proxy not ready, waiting..."
-          sleep 2
-        done
-        echo "Proxy failed to become ready"
-        exit 1
-      env:
-        http_proxy: ""
-        https_proxy: ""
-    - name: Install dependencies
-      run: |
-        apt-get update
-        apt-get install -y iptables curl
-    - name: Verify proxy is working
-      run: |
-        echo "Testing proxy connectivity..."
-        curl -s -o /dev/null -w "%{http_code}" --proxy http://squid-proxy:3128 http://github.com || true
-        echo "Proxy verification complete"
-    - name: Block direct traffic (enforce proxy usage)
-      run: |
-        # Get the squid-proxy container IP
-        PROXY_IP=$(getent hosts squid-proxy | awk '{ print $1 }')
-        echo "Proxy IP: $PROXY_IP"
-        
-        # Allow loopback traffic
-        iptables -A OUTPUT -o lo -j ACCEPT
-        
-        # Allow traffic to the proxy container
-        iptables -A OUTPUT -d $PROXY_IP -j ACCEPT
-        
-        # Allow established connections
-        iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-        
-        # Allow DNS (needed for initial resolution)
-        iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
-        iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
-        
-        # Block all other outbound traffic (HTTP/HTTPS)
-        iptables -A OUTPUT -p tcp --dport 80 -j REJECT
-        iptables -A OUTPUT -p tcp --dport 443 -j REJECT
-        
-        # Log the iptables rules for debugging
-        iptables -L -v -n
-    - name: Verify direct HTTPS is blocked
-      run: |
-        echo "Testing that direct HTTPS requests fail..."
-        if curl --noproxy '*' -s --connect-timeout 5 https://github.com > /dev/null 2>&1; then
-          echo "ERROR: Direct HTTPS request succeeded - blocking is not working!"
-          exit 1
-        else
-          echo "SUCCESS: Direct HTTPS request was blocked as expected"
-        fi
-        
-        echo "Testing that HTTPS through proxy succeeds..."
-        if curl --proxy http://squid-proxy:3128 -s --connect-timeout 10 https://github.com > /dev/null 2>&1; then
-          echo "SUCCESS: HTTPS request through proxy succeeded"
-        else
-          echo "ERROR: HTTPS request through proxy failed!"
-          exit 1
-        fi
    - name: Checkout
      uses: actions/checkout@v5
    - name: Generate files
@@ -185,86 +114,15 @@ jobs:
    runs-on: ubuntu-latest
    container:
      image: ubuntu:latest
-      options: --cap-add=NET_ADMIN
+      options: --dns 127.0.0.1
    services:
      squid-proxy:
        image: ubuntu/squid:latest
        ports:
          - 3128:3128
    env:
-      http_proxy: http://squid-proxy:3128
      https_proxy: http://squid-proxy:3128
    steps:
-    - name: Wait for proxy to be ready
-      shell: bash
-      run: |
-        echo "Waiting for squid proxy to be ready..."
-        echo "Resolving squid-proxy hostname:"
-        getent hosts squid-proxy || echo "DNS resolution failed"
-        for i in $(seq 1 30); do
-          if (echo > /dev/tcp/squid-proxy/3128) 2>/dev/null; then
-            echo "Proxy is ready!"
-            exit 0
-          fi
-          echo "Attempt $i: Proxy not ready, waiting..."
-          sleep 2
-        done
-        echo "Proxy failed to become ready"
-        exit 1
-      env:
-        http_proxy: ""
-        https_proxy: ""
-    - name: Install dependencies
-      run: |
-        apt-get update
-        apt-get install -y iptables curl
-    - name: Verify proxy is working
-      run: |
-        echo "Testing proxy connectivity..."
-        curl -s -o /dev/null -w "%{http_code}" --proxy http://squid-proxy:3128 http://github.com || true
-        echo "Proxy verification complete"
-    - name: Block direct traffic (enforce proxy usage)
-      run: |
-        # Get the squid-proxy container IP
-        PROXY_IP=$(getent hosts squid-proxy | awk '{ print $1 }')
-        echo "Proxy IP: $PROXY_IP"
-        
-        # Allow loopback traffic
-        iptables -A OUTPUT -o lo -j ACCEPT
-        
-        # Allow traffic to the proxy container
-        iptables -A OUTPUT -d $PROXY_IP -j ACCEPT
-        
-        # Allow established connections
-        iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-        
-        # Allow DNS (needed for initial resolution)
-        iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
-        iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
-        
-        # Block all other outbound traffic (HTTP/HTTPS)
-        iptables -A OUTPUT -p tcp --dport 80 -j REJECT
-        iptables -A OUTPUT -p tcp --dport 443 -j REJECT
-        
-        # Log the iptables rules for debugging
-        iptables -L -v -n
-    - name: Verify direct HTTPS is blocked
-      run: |
-        echo "Testing that direct HTTPS requests fail..."
-        if curl --noproxy '*' -s --connect-timeout 5 https://github.com > /dev/null 2>&1; then
-          echo "ERROR: Direct HTTPS request succeeded - blocking is not working!"
-          exit 1
-        else
-          echo "SUCCESS: Direct HTTPS request was blocked as expected"
-        fi
-        
-        echo "Testing that HTTPS through proxy succeeds..."
-        if curl --proxy http://squid-proxy:3128 -s --connect-timeout 10 https://github.com > /dev/null 2>&1; then
-          echo "SUCCESS: HTTPS request through proxy succeeded"
-        else
-          echo "ERROR: HTTPS request through proxy failed!"
-          exit 1
-        fi
    - name: Checkout
      uses: actions/checkout@v5
    - name: Restore cache
--- a/caching-strategies.md
+++ b/caching-strategies.md
@@ -287,3 +287,26 @@ steps:
  - name: Publish package to public
    run: ./publish.sh
 ```
+
+### Saving cache only if the build runs on the default branch
+
+Workflow runs can restore caches created in either the current branch or the default branch (usually `main`) [Reference](https://docs.github.com/en/actions/reference/workflows-and-actions/dependency-caching#restrictions-for-accessing-a-cache).
+
+By restricting caches to the default branch, we can reduce the risk that Github evicts a cache created on the default branch. If that happens, every PR will create its own cache, increasing the cache churn.
+
+We can condition the execution of the `actions/cache/save` action on the current branch:
+
+```yaml
+steps:
+  - uses: actions/checkout@v3
+  .
+  . // restore if need be
+  .
+  - name: Build
+    run: /build.sh
+  - uses: actions/cache/save@v3
+    if: ${{ github.ref == 'refs/heads/main' }} // check we are on the default branch
+    with:
+      path: path/to/dependencies
+      key: ${{ runner.os }}-${{ hashFiles('**/lockfiles') }}
+```
--- a/examples.md
+++ b/examples.md
@@ -49,7 +49,7 @@
  with:
    path: |
      ~/.bun/install/cache
-    key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lock') }}
+    key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lockb') }}
 ```

 ### Windows
@@ -59,7 +59,7 @@
  with:
    path: |
      ~\.bun
-    key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lock') }}
+    key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lockb') }}
 ```

 ## C# - NuGet
Author	SHA1	Message	Date
Antoine Toulme	c35adbafba	Merge `3b3fb41561` into `b45623637f`	2026-01-29 11:46:34 +01:00
github-actions[bot]	3b3fb41561	Offer a strategy to reduce cache churn	2025-08-07 23:20:34 -07:00