From b0fb18e2d4ca2b5c3ea68108797f89dbd7472638 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Rold=C3=A1n=20Betancort?=
Date: Fri, 28 Oct 2022 20:21:59 +0200
Subject: [PATCH 1/4] also prevent poisoning in build building only downloads the deps needed by non-test code, which is a smaller subset. We fix it by calling go mod download before go build, which will get all dependencies
---
 .github/workflows/build-test.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index 1dae612f2c..84ab257b30 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -43,6 +43,8 @@ jobs:
 with:
 go-version: "${{ env.GO_VERSION }}"
 cache: "true"
+ - name: "go mod download" # prevent CI cache poisoning by getting all deps
+ run: "go mod download"
 - uses: "authzed/actions/go-build@main"

 image-build:

From c54723943e58270d3c16275fce3ca6d67d66df0a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Rold=C3=A1n=20Betancort?=
Date: Fri, 28 Oct 2022 19:30:14 +0100
Subject: [PATCH 2/4] do not cache protobuf since it downloads a handful of go modules
---
 .github/workflows/build-test.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index 84ab257b30..aceac0cbf2 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -198,7 +198,6 @@ jobs:
 - uses: "actions/setup-go@v3"
 with:
 go-version: "${{ env.GO_VERSION }}"
- cache: "true"
 - name: "Install Go Tools"
 run: "./hack/install-tools.sh"
 - uses: "authzed/actions/buf-generate@main"

From 0c927de74407818a447ef5699ce5db9b25c29ce6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Rold=C3=A1n=20Betancort?=
Date: Fri, 28 Oct 2022 19:39:12 +0100
Subject: [PATCH 3/4] disable caching in wasm tests since it downloads a subset of modules
---
 .github/workflows/build-test.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
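Review bot: In the [PATCH 1/4] hunk, the added `go mod download` step makes the module cache saved by this job complete, but nothing checks the integrity of what `actions/setup-go` restores, so the comment's "prevent CI cache poisoning" only covers an incomplete cache. Go checks modules against `go.sum` when they are downloaded, not each time they are read back from the module cache, so a second step with `run: "go mod verify"` would flag cached modules that were modified after download. How much that matters depends on which workflows can write to this cache, which is not visible here. The comment could also name what is actually prevented, e.g. `# download all deps so the cache saved by this job is complete`. The job's step list starts above the hunk.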
diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index aceac0cbf2..e8192daa8e 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -184,7 +184,7 @@ jobs:
 - uses: "actions/setup-go@v3"
 with:
 go-version: "${{ env.GO_VERSION }}"
- cache: "true"
+ cache: "false" # do not cache to prevent cache poisoning
 - name: "Install wasmbrowsertest"
 run: "go install github.com/agnivade/wasmbrowsertest@latest"
 - name: "Run WASM Tests"

From 557e6b6dcf57915aa4d05700914c72b79e64be0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Rold=C3=A1n=20Betancort?=
Date: Thu, 3 Nov 2022 09:58:40 +0000
Subject: [PATCH 4/4] explicitly document why cache is disabled
---
 .github/workflows/build-test.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index e8192daa8e..c8e906950b 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -198,6 +198,7 @@ jobs:
 - uses: "actions/setup-go@v3"
 with:
 go-version: "${{ env.GO_VERSION }}"
+ cache: "false" # do not cache to prevent cache poisoning
 - name: "Install Go Tools"
 run: "./hack/install-tools.sh"
 - uses: "authzed/actions/buf-generate@main"
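Review bot: In the [PATCH 3/4] hunk, the step right after the changed line, `run: "go install github.com/agnivade/wasmbrowsertest@latest"`, resolves `@latest` on every run, and with caching now disabled this job always fetches whatever that resolves to at the time. Pinning the tool, e.g. `run: "go install github.com/agnivade/wasmbrowsertest@<pinned-version>"`, keeps the WASM test job reproducible and turns a tool upgrade into a reviewed change. The comment `# do not cache to prevent cache poisoning` (added again in [PATCH 4/4]) would be clearer if it carried the reason from the commit message, that this job downloads only a subset of modules.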
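Review bot: In the [PATCH 4/4] hunk, the last line `- uses: "authzed/actions/buf-generate@main"` references a mutable branch, so the code this job executes can change without any change to this workflow; the same applies to `authzed/actions/go-build@main` in the [PATCH 1/4] hunk. Pinning to a full commit SHA, `- uses: "authzed/actions/buf-generate@<full-commit-sha>"`, makes action updates explicit and reviewable, which fits the intent of this series to keep CI inputs predictable. The job definition starts above the hunk, so other steps may need the same treatment.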