-
-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
be nice to apache / avoid the tragedy of commons #39
Comments
https://github.com/actions/toolkit/tree/main/packages/tool-cache to do this in an action, or switch to https://github.com/marketplace/actions/setup-maven which IIUC already does this. |
No, see #36. https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows might be the easiest approach. I wondered if we could download via HTTP, which would be cheaper for the server (since we validate the checksum anyway), but this does not work at least for the main download site (did not check mirrors) $ curl -IL http://downloads.apache.org/maven/maven-3/3.9.9/binaries/apache-maven-3.9.9-bin.tar.gz
HTTP/1.1 301 Moved Permanently
Date: Fri, 25 Oct 2024 17:48:55 GMT
Server: Apache
Location: https://downloads.apache.org/maven/maven-3/3.9.9/binaries/apache-maven-3.9.9-bin.tar.gz
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 200 OK
Date: Fri, 25 Oct 2024 17:48:55 GMT
Server: Apache
Last-Modified: Sat, 17 Aug 2024 18:44:55 GMT
ETag: "8ae661-61fe578da5420"
Accept-Ranges: bytes
Content-Length: 9102945
Access-Control-Allow-Origin: *
Content-Type: application/x-gzip
|
Or we could use e.g. |
what particularly in there - there is nothing about this that i can see it is all reffering to setup-java? it mentions setup-java picks up some old maven version but I am taking about setup-*maven* which allows you to specify the maven version and uses the github tool-cache to avoid hammering systems (somehow). |
I think I may have also filed this against the wrong repo (although the same issue may well apply) I meant to file it against jenkins-security-scan but it appears that is a cut and paste of this anyway. |
e.g. (untested) release:
runs-on: ubuntu-latest
needs: [validate]
if: needs.validate.outputs.should_release == 'true'
steps:
- name: Check out
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up JDK
uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 17
- name: Set up Maven
uses: stCarolas/setup-maven@v5
with:
maven-version: 3.9.9 |
|
the scalability of another solution could to use
Now it's possible to
Or manually to even cache the distribution:
|
Please no, not for a release workflow. We want to be sure everything is built from scratch. |
why? |
|
Noting jenkinsci/database-plugin#266 (comment) which is somewhat related |
Reproduction steps
The Jenkins security-scan reusable workflow downloads maven for every run.
this will hit a community maintained resource and is not nice.
https://en.wikipedia.org/wiki/Tragedy_of_the_commons
Just as we use our own mirror for maven artifacts we should be nicer to Apache for downloading maven (and presumable eclipse when downloading java)
Expected Results
we do not hit apache servers every time the workflow runs
Actual Results
we hit apache servers every time the workflow runs
Anything else?
this can also cause some issues e.g. -> https://github.com/jenkinsci/oic-auth-plugin/actions/runs/11518246235/job/32064586667
The text was updated successfully, but these errors were encountered: