CI: Use GitHub actions cache in docker builds #5302
Conversation
|
Seems to work fine: https://github.com/iv-org/invidious/actions/runs/15012807593/job/42184935828?pr=5302#step:5:200. I may open another PR to improve the speed of https://github.com/iv-org/invidious/actions/runs/15012807593/workflow?pr=5302#L91 since it needs a different approach to be able to cache the layers, possible solution: https://stackoverflow.com/a/75544124 Adding cache to the |
That's an issue if you need to quickly patch a vulnerability in a package or dependency. |
There was a problem hiding this comment.
That's an issue if you need to quickly patch a vulnerability in a package or dependency.
Yeah this is a problem. Though Crystal and Invidious also doesn't have too many system dependencies so I'm not sure how large of a problem it'd really be.
The container for x86-64 already builds in ~ 5 minutes and 30 seconds which is imo is more than good enough for an automated image build. Any improvements to that is pretty negligible.
Instead I think it'll make more sense to optimize the arm64 build process (mainly by switching away from QEMU to the native arm runner on Github Actions) which takes almost 30 minutes to complete.
EDIT: Accidentally used the duration for building the test images during CI instead off the actual images for nightly/stable builds
Yeah, getting a vulnerability with the low amount of packages Invidious uses is pretty unlikely, but there is a still a possibility, some day, a vulnerability on some package may be released and abused, and if we wanted to release a fast fix with the package already patched on Alpine Linux repositories, we would need to delete the caches on https://github.com/iv-org/invidious/actions/caches?query=sort%3Acreated-desc manually before letting GH Actions build the Invidious container image, which doesn't seem practical at all. I was searching about how to only ignore cache for the
I'll go with this in a new PR instead. |
We already make use of the mount cache on e2df12b to speed up the compiling on Invidious, but we can also use Github actions for the Dockerfile, which caches packages installed using
apkand any other layer of the container that can be cached.For installed packages, it will always use the same cached version (if the cache has not been used on 7 days according to https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#usage-limits-and-eviction-policy), so on each build, the packages are not going to be updated (https://docs.docker.com/build/cache/invalidation/#run-instructions). I personally think this is better to prevent a possible breakage on an updated package (which is probably not going to happen anyways because we use a specific alpine tag).