Please try out the Gradle build cache:
1. Create ...
# kotest-contributorsa
Adam S
06/23/2024, 11:33 AMPlease try out the Gradle build cache:
1. Create an init script in your GRADLE_USER_HOME directory (or if you don't have GRADLE_USER_HOME env var, in
~/.gradle/nano $GRADLE_USER_HOME/init.d/kotest-build-cache.init.gradle.kts Copy code
gradle.settingsEvaluated {
if (rootProject.name == "kotest") {
buildCache {
remote<HttpBuildCache> {
if (url != null) {
logger.warn("Kotest remote build cache is already configured. You might want to remove \$GRADLE_USER_HOME/init.d/kotest-build-cache.init.gradle.kts.")
} else {
logger.lifecycle("Configuring Kotest remote build cache!")
url = uri("<http://5.161.201.26:5071/cache>")
isAllowUntrustedServer = true
isAllowInsecureProtocol = true
isPush = false
}
}
}
}
}o
Oliver.O
06/23/2024, 11:38 AMWill do.
🚀 1
Oliver.O
06/23/2024, 11:51 AMOh, I'm sorry, I'd love to but I can't do that on my machine. Using the above would mean a supply chain risk as I would run executable code from an untrusted, publically accessible source locally. Or am I missing something?
Oliver.O
06/23/2024, 11:57 AMAn idea: Is the build cache just a normal HTTP-write-accessible URL? Then I could maybe try this with a local server.
a
Adam S
06/23/2024, 11:58 AMhmmm I really have to think about that. I guess that technically yes, you'd be downloading executable code. But practically, isn't that what happens already? If you checkout a PR and run the tests, then you're running executable code?
o
Oliver.O
06/23/2024, 12:00 PMYes. But I trust the repo plus the process plus the people. And it is source code I can review if in doubt.
a
Adam S
06/23/2024, 12:00 PMjust to clarify, pushing data to the build cache node is restricted
Adam S
06/23/2024, 12:01 PMcurrently only I and GitHub CI have pushed data (and technically Emil could, because he has access to the server)
o
Oliver.O
06/23/2024, 12:02 PMIf it's just you, I'd consider it safe. What's the mechanism blocking pushes from unknown folks?
a
Adam S
06/23/2024, 12:03 PMbtw I recognise that it's an important question, so I do want to take it seriously and figure out how best to make it secure and trustable
Adam S
06/23/2024, 12:04 PMThe build cache node has an admin console, and I can create users with username & password credentials. So I created read/write access for GitHub CI, and put them into GitHub secrets
👍 1
Adam S
06/23/2024, 12:05 PMEmil and I can connect to the server with SSH keys, and the build cache node is protected with a username/password
Adam S
06/23/2024, 12:05 PMand the build cache node is running with rootless Docker
Adam S
06/23/2024, 12:07 PMthe build cache node uses the official image https://hub.docker.com/r/gradle/build-cache-node/
o
Oliver.O
06/23/2024, 12:13 PMI'll do some research to familiarize myself with it.
Actually, my impression regarding supply chain risks is this:
So far, in the JVM/Maven universe we are somewhat lucky. We can usually trust our dependencies, and many people seem to go through changelogs before updating anything.
In the JS/NPM world, people don't, they just update to whatever (transitive) dependency is available. Malicious artifacts happen, like this one, which I was lucky enough to miss, but it was close (2-hour time window IIRC). Then additional checks were introduced, but people still have to use them properly.
a
Adam S
06/23/2024, 12:17 PMAnd yet Kotest has disabled yarn.lock blob thinking upside down https://github.com/kotest/kotest/blob/5234a310776eda23c1ee7b1d079d6105381a74c4/.gitignore#L48
o
Oliver.O
06/23/2024, 1:41 PMTrue, and we should probably change that. And also look what we can do for the Kotest Gradle plugin test project, where we have no easy way of manually running
gradlew kotlinUpgradeYarnLockOliver.O
06/23/2024, 3:21 PMSo I did some research: A CI-fed build cache, which is configured as you explained it, is totally OK.
Until then, I'm curious whether you notice a difference in build times.That's a bit hard with local testing, right? When my local build cache is up to date,
gradlew assemblea
Adam S
06/23/2024, 5:32 PMgreat, thanks for confirming 👍
Adam S
06/23/2024, 5:33 PMif we allow PR actions to cache their outputsThat will be the case, when the PR is merged.
Adam S
06/23/2024, 5:34 PMat the moment the impact will be limited
👍 1
e
Emil Kantis
06/24/2024, 10:23 AMWill the build cache work if we use different JVMs?
a
Adam S
06/24/2024, 11:28 AMnot always :( But it will still help.
Gradle 8.8 has a beta feature that might help https://docs.gradle.org/8.8/release-notes.html#gradle-daemon-jvm-configurable-via-toolchain, so Gradle will use a stable JDK. The feature isn't ideal yet, because doesn't auto-provision the required JDK, so I'm on the fence about enabling it.
e
Emil Kantis
06/24/2024, 11:29 AMOkay. Do you know if there's any easy way of ensuring we have the same JDK as the GH pipelines locally?
Emil Kantis
06/24/2024, 11:30 AMWe're also mixing temurin and adopt on GH. I think it would make sense to move all to temurin since adopt is discontinued?
a
Adam S
06/24/2024, 11:33 AMmoving to Temurin makes sense - although from a Gradle build POV I don't think the vendor makes a difference
Adam S
06/24/2024, 11:35 AMI think so long as the action has a setup-java step, then Gradle will use that version, but I'm not 100% sure
Adam S
06/24/2024, 11:36 AMthe JDK that Gradle uses can be set explicitly. In my
$GRADLE_USER_HOME/gradle.properties Copy code
# Try to help with Build Cache re-use by always using the same JDK
org.gradle.java.home=/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/e
Emil Kantis
06/24/2024, 12:16 PMWhat's left for the build cache PR? 🙂
Copy code
$ nslookup <http://gradle-build-cache.kotest.io|gradle-build-cache.kotest.io> 19s 13:38:35
Server: 2001:2042:fe60:5700::1
Address: 2001:2042:fe60:5700::1#53
Non-authoritative answer:
Name: <http://gradle-build-cache.kotest.io|gradle-build-cache.kotest.io>
Address: 5.161.201.26Emil Kantis
06/24/2024, 12:16 PMSSL cert?
a
Adam S
06/24/2024, 12:23 PMyes
12 Views