Insights not generated #133
Comments
|
Thanks for reporting @ben-manes. I’m looking into it. |
|
Thanks @varunsh-coder. It was a matrix run and I noticed both generated the same insights url, so maybe that confused it? (enabled on Caffeine Tests 11 and 17) |
|
@ben-manes it generates a single insights URL per workflow run, so that was not the issue. I re-ran the analysis and it worked fine. You can see the insights here: https://app.stepsecurity.io/github/ben-manes/caffeine/actions/runs/2248437529 I will investigate why it did not generate it the first time. I think it was a transient error fetching workflow details from GitHub API. Thanks for trying out harden-runner! I did notice the large number of annotations for |
|
okay, awesome! You are welcome to close this then 🙂 |
|
hmm.. after trying a run with the suggested block list it fails with connection refused https://github.com/ben-manes/caffeine/runs/6238249024?check_suite_focus=true |
|
Appended to the list, trying again |
You will need to add couple more I think. These were part of |
|
done, thank you! https://github.com/ben-manes/caffeine/actions/runs/2249141656 |
Looks like this one ran fine and insights were also generated. I have created separate issues to track findings from these runs. |
|
Perfect, thanks! |
|
Hi @ben-manes I am observing the runs and it looks like there were more endpoints called in I am also thinking of adding option of |
|
thanks, fixed! The master build is a little different since it publishes a snapshot dependency, which I had overlooked. That sounds like a good idea to me. I do like your approach of having it very explicitly as part of the configuration, but it is not a reusable list across workflow files. The backend approach would promote setting up this action on all cases and not just the core build (in my case, static analyzers). I also did not put it on the release workflow out of fear that it would break it. The downside is that it requires some login which for an OSS project could be lost if that maintainer disappears. Overall a very easy and nice security enhancement - thank you! I have no complaints. 🙂 |
Thanks for the feedback. Your comment about not being reusable across workflows reminded be of this idea, which is to store allowed endpoints in a separate file in the repo, e.g. BTW, are the |
|
This feels like a problem that there should be an idiomatic solution for. What about composite actions or reusable workflows so that users define their own variant of The source code overwrite is a hack for my project and not idiomatic, so I think you're okay as is. I use a code generator to create classes for every configuration to favor reducing the memory footprint at the cost of a larger dependency (as unloaded classes are free at runtime). For example a cache without any expiration setting doesn't need a per-entry expiration timestamp field. These code generated classes are compiled without debug symbols as simple data holders, which shaves off ~150kb without impacting debuggability. The hack is that the code is compiled once in full and then the subset compiled again without debug, and those classes replaced. A better approach would be to make these independent compilation and combine them later, but that requires teasing them apart and not being so lazy with this ad hoc approach. In that respect your warnings are a good reminder that the build should be improved, as that also busts the build's cache and can cause it to rerun those tasks if invoked later. |
|
work in progress, but this clean up commit should avoid those overwrites. Oddly the |
|
Okay, the build is improved this should be in place. The prior case of a rebuild is because the compiler itself depends on the cache for its AST and the build system incorrectly rewrote that to a project dependency after the jar was built. However looking at a corrected build and despite the tasks reported as |
I am making updates to correlate the file overwrite event with the step/ line that made the change based on timestamp. Once that is done, it will be visible in the insights website and should help with understanding why this is happening. |
Composite and reusable workflows are interesting options to solve this. I think composite workflows might create friction for onboarding and developers will likely prefer an easier option. Reusable workflows could work, I need to learn more about that. Will investigate... |
That will be very useful, thanks! A guess is that it runs the codegen task but observes that the output hasn't changed via hashing, and determines it is uptodate so it does not invalidate downstream tasks. Since the task is so inexpensive it would appear otherwise to have not done any work. That wouldn't be the very obvious behavior, but I could see it making sense as a tooling author as an optimization, differentiated by the |
|
|
|
I got it. Fixing the task caching and now the runner does not report any overwritten files. This is a nice set of hygienic build cleanups, so I think it was a good prompt. |
Great! Thanks for the feedback! |
I have not implemented the UI yet, but based on the logs, the overwrite is in this line.
The timestamp of overwrite is logged in
|
|
It is actually the next line,
I dug into that last night and it is Google AutoValue breaking incremental compilation. While I’m using a fixed version since they don’t have tests it’s likely a regression. |
|
Opened a ticket google/auto#1315 |
|
FYI this is fixed too (and my fault, of course). It was a really nice experience setting this up and fixing the issues highlighted. 😊 |
Thanks for the update! I am curious if the exact step was |
|
It was definitely the |
As per the downloaded log archive, which has better precision, these are the timestamps: As per harden-runner log, the first file overwrite was at 2022-05-02T08:41:42.485Z. So as per this info, |
|
oh yes, Gradle displays it after it completes for TERM=dumb mode of a CI. In a rich terminal it is an updated progress line. |
ok, that explains it. Thanks! |
The only hint is that the completion step reports
Source code overwrittenerrors, which I think is due to CI recompiling to remove debug symbols the artifact.The text was updated successfully, but these errors were encountered: