ci: seed codegen image cache from main instead of per-PR scopes#1549
Conversation
The generated_files.yml workflow only runs on pull_request, so its cache-to: type=gha,mode=max wrote buildkit blobs into per-PR scopes that other PRs cannot read. Every new PR cold-built the codegen image (235-365s in 11 of 17 runs last week), and ~6 GB of duplicate blobs pushed the repo's Actions cache to 9.9/10 GB, evicting the Playwright and pnpm caches. Add codegen_image_cache.yml, which builds the image on pushes to main that touch its inputs (codegen.Dockerfile, packages/connect-python) and exports the cache to main's scope, readable by all PRs. Drop cache-to from the PR-side build. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
PR SummaryLow Risk Overview This adds Reviewed by Cursor Bugbot for commit 60132c4. Bugbot is set up for automated code reviews on this repo. Configure here. |
Package ArtifactsBuilt from 9221d29. Download artifacts from this workflow run. JS SDK ( npm install ./e2b-2.33.1-ci-slow-dependency-installs.0.tgzCLI ( npm install ./e2b-cli-2.13.3-ci-slow-dependency-installs.0.tgzPython SDK ( pip install ./e2b-2.32.0+ci.slow.dependency.installs-py3-none-any.whl |
There was a problem hiding this comment.
LGTM — straightforward CI cache-seeding change.
Extended reasoning...
Overview
This PR only touches two GitHub Actions workflow files: it adds a new codegen_image_cache.yml that rebuilds the codegen Docker image on pushes to main (when its actual inputs change) and exports the buildkit cache with cache-to: type=gha,mode=max, and it removes the cache-to step from the PR-triggered generated_files.yml job (keeping cache-from) so PRs read the shared main-scoped cache instead of writing their own unreadable per-PR blobs.
Security risks
None. permissions: contents: read is correctly scoped (no registry push, just GHA cache read/write via docker/build-push-action), and the new workflow only triggers on push to main or manual workflow_dispatch, so it cannot be triggered by untrusted PR branches with elevated permissions.
Level of scrutiny
Low — this is a CI-only, non-production change with a clearly stated, verifiable rationale (cache scope isolation causing repeated cold builds and cache eviction). The mechanics (paths filter, cache-from/cache-to split) match standard GitHub Actions + buildkit caching patterns and match the PR description's stated intent exactly.
Other factors
The change is small (2 files, mostly additive), self-contained, and reversible (worst case is a cold-build regression, not a correctness or security issue). No changeset is required since no SDK/CLI packages are touched. No outstanding review comments to address.
Why
generated_files.ymlonly runs onpull_request, so itscache-to: type=gha,mode=maxwrote buildkit blobs into per-PR scopes that other PRs cannot read — every new PR cold-built the codegen image (235–365s in 11 of 17 runs over the past week vs ~65s warm), and ~6 GB of duplicate blobs pushed the repo's Actions cache to 9.9 GB of the 10 GB limit, evicting the Playwright and pnpm caches that #1538 relies on.What
Adds
codegen_image_cache.yml, which builds the image on pushes tomaintouching its actual inputs (codegen.Dockerfile,packages/connect-python/**, or the workflow itself) and exports the cache to main's scope, readable by all PRs; it also supportsworkflow_dispatchfor manual re-seeding. The PR-side build ingenerated_files.ymlkeepscache-frombut dropscache-to. Merging this PR triggers the first seed automatically, since the new workflow file matches its own paths filter.🤖 Generated with Claude Code