
Adding permissions monitor substantially increases time actions/checkout@v4 takes to run #40

Open
landonxjames opened this issue Apr 8, 2025 · 3 comments

landonxjames commented Apr 8, 2025

I recently added the permissions monitor to most of the CI jobs in the smithy-lang/smithy-rs repo in smithy-lang/smithy-rs#4084. This led to a substantial increase in checkout times. For the (admittedly huge) awslabs/aws-sdk-rust repo this led to both an increase in time and frequent failures. For the two repos we check out, the time diffs were:

  • smithy-lang/smithy-rs: ~6s -> ~2 minutes
  • awslabs/aws-sdk-rust: ~2 minutes -> ~1 hour

Checking out the aws-sdk-rust repo would often fail (example run) with the following error:

  /usr/bin/git -c protocol.version=2 fetch --prune --no-recurse-submodules origin +refs/heads/*:refs/remotes/origin/* +refs/tags/*:refs/tags/*
  Error: error: RPC failed; HTTP 502 curl 22 The requested URL returned error: 502
  Error: fatal: expected 'packfile'
  Error: The process '/usr/bin/git' failed with exit code 128

Removing the permissions monitor in smithy-lang/smithy-rs#4088 took the checkout times back to normal.

Potentially I could have gotten around this by moving the monitor action after the checkout actions, but the documentation for the monitor specifically says:

Include the Monitor action in every job of your workflow. The actions should be the first step in the job, even before the checkout action.

Contributor

JarLob commented Apr 11, 2025

Thank you for your report, I wasn't aware of that. I know that installing the monitor takes time and this is a potential overhead for every run. But a significant overhead once the proxy is running is not expected. This needs to be investigated.

Regarding the documentation, you can install it after checkout. It will then miss the needed contents: read for private repositories, but for public repositories the permission is not needed.

Contributor

JarLob commented Apr 11, 2025

I just released https://github.com/GitHubSecurityLab/actions-permissions/releases/tag/v1.0.2-beta6 with a new mitmproxy version. Could you please try it?

@landonxjames
Author

That seems to have fixed it, thank you! I bumped to the beta version in smithy-lang/smithy-rs@b8e48cc and a test run of the action against that branch shows us back to the previous checkout times https://github.com/smithy-lang/smithy-rs/actions/runs/14408783111/job/40411702012

I will note that it took the permissions monitor longer to start up on the beta version. ~1 minute vs ~30 seconds in previous runs. But that is a small price to pay for getting back the checkout times.
