Adding permissions monitor substantially increases time `actions/checkout@v4` takes to run

Open landonxjames opened this issue 9 months ago • 3 comments

I recently added the permissions monitor to most of the CI jobs in the smithy-lang/smithy-rs repo in https://github.com/smithy-lang/smithy-rs/pull/4084. This led to a substantial increase in checkout times. For the (admittedly huge) awslabs/aws-sdk-rust repo this led to both an increase in time and frequent failures. For the two repos we check out, the time diffs were:

  • smithy-lang/smithy-rs: ~6s -> ~2 minutes
  • awslabs/aws-sdk-rust: ~2 minutes -> ~1 hour

Checking out the aws-sdk-rust repo would often fail (example run) with the following error:

  /usr/bin/git -c protocol.version=2 fetch --prune --no-recurse-submodules origin +refs/heads/*:refs/remotes/origin/* +refs/tags/*:refs/tags/*
  Error: error: RPC failed; HTTP 502 curl 22 The requested URL returned error: 502
  Error: fatal: expected 'packfile'
  Error: The process '/usr/bin/git' failed with exit code 128

Removing the permissions monitor in https://github.com/smithy-lang/smithy-rs/pull/4088 took the checkout times back to normal.

Potentially I could have gotten around this by moving the monitor action after the checkout actions, but the documentation for the monitor specifically says:

Include the Monitor action in every job of your workflow. The actions should be the first step in the job, even before the checkout action.

landonxjames, Apr 08 '25 21:04

Thank you for your report, I wasn't aware of that. I know that installing the monitor takes time and this is a potential overhead for every run. But a significant overhead once the proxy is running is not expected. This needs to be investigated.

Regarding the documentation, you can install it after checkout. It will then miss the needed `contents: read` for private repositories, but for public repositories the permission is not needed.

JarLob, Apr 11 '25 09:04

I just released https://github.com/GitHubSecurityLab/actions-permissions/releases/tag/v1.0.2-beta6 with a new mitmproxy version. Could you please try it?

JarLob, Apr 11 '25 09:04

That seems to have fixed it, thank you! I bumped to the beta version in https://github.com/smithy-lang/smithy-rs/commit/b8e48cccbca0f6fac514aff5c1b38959f72f3976 and a test run of the action against that branch shows us back to the previous checkout times https://github.com/smithy-lang/smithy-rs/actions/runs/14408783111/job/40411702012

I will note that it took the permissions monitor longer to start up on the beta version. ~1 minute vs ~30 seconds in previous runs. But that is a small price to pay for getting back the checkout times.

landonxjames, Apr 11 '25 17:04