modern-java-practices
Speed up builds with caching
See existing card #431. These two cards should be merged?
Tasks
- [x] Add `OWASP_NVD_API_KEY` secret to the GitHub builds to speed up DependencyCheck CVE updates.
- [ ] Review the GH action logs for each containerized build: look for places that the build re-downloads the same thing each build. Update this card based on your findings.
- [ ] Use GH action caches for DependencyCheck CVE data (esp. improves Gradle build times).
- [ ] Update the YAML files for GH workflows to implement more caching as is sensible <-- This is the bulk of the work
- [ ] Discuss caching in relevant pages.
- [ ] Confirm build finishes in less than 30s - local
- [ ] Confirm build finishes in less than 30s - CI
References:
- https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows
- https://github.com/actions/cache
- https://github.com/marketplace/actions/dependency-check
- https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data
Include research on how to share the cache across projects.
Relates to #460, #431, #487.
Examples
When building for Gradle, I see that CI is pulling down the Gradle 8.8 distro. This is something we can cache:
+build-with-gradle | --> RUN ./gradlew clean build
+build-with-gradle | Downloading https://services.gradle.org/distributions/gradle-8.8-all.zip
+build-with-gradle | .
+build-with-gradle | ..
This only happens for the containerized build, not the "direct" build. Why?
Build now uses NVD API key. Performance issues for Earthly are from lack of a cache of NVD downloads. "Direct" builds are speedy.
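
One way to do the log review from the task list, as an added example that is not part of this issue or the project's code: it collects the `Downloading <url>` lines from Earthly-prefixed build output and reports the URLs fetched in every run, which are the ones no cache is serving. The sample logs are constructed (only the Gradle distribution line comes from the excerpt above) and the `example.invalid` URLs are placeholders.

```python
import re
from collections import Counter

# Earthly prefixes each output line with "+<target> | "; Gradle and similar
# tools then print "Downloading <url>" (or "Download <url>") per remote fetch.
DOWNLOAD_RE = re.compile(
    r"^\s*\+(?P<target>[\w.-]+)\s*\|\s*Download(?:ing)?\b.*?(?P<url>https?://\S+)"
)

def downloads(log_text):
    """Count (target, url) pairs fetched from the network in one build log."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DOWNLOAD_RE.match(line)
        if m:
            hits[(m["target"], m["url"])] += 1
    return hits

def cache_candidates(*logs):
    """Return (target, url) pairs fetched in every supplied build log."""
    per_build = [set(downloads(log)) for log in logs]
    return sorted(set.intersection(*per_build)) if per_build else []

# Constructed logs for two consecutive CI runs of the containerized build.
BUILD_1 = """\
+build-with-gradle | --> RUN ./gradlew clean build
+build-with-gradle | Downloading https://services.gradle.org/distributions/gradle-8.8-all.zip
+build-with-gradle | .
+build-with-gradle | Download https://example.invalid/repo/lib-1.0.jar
+build-with-gradle | BUILD SUCCESSFUL
"""
BUILD_2 = """\
+build-with-gradle | --> RUN ./gradlew clean build
+build-with-gradle | Downloading https://services.gradle.org/distributions/gradle-8.8-all.zip
+build-with-gradle | Download https://example.invalid/repo/lib-1.1.jar
+build-with-gradle | BUILD SUCCESSFUL
"""

if __name__ == "__main__":
    # Anything listed here was re-downloaded in both runs.
    for target, url in cache_candidates(BUILD_1, BUILD_2):
        print(f"{target}: {url}")
```
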