codeql-action

Action takes 5-6 seconds to download

Open jsoref opened this issue 1 year ago • 1 comments

It takes 5-6 seconds for workflows to download this repository as an action. I believe it's because the node modules directory is 300+ MB. It includes at least two copies of TypeScript.

@aibaars suggests:

I think they could remove node-modules and compile the TypeScript code to a few minified scripts

jsoref avatar Oct 13 '24 17:10 jsoref

Hi @jsoref,

Thanks for your suggestion. I will forward it to the team responsible for the Action and provide an update when I receive more information.

rvermeulen avatar Oct 16 '24 00:10 rvermeulen

Now that https://github.com/github/codeql-action/pull/3054 is merged, download times should be significantly improved. Thanks for the effort you've put into this already. We'll close this issue and please let us know if download times continue to be a problem.

aeisenberg avatar Aug 29 '25 16:08 aeisenberg

Confirmed. 14s->1s

before (14s)

Fri, 29 Aug 2025 17:35:24 GMT
Download action repository 'github/codeql-action@48dd624a81acd5d5f2e94c2b1e54102c6b5bd642' (SHA:48dd624a81acd5d5f2e94c2b1e54102c6b5bd642)
Fri, 29 Aug 2025 17:35:38 GMT
Complete job name: time

after (1s)

Fri, 29 Aug 2025 17:35:49 GMT
Download action repository 'github/codeql-action@02ab253bd299d261d00cdf8a9bca38fea2697d50' (SHA:02ab253bd299d261d00cdf8a9bca38fea2697d50)
Fri, 29 Aug 2025 17:35:50 GMT
Complete job name: time

jsoref avatar Aug 29 '25 17:08 jsoref

Nice!

aeisenberg avatar Aug 29 '25 17:08 aeisenberg

Fwiw, it looks like you now have 45 MB of content (42 MB is the bundled actions, and 3 MB is everything else) which is a huge improvement over what it was before.

Personally, I'd kinda want repositories or tags that had only a single action since that's the difference between 2-5M and 45M -- and I'm pretty sure it'd be doable if you were willing to create things where you basically deleted everything except the top level readmes, the relevant js file and the relevant action, committed, and tagged that as a single tag (either ${sha}-${action} or ${action}-${sha}).

But that's just a bit of cream and I can understand not wanting to do it...

jsoref avatar Aug 31 '25 01:08 jsoref

I can see how that would be useful for upload-sarif users. It would be less useful for codeql code scanning users since they are the vast majority of codeql action users. I suspect they would see much less of an improvement if we split things up as you suggest.

aeisenberg avatar Sep 02 '25 15:09 aeisenberg