mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 18:17:09 +00:00

tests: allow non-default branches to push spread cache

As a security measure, GitLab splits cache into two broad pools: protected and
non-protected. Any job running in a protected branch has access to the
protected cache pool. All other jobs run in the non-protected cache pool.

This effectively forces us to push to cache in non-protected branches, like all
the merge requests, in order to actually use the cache.

Ideally we'd disable this protection and only push from the default branch and
pull otherwise, as changes to the dependency set are rather rare.

[1] https://docs.gitlab.com/ee/ci/caching/#use-the-same-cache-for-all-branches

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
This commit is contained in:
Zygmunt Krynicki 2025-01-30 14:40:30 +01:00
parent f82c8471f5
commit a0adb01631


@ -256,10 +256,19 @@ coverity:
- spread-artifacts - spread-artifacts
when: always when: always
rules: rules:
- if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH # Due to default cache protection logic in GitLab, pipelines running in
variables: # protected branches (like master in the AppArmor project) do not get
# Dependencies change rarely so not having to worry about pushes from other branches removes complexity. # access, even read access, to protected cache. As such we need to allow
POLICY: pull # non-protected branches to push the cache sometimes, or we'd pay the cost
# of never using cache on unprotected branches.
#
# As such disable the first rule below and only consider CI_NODE_TOTAL and
# CI_NODE_INDEX in cache pull/pull-push preference.
#
# - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
# variables:
# # Dependencies change rarely so not having to worry about pushes from other branches removes complexity.
# POLICY: pull
- if: $CI_NODE_TOTAL == "1" - if: $CI_NODE_TOTAL == "1"
variables: variables:
# For sequential jobs we can always push to the cache. # For sequential jobs we can always push to the cache.
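Review bot: the replacement comment at the top of this hunk inverts the cache-pool behaviour. It says pipelines on protected branches "do not get access, even read access, to protected cache", whereas the commit message (and the GitLab page it links) says the opposite: jobs on protected branches use the protected pool, and it is the non-protected branches, i.e. the merge-request pipelines, that cannot read what master pushed, which is the actual reason the `pull`-only rule has to go. Suggest rewording to something like `# protected branches (like master in the AppArmor project) push to a cache pool` / `# that non-protected branches (merge requests) cannot read, not even read-only.` Rather than leaving the old rule as a commented-out block with an explanatory paragraph around it, delete it; git history keeps the old text. One caveat on the comment's framing of this as "default cache protection logic": the split is the safeguard that keeps cache written by an untrusted merge-request pipeline from being consumed by jobs on master, so the "ideally we'd disable this protection" option mentioned in the commit message trades that cache-poisoning protection for convenience and is better left alone.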
@ -268,6 +277,9 @@ coverity:
variables: variables:
# For parallel jobs, only the first job pushes to the cache. # For parallel jobs, only the first job pushes to the cache.
POLICY: pull-push POLICY: pull-push
- if: $CI_NODE_TOTAL != "1" && $CI_NODE_INDEX != "1"
variables:
POLICY: pull
.spread-x86_64: .spread-x86_64:
extends: .spread extends: .spread
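Review bot: the new `$CI_NODE_TOTAL != "1" && $CI_NODE_INDEX != "1"` rule is the one that makes this change safe, not just tidy: with `rules:`, a job whose conditions all fail is not added to the pipeline, and now that the `$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH` rule is gone, parallel nodes other than the first would have had no matching rule unless a catch-all follows that the diff does not show. It deserves a comment in the same style as the two rules above it, e.g. `# For parallel jobs, the remaining nodes only pull from the cache.`, so the three-way split (sequential, first parallel node, other parallel nodes) reads as intended.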