-
-
Notifications
You must be signed in to change notification settings - Fork 9.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
attestations: batch attestation requests to reduce GH API load #18544
Comments
Another option: check attestations at bottle fetch time instead of at bottle pour time.
|
Still think we should pursue this. Batching is a good idea in general to reduce roundtrips but it's not really a full solution to the rate limit problem as there's so many situations we need to cover: dependencies, multiple named args, dependent upgrades, Brewfiles and scripts that do multiple 60/hour is not really acceptable for us to ship to GA. For third-party taps: when containers aren't used then we do download a tab JSON so it could go there and that shouldn't be an issue. |
This makes sense to me for something to do for now.
Agreed but, until someone does, we should try to improve things accordingly first.
Agreed. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
Leaving some notes for myself, since I'm planning on working on this in the coming weeks:
|
I did also briefly look into stapling attestations to GHCR recently and can look into drafting that maybe this week. |
Verification
brew install wget
. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.Provide a detailed description of the proposed feature
This is a tracking issue for myself.
GitHub ratelimits their attestation APIs. These ratelimits are mostly fine when authenticated, but are severe when unauthenticated. However, even when authenticated, we're currently regularly getting close to them on CI (since the CI performs a lot of attestation verifications while performing bottle builds + test installs).
We can significantly reduce the amount of individual GH API calls we make by batching our attestation lookups. Instead of performing one
gh attestation ...
subcommand per attestation, we can instead pre-compute the list of attestations to look up and fetch them in a bulk fashion by requesting them in a singlegh attestation ...
invocation.gh attestation ...
should then download them in an appropriate batched fashion internally.What is the motivation for the feature?
Three main motivations:
gh
level or at thebrew
level. It also reduces the number ofgh
subprocessesbrew
needs to spawn, which are also slow.gh
transition: downloading the attestations up-front means we can more easily slotsigstore-ruby
in for verification.How will the feature be relevant to at least 90% of Homebrew users?
Reliability and performance, per above.
What alternatives to the feature have been considered?
Two options:
The text was updated successfully, but these errors were encountered: