ci: change s3 cache provider to optimize costs

[lklimek]

Issue being fixed or feature implemented

We use Amazon S3 as a cache backend. With very big cache sizes (just cache layers have multiple GBs of size), it became very expensive. We need to find a way to avoid this cost.

What was done?

1. Created new aws_credentials action that creates AWS credentials file, to be used as secret mount during Docker build
2. Modified docker action inputs - prefixed existing with cache_, added cache_region,cache_endpoint
3. Docker build now uses secret mounts to manage secrets
4. Removed bucket from librocksdb action
5. Added endpoint to s3-layer-cache-settings action
6. Added sccache action that configures sccache (incl. environment variables)
7. Replaces secrets.AWS_REGION with vars.AWS_REGION

How Has This Been Tested?

Run GHA pipelines multiple times and observe the results.

Breaking Changes

None from external user perspective, CI/CD config is not publicly useable.

Checklist:

• [x] I have performed a self-review of my own code
• [x] I have commented my code, particularly in hard-to-understand areas
• [ ] I have added or updated relevant unit/integration/functional/e2e tests
• [ ] I have added "!" to the title and described breaking changes in the corresponding section if my code contains any
• [x] I have made corresponding changes to the documentation if needed

For repository code-owners and collaborators only

• [ ] I have assigned this pull request to a milestone

Summary by CodeRabbit

Summary by CodeRabbit

• New Features

  • Introduced a new GitHub Action for managing AWS credentials, improving security and accessibility during builds.
  • Added a new action for configuring sccache caching, enhancing build performance for Rust projects.
  • Enhanced Docker image build workflows with new caching parameters and improved management of AWS credentials.
  • Updated workflows to utilize new caching mechanisms and environment variables, streamlining build processes.
  • Added optional input parameters for S3 caching configuration in multiple actions.
  • Introduced a new action for logging into AWS ECR, facilitating Docker container management.
  • Enhanced the tests workflows with new input parameters to control test execution.

• Bug Fixes

  • Updated AWS region handling across multiple workflows to ensure consistency and reliability.

• Documentation

  • Improved comments and descriptions in workflow files for better clarity and understanding.

• Chores

  • Removed outdated steps related to AWS credential configuration in various workflows, streamlining the release process.

[coderabbitai[bot]]

Walkthrough

This pull request introduces several changes across multiple GitHub Actions workflows and configurations, primarily focusing on managing AWS credentials and enhancing caching mechanisms. A new action for AWS credentials management is added, along with modifications to existing workflows to utilize new caching parameters. The changes also include the introduction of sccache for caching Rust builds, updates to input parameters, and the removal of deprecated AWS credential configurations in various workflows. Overall, the modifications streamline the configuration and improve the handling of AWS credentials and caching strategies.

Changes

File Path	Change Summary
.github/actions/aws_credentials/action.yaml	New action added for managing AWS credentials with inputs: access_key_id, secret_access_key, and optional profile.
.github/actions/docker/action.yaml	Input parameters modified for caching: bucket → cache_bucket, region → cache_region, new parameters added: cache_endpoint, cache_access_key_id, cache_secret_access_key.
.github/actions/librocksdb/action.yaml	Removed input parameter bucket, preserving other inputs and workflow structure.
.github/actions/rust/action.yaml	Updated output handling for Rust toolchain version, added conditional logic for protoc installation, and retained caching logic.
.github/actions/s3-layer-cache-settings/action.yaml	Changed action name quotes, updated input descriptions to double quotes, and added optional input endpoint.
.github/actions/sccache/action.yaml	New action introduced for sccache configuration with required inputs for S3 caching and multiple steps for installation and configuration.
.github/workflows/release-docker-image.yml	Removed AWS credentials configuration step, introduced new environment variables for caching.
.github/workflows/release.yml	Modified release-npm job to remove AWS credentials configuration and added sccache setup step.
.github/workflows/tests-build-image.yml	Updated AWS region handling, introduced new caching variables, and removed old AWS credentials parameters.
.github/workflows/tests-build-js.yml	Commented out AWS credentials configuration, added sccache setup step, and removed related environment variables.
.github/workflows/tests-codeql.yml	Updated AWS region input to use vars.AWS_REGION instead of secrets.AWS_REGION.
.github/workflows/tests-dashmate.yml	Changed AWS region handling to use vars.AWS_REGION, updated Docker login command, and improved conditional logic for test execution.
.github/workflows/tests-js-package.yml	Updated AWS region handling, added conditional check for skipping tests, and revised comments regarding AWS credentials.
.github/workflows/tests-packges-functional.yml	Updated AWS region handling in multiple places to use vars.AWS_REGION.
.github/workflows/tests-rs-package.yml	Removed AWS credentials configuration, added sccache setup step, and updated environment variable usage.
.github/workflows/tests-test-suite.yml	Updated AWS region handling and corrected indentation for environment variables.
.github/workflows/tests.yml	Added sccache setup step in rs-crates-security job with parameters for S3 configuration.
Dockerfile	Introduced new build arguments for sccache configuration, removed RUSTC_WRAPPER, and improved error handling.
packages/rs-dpp/src/lib.rs	Modified comment style for coding conventions without functional changes.
.github/actions/aws_ecr_login/action.yaml	New action added for logging into AWS ECR, with required inputs for AWS account and credentials.

Possibly related PRs

• #2316: This PR introduces a new GitHub Actions workflow for building and caching librocksdb, which is relevant to the main PR's focus on managing AWS credentials and caching mechanisms.
• #2318: This PR implements a prebuilt version of the librocksdb library within a Docker image, which relates to the main PR's changes in AWS credential management and caching strategies.
• #2329: This PR enhances the caching mechanism in the CI process, which aligns with the main PR's updates to AWS credentials and caching configurations in GitHub Actions.

Suggested reviewers

• QuantumExplorer

Poem

🐰 In the land of code where bunnies play,
We’ve tidied up our workflows today!
With credentials safe and caches bright,
Our builds will run with all their might!
So hop along, let’s celebrate,
For smoother paths we now create! 🌟

[!WARNING]

Rate limit exceeded

@lklimek has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 10 minutes and 35 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the `@coderabbitai review` command as a PR comment. Alternatively, push new commits to this PR. We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our [FAQ](https://docs.coderabbit.ai/faq) for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 5fbe5810cc9578714d690eb7e59ee38d8523a3e7 and b9102560a054c8a677c0c440f955524c898d721c.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

- [X](https://twitter.com/intent/tweet?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A&url=https%3A//coderabbit.ai) - [Mastodon](https://mastodon.social/share?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A%20https%3A%2F%2Fcoderabbit.ai) - [Reddit](https://www.reddit.com/submit?title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&text=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code.%20Check%20it%20out%3A%20https%3A//coderabbit.ai) - [LinkedIn](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fcoderabbit.ai&mini=true&title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&summary=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code)

🪧 Tips

### Chat There are 3 ways to chat with [CodeRabbit](https://coderabbit.ai): - Review comments: Directly reply to a review comment made by CodeRabbit. Example: - `I pushed a fix in commit , please review it.` - `Generate unit testing code for this file.` - `Open a follow-up GitHub issue for this discussion.` - Files and specific lines of code (under the "Files changed" tab): Tag `@coderabbitai` in a new review comment at the desired location with your query. Examples: - `@coderabbitai generate unit testing code for this file.` - `@coderabbitai modularize this function.` - PR comments: Tag `@coderabbitai` in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples: - `@coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.` - `@coderabbitai read src/utils.ts and generate unit testing code.` - `@coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.` - `@coderabbitai help me debug CodeRabbit configuration file.` Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. ### CodeRabbit Commands (Invoked using PR comments) - `@coderabbitai pause` to pause the reviews on a PR. - `@coderabbitai resume` to resume the paused reviews. - `@coderabbitai review` to trigger an incremental review. This is useful when automatic reviews are disabled for the repository. - `@coderabbitai full review` to do a full review from scratch and review all the files again. - `@coderabbitai summary` to regenerate the summary of the PR. - `@coderabbitai resolve` resolve all the CodeRabbit review comments. - `@coderabbitai configuration` to show the current CodeRabbit configuration for the repository. - `@coderabbitai help` to get help. ### Other keywords and placeholders - Add `@coderabbitai ignore` anywhere in the PR description to prevent this PR from being reviewed. - Add `@coderabbitai summary` to generate the high-level summary at a specific location in the PR description. - Add `@coderabbitai` anywhere in the PR title to generate the title automatically. ### CodeRabbit Configuration File (`.coderabbit.yaml`) - You can programmatically configure CodeRabbit by adding a `.coderabbit.yaml` file to the root of your repository. - Please see the [configuration documentation](https://docs.coderabbit.ai/guides/configure-coderabbit) for more information. - If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: `# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json` ### Documentation and Community - Visit our [Documentation](https://docs.coderabbit.ai) for detailed information on how to use CodeRabbit. - Join our [Discord Community](http://discord.gg/coderabbit) to get help, request features, and share feedback. - Follow us on [X/Twitter](https://twitter.com/coderabbitai) for updates and announcements.

[lklimek]

@coderabbitai review all

[coderabbitai[bot]]

[!TIP] For best results, initiate chat on the files or code changes.

@lklimek, I've reviewed the changes in Pull Request #2344. Here are some observations:

1. Consistent Quotation Marks in YAML Files: In .github/actions/docker/action.yaml and .github/actions/s3-layer-cache-settings/action.yaml, there's a mix of single and double quotation marks. For consistency and to prevent parsing issues, it's recommended to use double quotes throughout YAML files.

2. AWS Credentials Handling in Dockerfile:

   • You've introduced --mount=type=secret,id=AWS in the Dockerfile for mounting AWS credentials. Ensure that during the Docker build process, the AWS credentials are correctly provided and mounted to avoid any authentication issues.
   • In the RUN commands that use --mount=type=secret,id=AWS, consider adding checks to verify that the secrets are available before proceeding. This can prevent potential build failures due to missing credentials.

3. Removal of AWS Credentials Configuration in Workflows:

   • In workflows like release-docker-image.yml and release.yml, the step configuring AWS credentials using aws-actions/configure-aws-credentials@v4 has been removed. Please confirm that this change won't impact any AWS operations that rely on those credentials.
   • In tests-build-js.yml, the AWS credentials configuration step has been commented out. If AWS services are still being accessed in these workflows, ensure that credentials are provided through other means or consider restoring the configuration step.

4. Addition of environment: test in Workflows:

   • You've added environment: test to several jobs across different workflows (e.g., tests-build-image.yml, tests-rs-package.yml). Verify that this environment is correctly defined in your GitHub repository settings and that it doesn't interfere with production environments or permissions.

5. Consistency in Variable Naming and Usage:

   • There are instances where variables are referenced differently, such as ${{ vars.AWS_REGION }} and ${{ vars.CACHE_REGION }}. Ensure that the correct variables are used consistently across the workflows to prevent any misconfigurations.
   • In some places, secrets are referenced with different variable names (e.g., ${{ secrets.AWS_REGION }} vs. ${{ vars.AWS_REGION }}). Double-check that the variables are correctly defined and accessible in the workflow context.

6. Security Considerations:

   • In tests-rs-package.yml, there's a debug step where AWS environment variables and credentials are printed:

     set | grep AWS
     cat $HOME/.aws/credentials

     Be cautious with such commands, as they can expose sensitive information in the workflow logs. It's advisable to remove or secure these steps to protect secret data.

   • When handling secrets in workflows and Dockerfiles, ensure that they are not exposed in logs or error messages. Use GitHub's secrets and secure file mounts appropriately.

7. SCCACHE Configuration:

   • The introduction of the sccache action and related configurations is a good step towards optimizing builds. Ensure that all necessary environment variables and secrets are correctly set so that sccache can connect to the S3 backend without issues.
   • In the Dockerfile, the logic for determining if sccache is enabled has been updated. Verify that this logic works as intended in all build environments.

8. Cleanup of Redundant Steps:

   • The removal of redundant AWS credentials configuration steps in multiple workflows simplifies the CI configuration. Just confirm that any AWS-dependent steps still have the necessary credentials if they need to access AWS resources.

9. Documentation Updates:

   • Consider updating any documentation or comments to reflect the changes made, especially if they impact how developers should work with the CI/CD pipelines or Docker builds.
   • In the Dockerfile, comments related to sccache and how to provide secrets have been updated. Ensure these comments are clear and help future maintainers understand the build process.

If you have any questions or need further assistance, feel free to let me know.

🔗 Analysis chain

🏁 Scripts executed

The following scripts were executed for the analysis: Script: ``` #!/bin/bash # Fetch the diff of Pull Request #2344 gh pr diff 2344 ``` Length of output: 45253