From 2d0663651716ae7e1ad0b970d8a788f5bfe78026 Mon Sep 17 00:00:00 2001 From: joshbouncesecurity Date: Sun, 19 Apr 2026 18:13:34 +0300 Subject: [PATCH 1/4] ci: cache pip, npm, and JS parser node_modules to speed up Windows runs Windows CI was 3-5x slower than Linux (Go job: 3m23s vs 1m13s) largely because Defender scanning + slow NTFS metadata ops on cold toolchain extraction dominate wall time, and the workflow was redownloading/reinstalling all deps on every run. Three changes: - actions/setup-python: add `cache: pip` keyed on pyproject.toml. - actions/setup-node: add `cache: npm` keyed on package-lock.json. - actions/cache: cache parsers/javascript/node_modules directly keyed on the lockfile hash, and skip `npm install` entirely on cache hit. Also switch to `npm ci` for the miss path (stricter, deterministic). setup-go already caches the build + module cache via cache-dependency-path, so no change there. Expected: cache-hit runs should drop the Windows Go job from ~3m20s to ~1m30s and save ~30-40s on each Python job. First run on a new lockfile hash repopulates the cache. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/test.yaml | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 6f4202f..c25003f 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -24,11 +24,15 @@ jobs: uses: actions/setup-python@v5 with: python-version: "3.11" + cache: "pip" + cache-dependency-path: libs/openant-core/pyproject.toml - name: Set up Node.js uses: actions/setup-node@v5 with: node-version: "22" + cache: "npm" + cache-dependency-path: libs/openant-core/parsers/javascript/package-lock.json - name: Install Python dependencies working-directory: libs/openant-core @@ -38,9 +42,17 @@ jobs: working-directory: libs/openant-core run: ruff check . + - name: Cache JS parser node_modules + id: cache-node-modules + uses: actions/cache@v4 + with: + path: libs/openant-core/parsers/javascript/node_modules + key: ${{ runner.os }}-jsparser-nodemodules-${{ hashFiles('libs/openant-core/parsers/javascript/package-lock.json') }} + - name: Install JS parser dependencies + if: steps.cache-node-modules.outputs.cache-hit != 'true' working-directory: libs/openant-core/parsers/javascript - run: npm install + run: npm ci - name: Run Python and parser tests working-directory: libs/openant-core @@ -67,11 +79,15 @@ jobs: uses: actions/setup-python@v5 with: python-version: "3.11" + cache: "pip" + cache-dependency-path: libs/openant-core/pyproject.toml - name: Set up Node.js uses: actions/setup-node@v5 with: node-version: "22" + cache: "npm" + cache-dependency-path: libs/openant-core/parsers/javascript/package-lock.json - name: Vet working-directory: apps/openant-cli @@ -101,9 +117,17 @@ jobs: working-directory: libs/openant-core run: pip install -e ".[dev]" + - name: Cache JS parser node_modules + id: cache-node-modules + uses: actions/cache@v4 + with: + path: libs/openant-core/parsers/javascript/node_modules + key: ${{ runner.os }}-jsparser-nodemodules-${{ hashFiles('libs/openant-core/parsers/javascript/package-lock.json') }} + - name: Install JS parser dependencies + if: steps.cache-node-modules.outputs.cache-hit != 'true' working-directory: libs/openant-core/parsers/javascript - run: npm install + run: npm ci - name: Run Go CLI integration tests working-directory: libs/openant-core From 7d8f0dd8631931d2457c8a1161af113585a6c154 Mon Sep 17 00:00:00 2001 From: joshbouncesecurity Date: Sun, 19 Apr 2026 18:17:55 +0300 Subject: [PATCH 2/4] chore: retrigger CI to measure warm-cache times Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/test.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index c25003f..5480689 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -1,4 +1,5 @@ name: tests +# Retrigger for warm-cache timing measurement. on: push: branches: [master] From 77bc2b6a7872e9a3af9f82e01e0ea2969ffc6096 Mon Sep 17 00:00:00 2001 From: joshbouncesecurity Date: Sun, 19 Apr 2026 18:24:14 +0300 Subject: [PATCH 3/4] ci: exclude workspace and Go/npm caches from Windows Defender Add-MpPreference -ExclusionPath on each Windows job to skip real-time scanning over the checkout dir, Go build cache (~AppData\Local\go-build), Go module cache (~\go\pkg\mod), and npm's cache dirs. Real-time scanning of compiler-generated intermediates and extracted modules was the largest remaining slowdown on Windows runners after dep caching. Also drops the retrigger-comment scaffolding from the previous commit. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/test.yaml | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 5480689..614450c 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -1,5 +1,4 @@ name: tests -# Retrigger for warm-cache timing measurement. on: push: branches: [master] @@ -21,6 +20,21 @@ jobs: steps: - uses: actions/checkout@v5 + - name: Exclude workspace + toolchain caches from Windows Defender + if: runner.os == 'Windows' + shell: pwsh + run: | + $paths = @( + $env:GITHUB_WORKSPACE, + "$env:LOCALAPPDATA\go-build", + "$env:USERPROFILE\go\pkg\mod", + "$env:LOCALAPPDATA\npm-cache", + "$env:APPDATA\npm-cache" + ) + foreach ($p in $paths) { + Add-MpPreference -ExclusionPath $p -ErrorAction SilentlyContinue + } + - name: Set up Python uses: actions/setup-python@v5 with: @@ -70,6 +84,21 @@ jobs: steps: - uses: actions/checkout@v5 + - name: Exclude workspace + toolchain caches from Windows Defender + if: runner.os == 'Windows' + shell: pwsh + run: | + $paths = @( + $env:GITHUB_WORKSPACE, + "$env:LOCALAPPDATA\go-build", + "$env:USERPROFILE\go\pkg\mod", + "$env:LOCALAPPDATA\npm-cache", + "$env:APPDATA\npm-cache" + ) + foreach ($p in $paths) { + Add-MpPreference -ExclusionPath $p -ErrorAction SilentlyContinue + } + - name: Set up Go uses: actions/setup-go@v5 with: From b996d138a386d0082f18c2bceac134a0d35ad268 Mon Sep 17 00:00:00 2001 From: joshbouncesecurity Date: Sun, 19 Apr 2026 18:30:09 +0300 Subject: [PATCH 4/4] =?UTF-8?q?ci:=20revert=20Defender=20exclusion=20?= =?UTF-8?q?=E2=80=94=20no=20measurable=20benefit?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Defender exclusion step didn't produce a reliable improvement: Go Windows went 2m55s → 3m48s with it added (vs 2m55s without), which is either noise or evidence that Add-MpPreference is silently no-op'd on GitHub-hosted runners by tamper protection. Dropping it keeps the workflow smaller and leaves the caching wins intact. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/test.yaml | 30 ------------------------------ 1 file changed, 30 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 614450c..c25003f 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -20,21 +20,6 @@ jobs: steps: - uses: actions/checkout@v5 - - name: Exclude workspace + toolchain caches from Windows Defender - if: runner.os == 'Windows' - shell: pwsh - run: | - $paths = @( - $env:GITHUB_WORKSPACE, - "$env:LOCALAPPDATA\go-build", - "$env:USERPROFILE\go\pkg\mod", - "$env:LOCALAPPDATA\npm-cache", - "$env:APPDATA\npm-cache" - ) - foreach ($p in $paths) { - Add-MpPreference -ExclusionPath $p -ErrorAction SilentlyContinue - } - - name: Set up Python uses: actions/setup-python@v5 with: @@ -84,21 +69,6 @@ jobs: steps: - uses: actions/checkout@v5 - - name: Exclude workspace + toolchain caches from Windows Defender - if: runner.os == 'Windows' - shell: pwsh - run: | - $paths = @( - $env:GITHUB_WORKSPACE, - "$env:LOCALAPPDATA\go-build", - "$env:USERPROFILE\go\pkg\mod", - "$env:LOCALAPPDATA\npm-cache", - "$env:APPDATA\npm-cache" - ) - foreach ($p in $paths) { - Add-MpPreference -ExclusionPath $p -ErrorAction SilentlyContinue - } - - name: Set up Go uses: actions/setup-go@v5 with: