From 1b7139ced79656bc3d3ec2355d9df024c920de39 Mon Sep 17 00:00:00 2001
From: Connor Tsui
Date: Fri, 19 Jun 2026 17:14:34 -0400
Subject: [PATCH] ci: install only the uv binary for v4 ingest (drop the workspace sync) Supersedes the earlier reorder. The v4 ingest runs `uv run --no-project --with psycopg[binary] --with boto3 --with xxhash`, which needs only the uv binary and an ephemeral env -- never the workspace. But the "Install uv" step used spiraldb/actions/setup-uv, which runs a full `uv sync --all-extras --dev`: it rebuilds vortex-python via maturin -> sccache -> S3, and on the s3-cache bench runners that fails `s3:GetObject AccessDenied` under the just-assumed ingest role (rds-db:connect only). Production proved the sync is dead weight -- the "Install uv" step went red while the ingest still succeeded, because the binary installs before the sync and the ingest doesn't need it. Switch the three v4 "Install uv" steps to astral-sh/setup-uv (the same v7.6.0 binary spiraldb's action vendors) with no sync. This removes the wasteful workspace build, eliminates the sccache->S3 dependency entirely (so step order no longer matters -- the reorder is reverted), and is much faster. The benchmark job's own non-v4 setup-uv is left as-is (it legitimately needs the workspace).
Signed-off-by: Connor Tsui
---
 .github/workflows/bench.yml | 20 +++++++++-----------
 .github/workflows/commit-metadata.yml | 20 +++++++++-----------
 .github/workflows/sql-benchmarks.yml | 20 +++++++++-----------
 3 files changed, 27 insertions(+), 33 deletions(-)
diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml
index 695c4d80e23..10644af1e48 100644
--- a/.github/workflows/bench.yml
+++ b/.github/workflows/bench.yml
@@ -136,17 +136,6 @@ jobs:
 # `continue-on-error` so an OIDC / uv / connect hiccup never breaks the v3
 # pipeline. post-ingest.py mints the RDS IAM token internally (boto3) from
 # the assumed GitHubBenchmarkIngestRole; sslmode=verify-full validates the cert.
- #
- # ORDER MATTERS: "Install uv" runs BEFORE "Configure AWS credentials".
- # configure-aws-credentials persists the assumed ingest-role (rds-db:connect
- # only) as the job's ambient AWS creds; the uv setup compiles via sccache
- # (S3-backed), so running it after the role switch fails with S3 AccessDenied.
- # Installing uv first keeps sccache on the original S3-capable creds; the role
- # is assumed immediately before the ingest, which needs only rds-db:connect.
- name: Install uv for v4 ingest
- if: vars.GH_BENCH_INGEST_ROLE_ARN != ''
- continue-on-error: true
- uses: spiraldb/actions/.github/actions/setup-uv@a746510eafaa926484c354541cfc49b2ec06cc63 # 0.18.6
 - name: Configure AWS credentials for v4 ingest (OIDC)
 if: vars.GH_BENCH_INGEST_ROLE_ARN != ''
 continue-on-error: true
@@ -154,6 +143,15 @@ jobs:
 with:
 role-to-assume: ${{ vars.GH_BENCH_INGEST_ROLE_ARN }}
 aws-region: ${{ vars.RDS_BENCH_REGION }}
+ # Install ONLY the uv binary (no `uv sync`): the ingest runs
+ # `uv run --no-project --with`, which needs just the binary, not a workspace
+ # build. spiraldb's setup-uv ran a full `uv sync` that built vortex-python via
+ # sccache->S3 and failed under the ingest-role creds (which lack S3) -- pure
+ # waste, since the ingest never used the synced workspace.
+ - name: Install uv for v4 ingest
+ if: vars.GH_BENCH_INGEST_ROLE_ARN != ''
+ continue-on-error: true
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 - name: Ingest results to v4 Postgres (best-effort)
 if: vars.GH_BENCH_INGEST_ROLE_ARN != ''
 continue-on-error: true
diff --git a/.github/workflows/commit-metadata.yml b/.github/workflows/commit-metadata.yml
index 1cd2601736c..8f2816c24fe 100644
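Review bot: The re-added `Install uv for v4 ingest` step in bench.yml now runs after `Configure AWS credentials for v4 ingest (OIDC)`, so the third-party `astral-sh/setup-uv` action executes with the assumed ingest-role credentials already ambient in the job. The commit message says step order no longer matters functionally, so the least-privilege placement is to install uv before the role is assumed and leave the ingest as the only step that runs with those credentials. The matching hunks in commit-metadata.yml and sql-benchmarks.yml have the same ordering. If the step moves, a comment such as `# Installed before the role is assumed so that only the ingest step runs with ingest-role creds.` would record why.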
--- a/.github/workflows/commit-metadata.yml
+++ b/.github/workflows/commit-metadata.yml
@@ -41,17 +41,6 @@ jobs:
 # a v4 failure never fails the job (promoted to required at cutover, PR-5.1).
 # Gated on the ingest-role ARN var (the assume-role input that MUST exist) so
 # it no-ops until v4 infra is wired.
- #
- # ORDER MATTERS: "Install uv" runs BEFORE "Configure AWS credentials".
- # configure-aws-credentials persists the assumed ingest-role (rds-db:connect
- # only) as the job's ambient AWS creds; the uv setup compiles via sccache
- # (S3-backed), so running it after the role switch fails with S3 AccessDenied.
- # Installing uv first keeps sccache on the original S3-capable creds; the role
- # is assumed immediately before the ingest, which needs only rds-db:connect.
- name: Install uv for v4 ingest
- if: vars.GH_BENCH_INGEST_ROLE_ARN != ''
- continue-on-error: true
- uses: spiraldb/actions/.github/actions/setup-uv@a746510eafaa926484c354541cfc49b2ec06cc63 # 0.18.6
 - name: Configure AWS credentials for v4 ingest (OIDC)
 if: vars.GH_BENCH_INGEST_ROLE_ARN != ''
 continue-on-error: true
@@ -59,6 +48,15 @@ jobs:
 with:
 role-to-assume: ${{ vars.GH_BENCH_INGEST_ROLE_ARN }}
 aws-region: ${{ vars.RDS_BENCH_REGION }}
+ # Install ONLY the uv binary (no `uv sync`): the ingest runs
+ # `uv run --no-project --with`, which needs just the binary, not a workspace
+ # build. spiraldb's setup-uv ran a full `uv sync` that built vortex-python via
+ # sccache->S3 and failed under the ingest-role creds (which lack S3) -- pure
+ # waste, since the ingest never used the synced workspace.
+ - name: Install uv for v4 ingest
+ if: vars.GH_BENCH_INGEST_ROLE_ARN != ''
+ continue-on-error: true
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 - name: Ingest commit metadata to v4 Postgres (best-effort)
 if: vars.GH_BENCH_INGEST_ROLE_ARN != ''
 continue-on-error: true
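Review bot: The new `uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0` line in commit-metadata.yml pins the action by commit SHA but passes no `with:` inputs, so the uv release that gets downloaded is left to the action's default resolution rather than fixed in the workflow. The trailing `# v7.6.0` appears to name the action release, not a uv version, so the commit message's statement that this is the same binary as before is not enforced by anything in the hunk. Adding `with:` and `version: "<uv version the ingest was validated with>"` under the step would make the tool that runs next to the ingest credentials reproducible. The same applies to the matching hunks in bench.yml and sql-benchmarks.yml.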
diff --git a/.github/workflows/sql-benchmarks.yml b/.github/workflows/sql-benchmarks.yml
index 092b3548510..add44ab5cb6 100644
--- a/.github/workflows/sql-benchmarks.yml
+++ b/.github/workflows/sql-benchmarks.yml
@@ -689,17 +689,6 @@ jobs:
 # input that MUST exist for OIDC to succeed; it no-ops until v4 infra is wired), and
 # every step is continue-on-error. post-ingest.py mints the RDS IAM token (boto3) from
 # the assumed GitHubBenchmarkIngestRole; sslmode=verify-full validates the cert.
- #
- # ORDER MATTERS: "Install uv" runs BEFORE "Configure AWS credentials".
- # configure-aws-credentials persists the assumed ingest-role (rds-db:connect
- # only) as the job's ambient AWS creds; the uv setup compiles via sccache
- # (S3-backed), so running it after the role switch fails with S3 AccessDenied.
- # Installing uv first keeps sccache on the original S3-capable creds; the role
- # is assumed immediately before the ingest, which needs only rds-db:connect.
- name: Install uv for v4 ingest
- if: inputs.mode == 'develop' && vars.GH_BENCH_INGEST_ROLE_ARN != ''
- continue-on-error: true
- uses: spiraldb/actions/.github/actions/setup-uv@a746510eafaa926484c354541cfc49b2ec06cc63 # 0.18.6
 - name: Configure AWS credentials for v4 ingest (OIDC)
 if: inputs.mode == 'develop' && vars.GH_BENCH_INGEST_ROLE_ARN != ''
 continue-on-error: true
@@ -707,6 +696,15 @@ jobs:
 with:
 role-to-assume: ${{ vars.GH_BENCH_INGEST_ROLE_ARN }}
 aws-region: ${{ vars.RDS_BENCH_REGION }}
+ # Install ONLY the uv binary (no `uv sync`): the ingest runs
+ # `uv run --no-project --with`, which needs just the binary, not a workspace
+ # build. spiraldb's setup-uv ran a full `uv sync` that built vortex-python via
+ # sccache->S3 and failed under the ingest-role creds (which lack S3) -- pure
+ # waste, since the ingest never used the synced workspace.
+ - name: Install uv for v4 ingest
+ if: inputs.mode == 'develop' && vars.GH_BENCH_INGEST_ROLE_ARN != ''
+ continue-on-error: true
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 - name: Ingest results to v4 Postgres (best-effort)
 if: inputs.mode == 'develop' && vars.GH_BENCH_INGEST_ROLE_ARN != ''
 continue-on-error: true