Sandboxing is the Key to Caching without False Positives

CI/CD
Jul 23, 2025
Dan Manges
Sandboxing is the Key to Caching without False Positives

RWX is the only CI/CD platform that automatically caches everything. Cache keys are determined automatically, and tasks are sandboxed so that they can only access the files specified in the filter.

On other CI/CD platforms, engineers have to manually configure cache keys, and executions are not sandboxed. Adding cache configuration is tedious and error prone. And since tasks can access files outside of the specified cache key, cache hits could be false positives. At best this can result in builds breaking for other engineers, and at worst it can result in bugs making it out to production.

What is Sandboxing?

In general, sandboxing is the computer science term used to describe limiting access to certain things. For example, it's commonly used for security to ensure that a program can only access the files and network resources that it's supposed to.

It's also the technique that we use for executing tasks with reliable caching on RWX.

How Caching Works on GitHub Actions and Other CI Platforms

On GitHub Actions, you have to manually orchestrate caching. To configure the cache key, it's recommended to use the hashFiles function. For example, if you wanted to cache the results of setting up a database, you might do:

hashFiles('db/**')

However, all of the other files from the project are still present on disk. If a file outside of the db directory affects the execution, you'll get false positives on the cache (meaning you'll get a cache hit when you shouldn't have).

This creates two problems:

How Sandboxing Works on RWX

When running tasks on RWX, you can specify a filter.

The filter does two things:

The combination of this means that the automatic, intelligent caching on RWX works perfectly. It never produces a false positive.

Demo

Never miss an update

Get the latest releases and news about RWX and our ecosystem with our newsletter.

Share this post

Enjoyed this post? Pleas share it on your favorite social network!

Related posts

Read more on updates and advice from the RWX engineering team

See all posts
Using an MCP Server to Fix Tests that Failed on CI
CI/CD

Using an MCP Server to Fix Tests that Failed on CI

We shipped an MCP Server via the RWX CLI. Use it to have AI fix tests that failed on CI, powered by RWX tracking test failures as a semantic output.

Aug 8, 2025
Read now
tmpfs for Super Fast Writes
CI/CD

tmpfs for Super Fast Writes

To accelerate performance in high iops scenarios like an npm install, we built support for running tasks using tmpfs.

Aug 6, 2025
Read now
RWX July 2025 Recap: ARM runners, VS Code Extension, and more
CI/CD

RWX July 2025 Recap: ARM runners, VS Code Extension, and more

In July we released ARM runners, a VS Code Extension, and an option to start runs manually. Stay tuned for progress on a new way to build container images.

Aug 4, 2025
Read now