Sandboxing is the Key to Caching without False Positives

CI/CD
Jul 23, 2025
Dan Manges
RWX is the only CI/CD platform that automatically caches everything. Cache keys are determined automatically, and tasks are sandboxed so that they can only access the files specified in the filter.

On other CI/CD platforms, engineers have to manually configure cache keys, and executions are not sandboxed. Adding cache configuration is tedious and error-prone. And since tasks can access files outside of the specified cache key, cache hits can be false positives. At best this results in builds breaking for other engineers, and at worst it results in bugs making it out to production.

What is Sandboxing?

In general, sandboxing is the computer science term for restricting what a program can access. For example, it's commonly used in security to ensure that a program can only reach the files and network resources that it's supposed to.

It's also the technique that we use for executing tasks with reliable caching on RWX.

How Caching Works on GitHub Actions and Other CI Platforms

On GitHub Actions, you have to manually orchestrate caching. To configure the cache key, it's recommended to use the hashFiles function. For example, if you wanted to cache the results of setting up a database, you might do:

hashFiles('db/**')

However, all of the other files from the project are still present on disk. If a file outside of the db directory affects the execution, you'll get false positives on the cache (meaning you'll get a cache hit when you shouldn't have).

This creates two problems:

How Sandboxing Works on RWX

When running tasks on RWX, you can specify a filter.

The filter does two things:

Combined, these make the automatic, intelligent caching on RWX work perfectly: it never produces a false positive.
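The following is an added example, not RWX's implementation or code from the original post: a small Python model of the false positive described for a `db/**` cache key, and of a sandboxed run that exposes only the filtered files. The `setup_db` task, the file names, and modeling the sandbox as a copy into a temporary directory are all assumptions made for illustration.

```python
import fnmatch, hashlib, shutil, tempfile
from pathlib import Path

def matching(root, patterns):  # relative paths matching any glob ('*' also spans '/')
    rel = (p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
    return sorted(r for r in rel if any(fnmatch.fnmatch(r, g) for g in patterns))

def cache_key(root, patterns):  # SHA-256 over matched files' paths and contents only
    h = hashlib.sha256()
    for r in matching(root, patterns):
        h.update(r.encode() + b"\0" + (root / r).read_bytes() + b"\0")
    return h.hexdigest()

def setup_db(workdir):
    # Constructed task: declared input is db/, but it also reads config/seed.txt.
    schema = (workdir / "db/schema.sql").read_text()
    return schema + " -- seed " + (workdir / "config/seed.txt").read_text()

def run_cached(root, patterns, cache, sandboxed):
    key = cache_key(root, patterns)
    if key in cache:
        return cache[key], "hit"
    if not sandboxed:
        cache[key] = setup_db(root)  # task sees the whole checkout
        return cache[key], "miss"
    with tempfile.TemporaryDirectory() as box:  # task sees only the filtered files
        for r in matching(root, patterns):
            (Path(box) / r).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(root / r, Path(box) / r)
        cache[key] = setup_db(Path(box))  # undeclared read -> FileNotFoundError
    return cache[key], "miss"

def demo():
    with tempfile.TemporaryDirectory() as d:
        root, cache = Path(d), {}
        for sub in ("db", "config"):
            (root / sub).mkdir()
        (root / "db/schema.sql").write_text("CREATE TABLE t (id INT);")
        (root / "config/seed.txt").write_text("v1")
        run_cached(root, ["db/**"], cache, sandboxed=False)
        (root / "config/seed.txt").write_text("v2")  # change outside the key's inputs
        out, status = run_cached(root, ["db/**"], cache, sandboxed=False)
        stale = status == "hit" and out != setup_db(root)  # false positive
        try:
            run_cached(root, ["db/**"], {}, sandboxed=True)
            blocked = False
        except FileNotFoundError:
            blocked = True
        fixed = run_cached(root, ["db/**", "config/**"], {}, sandboxed=True)[0]
        return stale, blocked, fixed
```

In the unsandboxed run the hidden dependency silently yields a stale hit; in the sandboxed run the same dependency fails loudly until `config/**` is added to the filter, at which point it also becomes part of the key.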
