Tool Caches

Tool caches are used to run a task with the file contents of a previous execution of that task.

Dependency installation tasks like bundle install will cache miss if any dependency changes. By configuring a tool cache, a cache miss will be run with the contents of a previous execution of that task. Tool caches are the best way to reduce the runtime of tasks amenable to incremental updates.

Tool caches do not change Mint's caching semantics. Tasks are always checked for a cache hit before executing.

Configuring a tool cache

All tool caches belong to a vault. A run is configured with the vault to read tool caches from via the tool-cache key. For example, the following tool-cache definition on a run configures tool caches to be read from the release vault.

tool-cache:
  vault: release

If the vault is unlocked for the run, tool caches will be read from and written to the vault. If the vault is locked, tool caches will only be read from the vault.

A tool cache is enabled for a task via the tool-cache key, which configures the name of the tool cache used for the task. A value of true uses the task key as the tool cache name, but any string literal can be used.

For example, the following run definition configures tool caches to be read from the release vault, and the bundle-install task to use the tool cache bundle-install.

tool-cache:
  vault: release

tasks:
  - key: bundle-install
    run: bundle install
    tool-cache: true
    env:
      BUNDLE_FROZEN: true

Recommendations

Use a frozen lockfile

Package managers such as bundle may touch a lockfile when performing an install. This can cause a tool cache to persist a version of a lockfile that overwrites the lockfile from an earlier task. It's recommended to configure package managers to install dependencies without writing to the lockfile.

Protect write access

It's recommended to configure tool caches to use a vault unlocked only by your repository's protected branch(es). For example, suppose the vault release is unlocked only by the release branch. The run-level tool cache configuration

tool-cache:
  vault: release

ensures that Mint runs on any other branch can use tool caches populated by the release branch, but not write to any tool cache used by the release branch.

This hardening technique prevents feature branches from possibly writing to tool caches with malicious file contents.

Limitations

At this time, Mint does not support configuring multiple vaults as sources of tool caches.

At this time, tool caches cannot be evicted.

At this time, tool cache names are always interpreted as string literals. Mint template expressions in a tool cache name are not evaluated.

Tool caches have a limit of 7 incremental layers. If a tool cache contains 8 or more layers, only the bottom layer of the tool cache will be used in the execution of a task. For example, if a task bundle-install configured with a tool cache is run with a different set of Ruby gems 9 times, the eighth execution will start with the filesystem contents of all previous executions, but the ninth execution will start only with the filesystem contents of the first execution of bundle-install.

Please let us know if you'd like to request changes to these limitations.