Use 1ES OutputParentDirectory to reduce scanning tasks#7023
Conversation
|
Making sure you see #7023 (comment) |
How is the comment gone now? I did see it when the PR was open, but now that the PR is merged it looks like something deleted it. Anyway, I'm now going for option 2, explain why the changes don't appy to other branches: In short, this PR's change is build performance, not compliance, so we don't have a requirement to make the same change across all branches. An effort was made to make the same changes anyway, but it was turning into a big effort, so to avoid getting into a sunken cost fallacy situation, I'm giving up on the backporting. See below for details. I started backporting to other branches, and I created these PRs;
The 7.0.x PR works, and I'll merge it when I get approvals on it. However, before I started backporting to 6.10.x and earlier, I checked 6.14.x's build, and saw it was failing because the generate-sbom.yml task does not write the sbom to the same location as 7.0.x and later, causing the output publishing to fail. 6.12 and 6.11 have the same issue, the sbom is not in the same location as 7.0 and later. A little root cause analysis, so we can all learn from this, is as follows:
So, wrapping this all up, if the intention of asking PR authors to backport CI changes to all branches is to minimize differences between branches was to make future cherry-picks smooth, unfortunately it hasn't worked. The localization changes were huge, and the effort to make the same changes in older branches is too risky, and would take more effort than needing to manually resolve other CI changes which backporting from 7.0, so it's not worth backporting the loc changes. Another option is to backport everything other than the loc changes (all the sbom related changes from the links in the list, and copying just the sbom related files from the arcade/maestro onboard PR). In theory it could mean one CI diff would work on all branches for versions 7.0 and above, and another diff could work on all branches 6.14 and below. Unfortunately, we're not in that situation. All the 6.x branches have the same sbom situation, and still 6.14 changes had conflicts when copying to 6.12. Once resolved, the 6.12 diff had conflicts with 6.11. A lot effort alternative is to add a copy task to copy the sbom to the parent output directory, similar to how the nupkgs and VS15 directories are. But that would still be a difference between the 7.0 and 6.14 branches, which could lead to more cherry-pick conflicts when backporting future CI changes. I believe we may be spending more time manually resolving conflicts when backporting minor CI improvements like this one, than we we gain the next time we have a compliance change that forces us to modify all supported branches. Therefore, while I'll merge the 7.0.x branch backport, I'm not going to do it for the older branches. |
The only idea I have is that someone deleted it. There's no bot configuration to delete it for any reason, so perhaps it was intentionally or accidentally deleted? |
Bug
Fixes: engineering
Description
The docs on 1ES PT say that jobs with multiple outputs can get better pipeline performance by making sure all output artifacts are in the same parent directory, then using
outputParentDirectory. This makes the scanning tasks happen once on the parent directory, and get skipped on each individual output.Looking at the last 7 days of PrivateDev builds (admidetly not many, given it's around New Year), the "nonRTM" job is taking 27-30 minutes. My branch has two successful builds, taking 20 to 22 minutes. So, it looks like doing this might save around 7 minutes per build.
It also signifiantly reduces the number of tasks in the job log, making it much easier to find the logs for the publish artifact tasks.
PR Checklist
and a linked NuGet/Home issueAdded testsN/ALink to an issue or pull request to update docs if this PR changes settings, environment variables, new feature, etc.N/A