Extend docu regarding rate limit issues. #510
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -471,15 +471,46 @@ One quick way to grant access is to change the user and group of `/Users/runner/ | |
|
|
||
| ## Using `setup-python` on GHES | ||
|
|
||
| ### Avoiding rate limit issues | ||
|
|
||
| `setup-python` comes pre-installed on the appliance with GHES if Actions is enabled. When dynamically downloading Python distributions, `setup-python` downloads distributions from [`actions/python-versions`](https://github.com/actions/python-versions) on github.com (outside of the appliance). These calls to `actions/python-versions` are by default made via unauthenticated requests, which are limited to [60 requests per hour per IP](https://docs.github.com/en/rest/overview/resources-in-the-rest-api#rate-limiting). If more requests are made within the time frame, then you will start to see rate-limit errors during downloading that looks like: `##[error]API rate limit exceeded for YOUR_IP. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)`. | ||
|
|
||
| To get a higher rate limit, you can [generate a personal access token (PAT) on github.com](https://github.com/settings/tokens/new) and pass it as the `token` input for the action. It is important to understand that this needs to be a token from github.com and _not_ from your Github Enterprise account. If you or your colleagues do not yet have a github.com account, you might need to create one. | ||
kasuteru marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| Here are the steps you need to follow to avoid the rate limit: | ||
|
|
||
| 1. Create a PAT on any github.com account by using [this link](https://github.com/settings/tokens/new) after logging into github.com (not your Enterprise instance). This PAT does _not_ need any rights, so make sure all the boxes are unchecked. | ||
| 2. Store this PAT in the repository / organization where you run your action, e.g. as `GH_GITHUB_COM_TOKEN`. You can do this by navigating to your repository -> Settings -> Secrets -> Actions -> "New repository secret". | ||
kasuteru marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| 3. Since this functionality is not yet merged into any release version, for now, use the action with the hash below. Once this is merged into main, use the "normal" action like `@v4`. Also, change _python-version_ as needed. | ||
|
|
||
| ```yml | ||
| - name: Set up Python | ||
| uses: actions/setup-python@98c991d13f3149457a7c1ac4083885d0d9db98e1 | ||
| with: | ||
| python-version: 3.8 | ||
| token: ${{ secrets.GH_GITHUB_COM_TOKEN }} | ||
| ``` | ||
|
There was a problem hiding this comment. Could you please change these lines because the major tag was updated. There was a problem hiding this comment. Is 4.3 correct, or was it available in earlier versions as well? There was a problem hiding this comment. Yes, it's correct. It became available at 4.3: https://github.com/actions/setup-python/releases/tag/v4.3.0 |
||
|
|
||
| Requests should now be authenticated. To actually check this is however difficult, since caching as well as the hourly rate reset make it hard to know. Here is how you can check success: | ||
|
There was a problem hiding this comment. I would just replace this section with a reference to the rate limit API. People can use this to confirm they're getting a higher rate limit: https://docs.github.com/en/rest/rate-limit There was a problem hiding this comment. Problem for us was that you have to check rate limit on the runner itself, and in our company, only admins can access the runners. So developers cannot check it. That's why I put the other way of enabling debugging, I imagine it is the some for other companies... I will shorten the section a bit but would leave the section about debugging it without runner access in for now. Let me know what you think. There was a problem hiding this comment. When I was testing the token changes, I hit the API from the runner like this: name: CI
on: [workflow_dispatch]
jobs:
sample_build:
runs-on: [ self-hosted ]
steps:
- name: "rate limit"
run: |
curl \
-H "Accept: application/vnd.github.v3+json" \
-H "Authorization: token $TOKEN" \
https://api.github.com/rate_limit
env:
TOKEN: ${{ secrets.GH_DOTCOM_TOKEN }}
- name: Clear the tool cache
run: rm -rf /Users/runner/hostedtoolcache/Python/
- name: Set up Python
uses: brcrista/setup-python@patch-1
with:
token: ${{ secrets.GH_DOTCOM_TOKEN }}
python-version: 3.9.12
- name: "rate limit"
run: |
curl \
-H "Accept: application/vnd.github.v3+json" \
-H "Authorization: token $TOKEN" \
https://api.github.com/rate_limit
env:
TOKEN: ${{ secrets.GH_DOTCOM_TOKEN }}There was a problem hiding this comment. Didn't even think of that - of course, runner can simply be accessed inside an action... Should I then reformulate it to use your way? Or take it out entirely? It is not strictly necessary I guess but I suspect there is others like me who aren't that experienced with github actions and might have a hard time figuring out a way to test it on their own... Could also just hotlink to your post. There was a problem hiding this comment. I'm not opposed to documenting it and think that this is the most straightforward way to test the rate limit. Maybe we can just say something like: There was a problem hiding this comment. Done, and also adapted to official rollout of this feature - I think this is now ready to merge? |
||
|
|
||
| 1. Enable debugging for your github actions by following [these instructions](https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging) | ||
| 2. If you do not have access to your github runner's console, start a job with a `python-version` that you are sure wasn't used yet to avoid it simply being read from cache. | ||
| 3. In your github action logs, check for the following line: | ||
|
|
||
| ``` | ||
| Version 3.8 was not found in the local cache | ||
| ##[debug]Getting manifest from actions/python-versions@main | ||
| ##[debug]set auth <--- Make sure this line exists. | ||
| ##[debug]check 3.11.0-rc.2 satisfies 3.8 | ||
| ``` | ||
|
|
||
| 4. If you have access to your runner's console, you can manually trigger the rate limit by running the following line 60 times (or less, until you get an error response): | ||
|
|
||
| ``` | ||
| curl -I https://api.github.com/users/octocat/orgs | ||
| ``` | ||
|
|
||
| 5. Now, trigger your github action run. It will fail if auth was not successful, but run through if it was. | ||
|
|
||
| ### No access to github.com | ||
| If the runner is not able to access github.com, any Python versions requested during a workflow run must come from the runner's tool cache. See "[Setting up the tool cache on self-hosted runners without internet access](https://docs.github.com/en/enterprise-server@3.2/admin/github-actions/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access)" for more information. | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This code snippet is probably long enough to go in a block quote