I seem to remember seeing documentation about caching the Infracost artefacts (modules and baseline) a while ago when using the GitHub Action. Is this no longer recommended?

@stale-needle-387 We’ve made big improvements to the CLI performance so I doubt it’s needed anymore. If you can use the free GH App then that’ll only run changed folders based on the GitHub App events, so for very large Terragrunt repos that works best. Is there something preventing you from using the GH App? I’ve seen users with 1K+ terragrunt projects in mono repos use the GH app.

The primary concern with the GitHub App is we would need to provide that app read access to all of our repositories, as we have Terraform modules defined all over the place. This will likely be an issue for the security teams since there's a larger blast radius if (and I know it's unlikely) your GitHub app tokens get compromised. The CLI keeps everything in our environment, which makes it a much easier sell to use new tools.

Noted, yep the security review can take a bit of time but we usually pass them. Anyhow - if the main branch of your Terragrunt repo is running fairly quickly locally then it should be fine on GH Actions too.

Our GitHub Actions runs take 20+ minutes for each test (so 40 minutes for the baseline and PR checks), hence the question about cache 🙂

Even with the cache, 20mins seems very slow, we aim for ~1min runs on CI (we monitor the run times with GH and GitLab App runs to ensure things are fast).

We do run a

plan

but don't output the plan file. It's something we could look to do, although we inherited a fairly janky pipeline running on ECS (that we have plans to replace in the next quarter)

hmmm, honestly I’d go for the GH App approach as we can then write config files for you, and the perf issues would go away as we cache the main branch runs, and only run changed projects from the config file and GH event data for PRs.

Yeah, I think that would be best, so long as we get security on-board. I just tried running Infracost locally on the main branch, and it crashed my system. Needed to set max parallelism 🤦‍♂️

I’m confident we can pass security, we’ve done it many many times 🙂 We’re also SOC2 Type 2 certified, which is usually the first thing they look for

Can the GitHub App can read private modules in another GitHub org (belonging to the same GitHub Enterprise)? Or allowing us to use our own SSH key would do the same.

yep, you can enter your SSH or HTTPS credentials and it’ll use that to fetch the module depending on if it’s

git@github.com:my-org

or

<http://github.com/my-org|github.com/my-org>

Awesome! I'll speak with the security team tomorrow! My next question was for info about the SOC2 cert, but I see that link has information

yep, if you send an email to hello@infracost.io, my co-founder will respond, he’s on the chat here too (@early-queen-42970)

I notice it's very late for you, so I think that's all my questions for now. Thank you! You may receive an email from someone tomorrow asking about information on security

Happy to help - I know how frustrating slow CI/CD builds can be 😉

Hey Ali Sorry to bring up such an old thread, but we are now in the same place again where we are wanting to implement the GitHub Actions cache. I have found some old examples and docs in your repo, but is there anything that has changed that has stopped this from working before we spend too long looking at it? Or was it removed simply because the GitHub app tends to be more suitable for most users, but should still work?

Hey Robert, I think a few users got to success with GH Actions cache but the GH App was just much easier to setup so we removed the old cache example doc as it wasn’t being maintained anymore. This is the old doc - try it and it might work fine for your usecase.