Super fast npm install on Github Actions

As always, performance tweaking takes experimentation— but we got your back. We did the hard work, and have the numbers to prove it. With our 4-step approach, you can reduce a 16-second task to take only 2 seconds. 2 seconds! If the installation kicked off when you started reading this sentence, it’s done right about… now. As a bonus, you’re doing the world a favour: that’s a 87.5% reduction of energy use. 🌳 ❤️

GitHub Actions make it easy to use external official actions like setup-node in a single line: - uses: actions/setup-node@v2. Followed by running npm install like the setup-node readme suggests, takes care of Node.js and installing all needed dependencies.

The biggest win in speed and efficiency is achieved by installing dependencies from the package lock file: package-lock.json. Npm generates this file by default, and by using the command npm ci, only the lock file is used during install. Since it contains a resolved dependency tree, npm can skip a whole lot of steps.

Secondly, caching dependencies saves download time otherwise needed for each package. All cached dependencies are fetched in one go from GitHub, using a cache action:

By using this cache npm copies dependencies from this cache instead of downloading them. If package-lock.json changes, the then outdated GitHub cache is still used as the base for a new GitHub cache, under a new key, because of the restore-keys option.

The final small win is ignoring installation scripts with the --ignore-scripts flag. This could break certain dependencies that use installation scripts.^[1] Instead of crossing fingers and giving it a try you can list native dependencies that might need these scripts with the native-modules CLI.

Putting these three together in an example workflow, gives:

Combining npm ci with caching of ~/.npm is recommended by GitHub and npm, however an interesting alternative is caching the node_modules directory. This is not suggested because it contains potential footguns:

First off, combining a node_modules directory with npm ci is slow since the latter will first remove node_modules before installing dependencies. Secondly, when running multiple Node.js versions in your CI and/or when changing the Node version that runs on your CI, old native modules might break.

So given that no installation scripts are used, you can completely skip the installation step! To prevent restoring node_modules when the cache changed, the cache action is given no restore-keys. In other words: the cache is only used if there is an exact key match:

Step by step measuring the installation time, including restoring the cache, on a project with a thousand (indirect) dependencies gives the following:

Changing the cache was done by modifying package-lock.json, using the alternative method with an exact key shows the same timing as expected with no cache.

The first approach shows a better approach for a variety of cases, a fit-all solution if you will. The alternative is definitely a lot faster if the workflow is often ran without package lock changes. Keep in mind that GitHub does remove caches that have not been accessed within the last week. So choose wisely, depending on the project, the stage of development and the regularity of workflow runs. Happy Github Actioning!

Update 2021-09-06: The setup-node action now includes caching which I personally do not like, it goes against doing one thing and doing it well, though one could argue it is hiding an implementation detail. This is not enabled by default so all of the above still works like described. If enabled it uses the caching action internally on ~/.npm/code.

[1] Installation scripts are only necessary for native packages that do not pre-bundle compiled code using the N-API. These scripts are often abused to log information about a package. It is also a convenient place to spread malware.