
feat: add pip cache #589

Open
wants to merge 1 commit into base: staging

Conversation

gabrielpiassetta
Contributor

@gabrielpiassetta gabrielpiassetta commented Jul 28, 2023

Add pip cache to Setup python step

@jenstroeger jenstroeger changed the base branch from main to staging August 7, 2023 08:39
@jenstroeger
Owner

Just to be sure: as per the docs, the

cache: 'pip'

seems to cache pip’s internal cache between workflows (and therefore between workflow VMs) of the same run — but that’s not stated explicitly. Is that correct?

Furthermore, note that SLSA Build Level 3 requires that we

prevent runs from influencing one another, even within the same project.

The term “run” isn’t clearly defined, but we need to keep in mind that while the public PyPI artifactory is trusted, caches in between are not because modifications/tampering is invisible to us (see also cache poisoning). (And that includes an AWS Artifactory or the like!)

Also, looking at the runtimes of the Check change set workflow I get values (random sampling) ranging from 3m 55s, 4m 25s to 5m 31s, 6m 17s and up to 7m 7s, 8m 8s — with this change clocking in at 7m 45s:

Screenshot 2023-09-02 at 17 24 41

So, do we have a measurable impact resulting from this?
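The tampering concern raised above is exactly what hash-pinned requirements address: if every distribution is pinned by its sha256 digest, a swapped file in any intermediate cache or proxy fails verification instead of being installed silently, which is what pip's own `--require-hashes` mode does for every file it installs. The checker below is an added example written for this discussion; it is not code from this pull request or from the project's workflows. The package name, artifact bytes and requirements text are constructed for the example, and the hash-pin parsing is a deliberately narrow subset of pip's requirements syntax (exact `name==version` pins only).

```python
"""Added example, not code from this pull request or the project's workflows:
verify fetched distributions against hash-pinned requirements (pip's
`--hash=sha256:...` syntax) so that a poisoned cache becomes visible.
All names, artifact bytes and requirement lines below are constructed."""
import hashlib
import re
from typing import Dict, List

# pip's hash pin syntax, as consumed by `pip install --require-hashes`.
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")
# Only exact `name==version` pins are accepted; anything looser cannot be verified.
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==\S+")


def normalize(name: str) -> str:
    """PEP 503 style normalization so 'Example_Pkg' and 'example-pkg' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(requirements_text: str) -> Dict[str, List[str]]:
    """Return {normalized name: [acceptable sha256 hex digests]}.

    A requirement may list several hashes (one per wheel/sdist file); any one
    matching is sufficient. Unpinned lines raise, mirroring pip's refusal to
    proceed in --require-hashes mode.
    """
    pins: Dict[str, List[str]] = {}
    # Join backslash continuation lines into one logical line.
    logical = requirements_text.replace("\\\n", " ")
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        hashes = [h.lower() for h in _HASH_RE.findall(line)]
        if not hashes:
            raise ValueError(f"{m.group(1)} is not hash-pinned")
        pins[normalize(m.group(1))] = hashes
    return pins


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name: str, data: bytes, pins: Dict[str, List[str]]) -> bool:
    """True only if the bytes match one of the pinned digests for `name`."""
    return sha256_hex(data) in pins.get(normalize(name), [])


def check_cache(cache: Dict[str, bytes], pins: Dict[str, List[str]]) -> Dict[str, bool]:
    """Verify every cached artifact; a single False should fail the build."""
    return {name: verify_artifact(name, data, pins) for name, data in cache.items()}


# --- constructed sample data (not real packages) ---------------------------
GOOD_WHEEL = b"PK\x03\x04 constructed wheel bytes for example_pkg 1.0.0"
TAMPERED_WHEEL = GOOD_WHEEL + b"; injected payload"

# The requirements text is derived from the known-good bytes, the way
# `pip hash` or a hash-generating lock tool would have recorded them.
REQUIREMENTS = (
    "# constructed requirements.txt\n"
    f"example_pkg==1.0.0 \\\n    --hash=sha256:{sha256_hex(GOOD_WHEEL)}\n"
)
PINS = parse_pins(REQUIREMENTS)


def demo() -> Dict[str, bool]:
    """Simulate an honest cache and one where the wheel was swapped."""
    honest = check_cache({"example-pkg": GOOD_WHEEL}, PINS)
    poisoned = check_cache({"example-pkg": TAMPERED_WHEEL}, PINS)
    return {"honest": all(honest.values()), "poisoned": all(poisoned.values())}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that trust is anchored in the digests committed to the repository, not in where the bytes were fetched from, so whether `cache: 'pip'` is enabled or not changes only the speed of the fetch and never what gets installed.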

@jenstroeger
Owner

@behnazh what do you think of this comment: pre-commit/pre-commit#2847 (comment)

@behnazh
Collaborator

behnazh commented Oct 1, 2023

> @behnazh what do you think of this comment: pre-commit/pre-commit#2847 (comment)

This solution seems to have similar issues for build isolation. We have designed the _build.yaml reusable workflow in a way to be fully isolated, e.g., by limiting the inputs to the workflow and not using any third-party GitHub Actions (except for the trusted Actions from GitHub itself). Enabling caching breaks the isolation security property.


3 participants