Be wary of rate limits

[orta]

withspectrum/spectrum#2632

Looks like when a PR gets big enough, danger and peril can hit the rate limits. Will need to slow down diff/comment pagination probably

[mxstbr]

I think another improvement would be the GitHub utils caching results from the API. We run the no-console and flow plugins, and both of them use github.utils.fileContents method to get the contents of all modified and created files—which duplicates the work at the moment.

[mxstbr]

I guess maybe we're already hitting the rate limits on that PR by even fetching them once?

[orta]

Hrm, yeah, good point, I didn't consider that it might be coming from your plugins

[orta]

Yeah, it's triggering ~100 x 2 simultaneous API requests to GH for file contents, so I'm not too surprised that it's hitting the rate limits

[orta]

Maybe I should provide a rate limited fileContents API for that sort of thing in the DSL

[mxstbr]

It'd be neat if fileContents just did that out of the box?

[mxstbr]

We might be able to just wrap it in p-limit with a limit at something like 25 so it's not doing 200 calls at the same time. I'm not sure how GitHub rate limits work, but that might be a quick fix and we can always turn the knob further down to 10 or even only 1 at a time. (although that'd be much slower 😅)

[orta]

As it return a promise, so that can be whatever under the hood, so having that be a queued makes sense.

[orta]

Yeah, agreed, I'd recommend doing that on your plugins right now, and I'll integrate it into danger properly

[mxstbr]

I think it's probably actually easier to just do it in Danger, it should just be a matter of wrapping the fetch call in this.api in GitHubAPI.ts with limit(() => fetch()), right?

[mxstbr]

👉 #582

[orta]

This is still happening on really big PRs with the flow plugin, IMO, the github.utils needs a function specifically for handling a very large amount of file reads and running code against them

[iclanzan]

The reason it is still happening is because concurrency is not the issue, but the number of requests in a time interval. We should be reading the x-ratelimit-remaining header from the Github responses to decide how many requests it is safe to make and x-ratelimit-reset to figure out how long we need to wait until we can make the next request after the limit has been hit.

Here are the Github docs on rate limiting: https://developer.github.com/v3/#rate-limiting

[paulmelnikow]

The problem here is not the regular rate limits but GitHub’s abuse rate limits. Apart from the GitHub search API, the interval for x-ratelimit-reset is once per hour, and it certainly won’t make sense to wait that long in the space of a PR. The abuse limits don’t provide headers, so probably it is a matter of turning down the concurrency further.

Honestly I’d suggest a concurrency limit of 1. That makes it more likely to work reliably, especially given the possibility of concurrent PRs. Or make it env configurable so developers can tune it themselves.

[fentas]

We had to remove danger from our pipeline because used like 1000 requests per run (we have very big pr's right now).
Our limit of 10k request was used up within 5 - 10 minutes. Also had couple of abuse messages in the past.

[gpressutto5]

Danger makes at least 12 requests to GitHub API by default. This action is running an empty dangerfile: https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true

Action output (Check the entries prefixed by "Sending:")

Run DEBUG="*GitHub*" yarn danger ci
[6](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:6)
yarn run v1.22.18
[7](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:7)
$ /home/runner/work/danger-api-limit-example/danger-api-limit-example/node_modules/.bin/danger ci
[8](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:8)
2022-04-1[9](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:9)T02:40:30.020Z danger:GitHub::Checks Not using the checks API for GitHub
9
2022-04-19T02:40:30.021Z danger:GitHubAPI Sending:  https://api.github.com/repos/gpressutto5/danger-api-limit-example/pulls/1 {
[10](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:10)
  'Content-Type': 'application/json',
[11](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:11)
  Accept: 'application/vnd.github.v3.diff',
[12](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:12)
  Authorization: 'token ***'
[13](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:13)
}
[14](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:14)
2022-04-19T02:40:30.285Z danger:GitHubAPI getPullRequestCommits:: Sending pull request commit request for first page
[15](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:15)
2022-04-19T02:40:30.285Z danger:GitHubAPI getPullRequestCommits:: Request url generated "repos/gpressutto5/danger-api-limit-example/pulls/1/commits"
[16](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:16)
2022-04-19T02:40:30.286Z danger:GitHubAPI Sending:  https://api.github.com/repos/gpressutto5/danger-api-limit-example/pulls/1/commits {
[17](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:17)
  'Content-Type': 'application/json',
[18](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:18)
  Authorization: 'token ***'
[19](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:19)
}
[20](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:20)
2022-04-19T02:40:30.512Z danger:GitHubAPI getNextPageFromLinkHeader:: Given response does not contain link header for pagination
[21](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:21)
2022-04-19T02:40:30.513Z danger:GitHubAPI Sending:  https://api.github.com/repos/gpressutto5/danger-api-limit-example/pulls/1 {
[22](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:22)
  'Content-Type': 'application/json',
[23](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:23)
  Authorization: 'token ***'
[24](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:24)
}
[25](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:25)
2022-04-19T02:40:30.809Z danger:GitHubAPI Sending:  https://api.github.com/repos/gpressutto5/danger-api-limit-example/issues/1 {
[26](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:26)
  'Content-Type': 'application/json',
[27](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:27)
  Authorization: 'token ***'
[28](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:28)
}
[29](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:29)
2022-04-19T02:40:31.028Z danger:GitHubAPI getPullRequestCommits:: Sending pull request commit request for first page
[30](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:30)
2022-04-19T02:40:[31](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:31).029Z danger:GitHubAPI getPullRequestCommits:: Request url generated "repos/gpressutto5/danger-api-limit-example/pulls/1/commits"
31
2022-04-19T02:40:31.029Z danger:GitHubAPI Sending:  https://api.github.com/repos/gpressutto5/danger-api-limit-example/pulls/1/commits {
[32](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:32)
  'Content-Type': 'application/json',
[33](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:33)
  Authorization: 'token ***'
[34](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:34)
}
[35](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:35)
2022-04-19T02:40:31.234Z danger:GitHubAPI getNextPageFromLinkHeader:: Given response does not contain link header for pagination
[36](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:36)
2022-04-19T02:40:31.235Z danger:GitHubAPI Sending:  https://api.github.com/repos/gpressutto5/danger-api-limit-example/pulls/1/reviews {
[37](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:37)
  'Content-Type': 'application/json',
[38](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:38)
  Accept: 'application/vnd.github.v3+json',
[39](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:39)
  Authorization: 'token ***'
[40](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:40)
}
[41](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:41)
2022-04-19T02:40:31.458Z danger:GitHubAPI Sending:  https://api.github.com/repos/gpressutto5/danger-api-limit-example/pulls/1/requested_reviewers {
[42](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:42)
  'Content-Type': 'application/json',
[43](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:43)
  Accept: 'application/vnd.github.v3+json',
[44](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:44)
  Authorization: 'token ***'
[45](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:45)
}
[46](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:46)
2022-04-19T02:40:31.854Z danger:GitHub::Checks Not using the checks API for GitHub
[47](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:47)

[48](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:48)
2022-04-19T02:40:31.864Z danger:GitHubGit Got no GH API, had to make it
[49](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:49)

[50](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:50)
2022-04-19T02:40:31.864Z danger:GitHubGit Setting up git DSL with:  {
[51](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:51)
  repo: 'gpressutto5/danger-api-limit-example',
[52](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:52)
  baseSHA: 'c64630e4bb76608d4dad9cfe2fd8a18918c84f61',
[53](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:53)
  headSHA: 'bc53aacbc683284e0db0c4c8be57bfcb79b83b2c',
[54](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:54)
  getFileContents: [Function (anonymous)],
[55](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:55)
  getFullDiff: [Function (anonymous)]
[56](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:56)
}
[57](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:57)

[58](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:58)

[59](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:59)
2022-04-19T02:40:32.863Z danger:GitHubGit Got no GH API, had to make it
[60](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:60)
2022-04-19T02:40:32.863Z danger:GitHubGit Setting up git DSL with:  {
[61](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:61)
  repo: 'gpressutto5/danger-api-limit-example',
[62](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:62)
  baseSHA: 'c64[63](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:63)0e4bb76608d4dad9cfe2fd8a18918c84f61',
63
  headSHA: 'bc53aacbc683284e0db0c4c8be57bfcb79b83b2c',
[64](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:64)
  getFileContents: [Function (anonymous)],
[65](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:65)
  getFullDiff: [Function (anonymous)]
[66](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:66)
}
[67](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:67)
Found no issues or messages from Danger. Removing any existing messages on GitHub.
[68](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:68)
2022-04-19T02:40:32.865Z danger:GitHubAPI Sending:  https://api.github.com/user {
[69](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:69)
  'Content-Type': 'application/json',
[70](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:70)
  Authorization: 'token ***'
[71](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:71)
}
[72](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:72)
Request failed [403]: https://api.github.com/user
[73](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:73)
Response: {
[74](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:74)
  "message": "Resource not accessible by integration",
[75](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:75)
  "documentation_url": "https://docs.github.com/rest/reference/users#get-the-authenticated-user"
[76](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:76)
}
[77](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:77)
2022-04-19T02:40:33.042Z danger:GitHubAPI getPullRequestCommits:: Sending pull request commit request for first page
[78](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:78)
2022-04-19T02:40:33.042Z danger:GitHubAPI getPullRequestCommits:: Request url generated "repos/gpressutto5/danger-api-limit-example/issues/1/comments"
[79](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:79)
2022-04-19T02:40:33.042Z danger:GitHubAPI Sending:  https://api.github.com/repos/gpressutto5/danger-api-limit-example/issues/1/comments {
[80](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:80)
  'Content-Type': 'application/json',
[81](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:81)
  Authorization: 'token ***'
[82](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:82)
}
[83](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:83)
2022-04-19T02:40:33.231Z danger:GitHubAPI getNextPageFromLinkHeader:: Given response does not contain link header for pagination
[84](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:84)
2022-04-19T02:40:33.231Z danger:GitHubAPI User ID: 41898282
[85](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:85)
2022-04-19T02:40:33.231Z danger:GitHubAPI Looking at 0 comments for DangerID: danger-id-Danger;
[86](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:86)
2022-04-19T02:40:33.232Z danger:GitHubAPI Sending:  https://api.github.com/user {
[87](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:87)
  'Content-Type': 'application/json',
[88](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:88)
  Authorization: 'token ***'
[89](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:89)
}
[90](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:90)
Request failed [403]: https://api.github.com/user
[91](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:91)
Response: {
[92](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:92)
  "message": "Resource not accessible by integration",
[93](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:93)
  "documentation_url": "https://docs.github.com/rest/reference/users#get-the-authenticated-user"
[94](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:94)
}
[95](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:95)
2022-04-19T02:40:33.567Z danger:GitHubAPI getPullRequestCommits:: Sending pull request commit request for first page
[96](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:96)
2022-04-19T02:40:33.568Z danger:GitHubAPI getPullRequestCommits:: Request url generated "repos/gpressutto5/danger-api-limit-example/pulls/1/comments"
[97](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:97)
2022-04-19T02:40:33.568Z danger:GitHubAPI Sending:  https://api.github.com/repos/gpressutto5/danger-api-limit-example/pulls/1/comments {
[98](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:98)
  'Content-Type': 'application/json',
[99](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:99)
  Authorization: 'token ***'
[100](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:100)
}
[101](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:101)
2022-04-19T02:40:33.759Z danger:GitHubAPI getNextPageFromLinkHeader:: Given response does not contain link header for pagination
[102](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:102)
2022-04-19T02:40:33.760Z danger:GitHubAPI Sending:  https://api.github.com/repos/gpressutto5/danger-api-limit-example/statuses/bc53aacbc683284e0db0c4c8be57bfcb79b83b2c {
[103](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:103)
  'Content-Type': 'application/json',
[104](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:104)
  Authorization: 'token ***'
[105](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:105)
}
[106](https://github.com/gpressutto5/danger-api-limit-example/runs/6071421115?check_suite_focus=true#step:5:106)
Done in 4.46s.

And, as we know:

When using GITHUB_TOKEN, the rate limit is 1,000 requests per hour per repository.

It is a problem on big monorepo projects because we usually have other steps using the same token, and 1,000 requests are too few when you have to use 12 just to get unused data from the API. Can we lazy load this info so it only makes the request if we need them?

[fbartho]

@gpressutto5 it’s clear that there are a few duplicate requests notably /pulls/1 /user so we could probably save about 5 api calls. Maybe those could be cached. Interested contributors might be able to do that.

Alternatively it’s possible we could rewrite things to use GraphQL and fold a bunch of requests into a single network request, but that feels like it could be a big change due to error handling.

[sanex3339]

We have the same problem with monorepo.
We need to validate commit messages + PR title.
I checked, dangerjs performs 12 requests in total. For example /reviews and /requested_reviewers requests. But we don't need such requests in case when we only want to check PR title + commit messages. Is it possible to completely avoid these requests?

[orta]

We grab enough info from github/bitbucket/gitlab/etc to make a full DSL which you can use synchronously in dangerfiles. I think it's still the right route to go - if you'd like to take a look at reducing the amount of requests mentioned above, give it a shot but I don't think we'd accept dangerfile breaking changes for this 👍🏻

[sanex3339]

@orta i understand. Right now seems #991 is the best way to solve this problem. Am i right?

[orta]

Perhaps if you're doing a lot of manual file reads in your Dangerfile it could be, that's what the OP was doing

[sanex3339]

Our dangerfile.js is very simple

const { schedule } = require('danger')

const { conventionalCommits } = require('./commits')
const { conventionalPRTitle } = require('./pr-title')

schedule(conventionalCommits)
schedule(conventionalPRTitle)

And each of these files just uses danger.github.pr.title and danger.git.commits to pass values to third-party validation packages. If validation failed, we use fail() method from dangerjs