doc/ci/caching/_index.md
{{< details >}}
{{< /details >}}
A cache is one or more files a job downloads and saves. Subsequent jobs that use the same cache don't have to download the files again, so they execute more quickly.
To learn how to define the cache in your .gitlab-ci.yml file,
see the cache reference.
For advanced cache key strategies, you can use:
cache:key:files: Generate keys linked to the content of specific files.cache:key:files_commits: Generate keys linked to the latest commit of specific files.For more use cases and examples, see CI/CD caching examples.
Use cache for dependencies, like packages you download from the internet. Cache is stored where GitLab Runner is installed and uploaded to S3 if distributed cache is enabled.
Use artifacts to pass intermediate build results between stages. Artifacts are generated by a job, stored in GitLab, and can be downloaded.
Both artifacts and caches define their paths relative to the project directory, and can't link to files outside it.
cache keyword. Otherwise it is disabled.To ensure maximum availability of the cache, do one or more of the following:
key that fits your workflow. For example,
you can configure a different cache for each branch.For runners to work with caches efficiently, you must do one of the following:
You can have a maximum of four caches, per job:
test-job:
stage: build
cache:
- key:
files:
- Gemfile.lock
paths:
- vendor/ruby
- key:
files:
- yarn.lock
paths:
- .yarn-cache/
script:
- bundle config set --local path 'vendor/ruby'
- bundle install
- yarn install --cache-folder .yarn-cache
- echo Run tests...
If multiple caches are combined with a fallback cache key, the global fallback cache is fetched every time a cache is not found.
{{< history >}}
{{< /history >}}
Each cache entry supports up to five fallback keys with the fallback_keys keyword.
When a job does not find a cache key, the job attempts to retrieve a fallback cache instead.
Fallback keys are searched in order until a cache is found. If no cache is found,
the job runs without using a cache. For example:
test-job:
stage: build
cache:
- key: cache-$CI_COMMIT_REF_SLUG
fallback_keys:
- cache-$CI_DEFAULT_BRANCH
- cache-default
paths:
- vendor/ruby
script:
- bundle config set --local path 'vendor/ruby'
- bundle install
- echo Run tests...
In this example:
cache-$CI_COMMIT_REF_SLUG cache.cache-$CI_COMMIT_REF_SLUG is not found, the job looks for cache-$CI_DEFAULT_BRANCH
as a fallback option.cache-$CI_DEFAULT_BRANCH is also not found, the job looks for cache-default
as a second fallback option.cache-$CI_COMMIT_REF_SLUG when the job completes.Fallback keys follow the same processing logic as cache:key:
-protected or -non_protected.You can use the $CI_COMMIT_REF_SLUG predefined variable
to specify your cache:key. For example, if your
$CI_COMMIT_REF_SLUG is test, you can set a job to download cache that's tagged with test.
If a cache with this tag is not found, you can use CACHE_FALLBACK_KEY to
specify a cache to use when none exists.
In the following example, if the $CI_COMMIT_REF_SLUG is not found, the job uses the key defined
by the CACHE_FALLBACK_KEY variable:
variables:
CACHE_FALLBACK_KEY: fallback-key
job1:
script:
- echo
cache:
key: "$CI_COMMIT_REF_SLUG"
paths:
- binaries/
The order of caches extraction is:
cache:keyfallback_keysCACHE_FALLBACK_KEYThe cache extraction process stops after the first successful cache is retrieved.
If you define the cache globally, each job uses the same definition. You can override this behavior for each job.
To disable it completely for a job, use an empty list:
job:
cache: []
You can override cache settings without overwriting the global cache by using
anchors. For example, if you want to override the
policy for one job:
default:
cache: &global_cache
key: $CI_COMMIT_REF_SLUG
paths:
- node_modules/
- public/
- vendor/
policy: pull-push
job:
cache:
# inherit all global cache settings
<<: *global_cache
# override the policy
policy: pull
For more information, see cache: policy.
{{< history >}}
-protected suffix for Maintainer role and higher introduced in GitLab 18.4.5.{{< /history >}}
A suffix is added to the cache key, with the exception of the global fallback cache key.
Cache keys receive the -protected suffix if the pipeline:
Keys generated in other pipelines receive the non_protected suffix.
For example, if:
cache:key is set to $CI_COMMIT_REF_SLUG.main is a protected branch.feature is an unprotected branch.| Branch | Developer role cache key | Maintainer role cache key |
|---|---|---|
main | main-protected | main-protected |
feature | feature-non_protected | feature-protected |
Additionally, for pipelines for tags, the tag's protection status takes precedence for the suffix, not the branch where the pipeline executes. This behavior ensures consistent security boundaries, because the triggering reference determines cache access permissions.
For example, if:
cache:key is set to $CI_COMMIT_TAG.main is a protected branch.feature is an unprotected branch.1.0.0 is a protected tag.1.1.1-rc1 is an unprotected tag.| Tag | Branch | Developer role cache key | Maintainer role cache key |
|---|---|---|---|
1.0.0 | main | 1.0.0-protected | 1.0.0-protected |
1.0.0 | feature | 1.0.0-protected | 1.0.0-protected |
1.1.1-rc1 | main | 1.1.1-rc1-non_protected | 1.1.1-rc1-protected |
1.1.1-rc1 | feature | 1.1.1-rc1-non_protected | 1.1.1-rc1-protected |
{{< history >}}
{{< /history >}}
If you do not want to use cache key names, you can have all branches (protected and unprotected) use the same cache.
The cache separation with cache key names is a security feature and should only be disabled in an environment where all users with Developer role are highly trusted.
To use the same cache for all branches:
Caching is an optimization, but it isn't guaranteed to always work. You might need to regenerate cached files in each job that needs them.
After you define a cache in .gitlab-ci.yml,
the availability of the cache depends on:
All caches defined for a job are archived in a single cache.zip file.
The runner configuration defines where the file is stored. By default, the cache
is stored on the machine where GitLab Runner is installed. The location also depends on the type of executor.
| Runner executor | Default path of the cache |
|---|---|
| Shell | Locally, under the gitlab-runner user's home directory: /home/gitlab-runner/cache/<user>/<project>/<cache-key>/cache.zip. |
| Docker | Locally, under Docker volumes: /var/lib/docker/volumes/<volume-id>/_data/<user>/<project>/<cache-key>/cache.zip. |
| Docker Machine (autoscale runners) | The same as the Docker executor. |
If you use cache and artifacts to store the same path in your jobs, the cache might be overwritten because caches are restored before artifacts.
This example shows two jobs in two consecutive stages:
stages:
- build
- test
default:
cache:
key: build-cache
paths:
- vendor/
before_script:
- echo "Hello"
job A:
stage: build
script:
- mkdir vendor/
- echo "build" > vendor/hello.txt
after_script:
- echo "World"
job B:
stage: test
script:
- cat vendor/hello.txt
If one machine has one runner installed, then all jobs for your project run on the same host:
job A runs.before_script is executed.script is executed.after_script is executed.cache runs and the vendor/ directory is zipped into cache.zip.
This file is then saved in the directory based on the
runner's setting and the cache: key.job B runs.before_script is executed.script is executed.By using a single runner on a single machine, you don't have the issue where
job B might execute on a runner different from job A. This setup guarantees the
cache can be reused between stages. It only works if the execution goes from the build stage
to the test stage in the same runner/machine. Otherwise, the cache might not be available.
During the caching process, there's also a couple of things to consider:
cache.zip, everything in the zip file is
extracted in the job's working directory (usually the repository which is
pulled down), and the runner doesn't mind if the archive of job A overwrites
things in the archive of job B.It works this way because the cache created for one runner often isn't valid when used by a different one. A different runner may run on a different architecture (for example, when the cache includes binary files). Also, because the different steps might be executed by runners running on different machines, it is a safe default.
Runners use cache to speed up the execution of your jobs by reusing existing data. This can sometimes lead to inconsistent behavior.
There are two ways to start with a fresh copy of the cache.
cache:keyChange the value for cache: key in your .gitlab-ci.yml file.
The next time the pipeline runs, the cache is stored in a different location.
You can clear the cache in the GitLab UI:
On the next commit, your CI/CD jobs use a new cache.
[!note] Each time you clear the cache manually, the internal cache name is updated. The name uses the format
cache-<index>, and the index increments by one. The old cache is not deleted. You can manually delete these files from the runner storage.
If you have a cache mismatch, follow these steps to troubleshoot.
| Reason for a cache mismatch | How to fix it |
|---|---|
| You use multiple standalone runners (not in autoscale mode) attached to one project without a shared cache. | Use only one runner for your project or use multiple runners with distributed cache enabled. |
| You use runners in autoscale mode without a distributed cache enabled. | Configure the autoscale runner to use a distributed cache. |
| The machine the runner is installed on is low on disk space or, if you've set up distributed cache, the S3 bucket where the cache is stored doesn't have enough space. | Make sure you clear some space to allow new caches to be stored. There's no automatic way to do this. |
You use the same key for jobs where they cache different paths. | Use different cache keys so that the cache archive is stored to a different location and doesn't overwrite wrong caches. |
| You have not enabled the distributed runner caching on your runners. | Set Shared = false and re-provision your runners. |
If you have only one runner assigned to your project, the cache is stored on the runner's machine by default.
If two jobs have the same cache key but a different path, the caches can be overwritten. For example:
stages:
- build
- test
job A:
stage: build
script: make build
cache:
key: same-key
paths:
- public/
job B:
stage: test
script: make test
cache:
key: same-key
paths:
- vendor/
job A runs.public/ is cached as cache.zip.job B runs.vendor/ is cached as cache.zip and overwrites the previous one.job A runs it uses the cache of job B which is different
and thus isn't effective.To fix this issue, use different keys for each job.
In this example, you have more than one runner assigned to your project, and distributed cache is not enabled.
The second time the pipeline runs, you want job A and job B to re-use their cache (which in this case
is different):
stages:
- build
- test
job A:
stage: build
script: build
cache:
key: keyA
paths:
- vendor/
job B:
stage: test
script: test
cache:
key: keyB
paths:
- vendor/
Even if the key is different, the cached files might get "cleaned" before each
stage if the jobs run on different runners in subsequent pipelines.
If you have configured multiple concurrent runners with the Docker executor, locally cached files might not be present for concurrently-running jobs as you expect. The names of cache volumes are constructed uniquely for each runner instance, so files cached by one runner instance are not found in the cache by another runner instance.
To share the cache between concurrent runners, you can either:
[runners.docker] section of the runners' config.toml to configure a single mount point on the host that
is mapped to /cache in each container, such as volumes = ["/mnt/gitlab-runner/cache-for-all-concurrent-jobs:/cache"].
This approach prevents the runner from creating unique volume names for concurrent jobs.