Skip to content

Performance tracking (comment) #1368

Performance tracking (comment)

Performance tracking (comment) #1368

# To workaroud https://github.com/actions/first-interaction/issues/10 in a secure way,
# we take the following steps to generate and comment a performance benchmark result:
# 1. first "performance tracking" workflow will generate the benchmark results in an unprivileged environment triggered on `pull_request` event
# 2. then this "performance tracking (comment)" workflow will show the result to us as a PR comment in a privileged environment
# Note that this workflow can only be modifed by getting checked-in to the default branch
# and thus is secure even though this workflow is granted with write permissions, etc.
# xref: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
name: Performance tracking (comment)
on:
workflow_run:
workflows:
- performance tracking
types:
- completed
jobs:
comment:
runs-on: ubuntu-latest
#runs-on: self-hosted
if: >
${{ github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success' }}
steps:
- uses: actions/checkout@v4
# restore records from the artifacts
- uses: dawidd6/action-download-artifact@v6
with:
workflow: benchmark.yml
name: performance-tracking
workflow_conclusion: success
- name: output benchmark result
id: output-result-markdown
run: |
echo ::set-output name=body::$(cat ./benchmark-result.artifact)
- name: output pull request number
id: output-pull-request-number
run: |
echo ::set-output name=body::$(cat ./pull-request-number.artifact)
# check if the previous comment exists
- name: find comment
uses: peter-evans/find-comment@v3
id: fc
with:
issue-number: ${{ steps.output-pull-request-number.outputs.body }}
comment-author: 'github-actions[bot]'
body-includes: Benchmark Result
# create/update comment
- name: create comment
if: ${{ steps.fc.outputs.comment-id == 0 }}
uses: peter-evans/create-or-update-comment@v4
with:
issue-number: ${{ steps.output-pull-request-number.outputs.body }}
body: ${{ steps.output-result-markdown.outputs.body }}
- name: update comment
if: ${{ steps.fc.outputs.comment-id != 0 }}
uses: peter-evans/create-or-update-comment@v4
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
body: ${{ steps.output-result-markdown.outputs.body }}