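---
# Go Benchmark workflow.
#
# Runs the Go benchmark suite and the TestPerf assertions on pull requests,
# on pushes to main and on manual dispatch. Benchmark results are only
# persisted (gh-pages push + regression alert comments) for pushes to main.
name: Go Benchmark

on:
  pull_request:
  push:
    branches:
      - main
  workflow_dispatch:

# One active run per workflow/event/ref; a newer run supersedes an in-flight one.
concurrency:
  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
  cancel-in-progress: true

env:
  GO_VERSION: '1.26.0'
  GOTOOLCHAIN: auto

# Minimal permissions at workflow level; write permissions granted at job level for push only
permissions:
  contents: read

jobs:
  benchmark:
    name: Performance Regression Check
    runs-on: ubuntu-latest
    # This workflow has no `workflow_run` trigger, so `github.event.workflow_run.*`
    # is always empty here. Gating on it would silently skip the job on every
    # push to main (and with it, result storage); gate on the event names that fire.
    if: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request' || github.event_name == 'push' }}
    # Grant write permissions for storing benchmark results (only used on push via step condition)
    # Note: GitHub Actions doesn't support dynamic expressions in permissions block.
    # For pull_request events from forks the GITHUB_TOKEN is read-only regardless.
    permissions:
      contents: write
      deployments: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          ref: ${{ github.sha }}
          # Do not leave the (write-capable) token in .git/config for the
          # `go test` steps; the benchmark action pushes via its github-token input.
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: backend/go.sum

      - name: Run Benchmark
        working-directory: backend
        env:
          # Not populated for pull_request runs from forks (secrets are withheld).
          CHARON_ENCRYPTION_KEY: ${{ secrets.CHARON_ENCRYPTION_KEY_TEST }}
        # The default `run` shell is `bash -e` without pipefail, so `tee` would
        # mask a failing `go test`; propagate the go test status explicitly
        # (same pattern as the Perf Asserts step below).
        run: |
          go test -bench=. -benchmem -run='^$' ./... | tee output.txt
          exit "${PIPESTATUS[0]}"

      - name: Store Benchmark Result
        # Only store results on pushes to main - PRs just run benchmarks without storage
        # This avoids gh-pages branch errors and permission issues on fork PRs
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        # Security: Pinned to full SHA for supply chain security
        uses: benchmark-action/github-action-benchmark@4e0b38bc48375986542b13c0d8976b7b80c60c00 # v1
        with:
          name: Go Benchmark
          tool: 'go'
          output-file-path: backend/output.txt
          github-token: ${{ secrets.GITHUB_TOKEN }}
          auto-push: true
          # Show alert with commit comment on detection of performance regression
          # Threshold increased to 175% to account for CI variability
          alert-threshold: '175%'
          comment-on-alert: true
          fail-on-alert: false
          # Enable Job Summary
          summary-always: true

      - name: Run Perf Asserts
        working-directory: backend
        env:
          # p95 latency budgets read by the TestPerf tests (Go duration strings).
          PERF_MAX_MS_GETSTATUS_P95: 500ms
          PERF_MAX_MS_GETSTATUS_P95_PARALLEL: 1500ms
          PERF_MAX_MS_LISTDECISIONS_P95: 2000ms
          CHARON_ENCRYPTION_KEY: ${{ secrets.CHARON_ENCRYPTION_KEY_TEST }}
        # `exit "${PIPESTATUS[0]}"` makes the step fail on a failing `go test`
        # rather than on `tee`'s (always zero) status.
        run: |
          echo "## 🔍 Running performance assertions (TestPerf)" >> "$GITHUB_STEP_SUMMARY"
          go test -run TestPerf -v ./internal/api/handlers -count=1 | tee perf-output.txt
          exit "${PIPESTATUS[0]}"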