5bbae48b6b
The Dockerfile already centralizes all version pins into top-level ARGs
(GO_VERSION, ALPINE_IMAGE, CROWDSEC_VERSION, EXPR_LANG_VERSION, XNET_VERSION).
This change closes the remaining gaps so those ARGs are the single source of
truth end-to-end:
- nightly-build.yml now resolves the Alpine image digest at build time and
passes ALPINE_IMAGE as a build-arg, matching the docker-build.yml pattern.
Previously, nightly images were built with the Dockerfile ARG default and
without a pinned digest, making runtime Alpine differ from docker-build.yml.
- six CI workflows (quality-checks, codecov-upload, benchmark, e2e-tests-split,
release-goreleaser, codeql) declared a GO_VERSION env var but their setup-go
steps ignored it and hardcoded the version string directly. They now reference
${{ env.GO_VERSION }}, so Renovate only needs to update one value per file
and the env var actually serves its purpose.
- codeql.yml had no GO_VERSION env var at all; one is now added alongside the
existing GOTOOLCHAIN: auto entry.
When Renovate bumps Go, it updates the env var at the top of each workflow and
the Dockerfile ARG — zero manual hunting required.
81 lines
3.0 KiB
YAML
81 lines
3.0 KiB
YAML
name: Go Benchmark
|
|
|
|
on:
|
|
pull_request:
|
|
push:
|
|
branches:
|
|
- main
|
|
workflow_dispatch:
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
env:
|
|
GO_VERSION: '1.26.1'
|
|
GOTOOLCHAIN: auto
|
|
|
|
# Minimal permissions at workflow level; write permissions granted at job level for push only
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
benchmark:
|
|
name: Performance Regression Check
|
|
runs-on: ubuntu-latest
|
|
if: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request' || github.event.workflow_run.conclusion == 'success' }}
|
|
# Grant write permissions for storing benchmark results (only used on push via step condition)
|
|
# Note: GitHub Actions doesn't support dynamic expressions in permissions block
|
|
permissions:
|
|
contents: write
|
|
deployments: write
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
|
with:
|
|
ref: ${{ github.event.workflow_run.head_sha || github.sha }}
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
|
|
with:
|
|
go-version: ${{ env.GO_VERSION }}
|
|
|
|
cache-dependency-path: backend/go.sum
|
|
|
|
- name: Run Benchmark
|
|
working-directory: backend
|
|
env:
|
|
CHARON_ENCRYPTION_KEY: ${{ secrets.CHARON_ENCRYPTION_KEY_TEST }}
|
|
run: go test -bench=. -benchmem -run='^$' ./... | tee output.txt
|
|
|
|
- name: Store Benchmark Result
|
|
# Only store results on pushes to main - PRs just run benchmarks without storage
|
|
# This avoids gh-pages branch errors and permission issues on fork PRs
|
|
if: github.event.workflow_run.event == 'push' && github.event.workflow_run.head_branch == 'main'
|
|
# Security: Pinned to full SHA for supply chain security
|
|
uses: benchmark-action/github-action-benchmark@4e0b38bc48375986542b13c0d8976b7b80c60c00 # v1
|
|
with:
|
|
name: Go Benchmark
|
|
tool: 'go'
|
|
output-file-path: backend/output.txt
|
|
github-token: ${{ secrets.GITHUB_TOKEN }}
|
|
auto-push: true
|
|
# Show alert with commit comment on detection of performance regression
|
|
# Threshold increased to 175% to account for CI variability
|
|
alert-threshold: '175%'
|
|
comment-on-alert: true
|
|
fail-on-alert: false
|
|
# Enable Job Summary
|
|
summary-always: true
|
|
|
|
- name: Run Perf Asserts
|
|
working-directory: backend
|
|
env:
|
|
PERF_MAX_MS_GETSTATUS_P95: 500ms
|
|
PERF_MAX_MS_GETSTATUS_P95_PARALLEL: 1500ms
|
|
PERF_MAX_MS_LISTDECISIONS_P95: 2000ms
|
|
CHARON_ENCRYPTION_KEY: ${{ secrets.CHARON_ENCRYPTION_KEY_TEST }}
|
|
run: |
|
|
echo "## 🔍 Running performance assertions (TestPerf)" >> "$GITHUB_STEP_SUMMARY"
|
|
go test -run TestPerf -v ./internal/api/handlers -count=1 | tee perf-output.txt
|
|
exit "${PIPESTATUS[0]}"
|