Skip to content

Benchmark upload

Benchmark upload #506

name: Benchmark upload
#
# This workflow runs after every benchmark, to upload the report to S3.
#
# It is its own workflow and starts with a safety check, because PRs can contain malicious code and run in a context with secrets..
#
# See also https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
#
on:
workflow_run:
workflows: ["Benchmarks"]
types:
- completed
permissions:
actions: read
contents: read
issues: write
pull-requests: write
jobs:
upload:
name: Upload benchmark report
runs-on: warp-ubuntu-latest-x64-16x
if: github.event.workflow_run.conclusion == 'success'
steps:
- name: Safety check
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}
SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
run: |
# Was triggering workflow triggered by a PR?
PR_NUMBER=$(gh api /repos/${{ github.repository }}/actions/runs/${{ github.event.workflow_run.id }} \
--jq '.pull_requests[0].number')
if [ -z "$PR_NUMBER" ] || [ "$PR_NUMBER" = "null" ]; then
echo "No PR associated with this the triggering workflow run: ${{ github.event.workflow_run.id }}."
exit 0
fi
# Were workflow files changed in the PR?
CHANGED_FILES=$(gh api /repos/${{ github.repository }}/pulls/$PR_NUMBER/files --jq '.[].filename')
echo -e "These files were modified in PR #$PR_NUMBER which triggered workflow run ${{ github.event.workflow_run.id }}:\n$CHANGED_FILES"
if echo "$CHANGED_FILES" | grep -q "^\.github/workflows/"; then
echo -e "\n## :x: Error\nWorkflow file change detected. Failing the workflow for security reasons." >> $GITHUB_STEP_SUMMARY
curl --silent --data '{"text":"A workflow file change was included in <https://github.com/flashbots/rbuilder/pull/'"$PR_NUMBER"'|PR '"$PR_NUMBER"'>."}' \
-H "Content-type: application/json" -X POST $SLACK_WEBHOOK > /dev/null 2>&1
exit 1
else
echo "No workflow file changes detected."
fi
# https://github.com/actions/download-artifact
- uses: actions/download-artifact@v4
with:
name: benchmark-report.zip
run-id: ${{ github.event.workflow_run.id }}
github-token: ${{ github.token }}
- name: Extract report
run: |
unzip benchmark-report.zip
ls -alh benchmark-report/
- name: Prepare variables
id: prepare
run: |
while IFS='=' read -r key value; do
if [[ $key && $value ]]; then
export "$key=$value"
fi
done < benchmark-report/vars.txt
S3_UPLOAD_DIR="benchmark/${HEAD_SHA_SHORT}-${BASE_SHA_SHORT}"
echo "S3_UPLOAD_DIR=${S3_UPLOAD_DIR}" >> "$GITHUB_OUTPUT"
echo "PR_NUMBER=${PR_NUMBER}" >> "$GITHUB_OUTPUT"
# Upload S3 (using https://github.com/shallwefootball/upload-s3-action)
- name: Upload to S3
uses: shallwefootball/s3-upload-action@master
id: S3
with:
aws_key_id: ${{secrets.AWS_KEY_ID}}
aws_secret_access_key: ${{secrets.AWS_SECRET_ACCESS_KEY}}
aws_bucket: flashbots-rbuilder-ci-stats
source_dir: benchmark-report
destination_dir: ${{ steps.prepare.outputs.S3_UPLOAD_DIR }}
#
# POST SUMMARY (to PR comment and CI job summary)
#
- name: Add summary to CI job summary
run: |
BENCH_URL="https://flashbots-rbuilder-ci-stats.s3.us-east-2.amazonaws.com/${{steps.S3.outputs.object_key}}/report/index.html"
sed -i "s|__BENCH_URL__|${BENCH_URL}|" benchmark-report/benchmark-pr-comment.md
cat benchmark-report/benchmark-pr-comment.md
cat benchmark-report/benchmark-pr-comment.md >> $GITHUB_STEP_SUMMARY
cat benchmark-report/benchmark-summary.md >> $GITHUB_STEP_SUMMARY
# https://github.com/peter-evans/find-comment
- name: Find previous PR comment
if: steps.prepare.outputs.PR_NUMBER != ''
uses: peter-evans/find-comment@v3
id: fc
with:
issue-number: ${{ steps.prepare.outputs.PR_NUMBER }}
comment-author: 'github-actions[bot]'
body-includes: Benchmark results
# https://github.com/peter-evans/create-or-update-comment
- name: Create or update PR comment
if: steps.prepare.outputs.PR_NUMBER != ''
uses: peter-evans/create-or-update-comment@v4
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ steps.prepare.outputs.PR_NUMBER }}
edit-mode: replace
body-path: benchmark-report/benchmark-pr-comment.md