# Benchmarks workflow: runs on every push to main and on manual dispatch.
name: Benchmarks

on:
  workflow_dispatch: {}
  push:
    branches:
      - main

# Workflow-wide default for the job token is read-only. Jobs that need more
# (pushing to the `benchmarks` branch, commenting on a PR) declare their own
# `permissions:` block.
permissions:
  contents: read

jobs:
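# Decide which downstream jobs run, based on the files changed by this push.
  check-changes:
    name: Check what files changed
    runs-on: ubuntu-24.04
    outputs:
      go: ${{ steps.changes.outputs.go }}
      bench: ${{ steps.changes.outputs.bench }}
    steps:
      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history, so `git diff` below has commits to compare.
          fetch-depth: 0
          # Nothing in this job pushes; keep the token out of .git/config.
          persist-credentials: false
      - name: Download OPA
        uses: open-policy-agent/setup-opa@b2b258e089860efaadaaf71bf6e3aecb4a3eeff1 # v2.4.0
        with:
          # NOTE(review): the action is pinned by commit SHA, but `edge` is a
          # moving target, so the OPA binary that evaluates the policy is
          # not pinned. This job holds only a read-scoped token and does not
          # persist credentials, which limits what that binary can reach.
          version: edge
      - name: Check for file changes
        id: changes
        # Event fields are passed through the environment rather than
        # interpolated into the script text, so the shell only ever sees
        # them as quoted variable expansions.
        env:
          BEFORE_SHA: ${{ github.event.before }}
          CURRENT_SHA: ${{ github.event.after }}
        run: |
          set -e
          # Default to running all checks
          echo "go=true" >> "$GITHUB_OUTPUT"
          echo "Comparing $BEFORE_SHA with $CURRENT_SHA"
          # NOTE(review): only `set -e` is enabled here. Assuming the default
          # shell does not turn on pipefail, a failing `git diff` (for example
          # when the SHAs are empty on a manual dispatch; confirm) still
          # yields "[]" and takes the early exit below with go=true.
          git diff --name-only "$BEFORE_SHA" "$CURRENT_SHA" \
            | jq -R '{filename: .}' | jq -s '.' > changed_files.json
          if [ ! -s changed_files.json ] || [ "$(cat changed_files.json)" = "[]" ]; then
            echo "Warning: No changed files found"
            exit 0
          fi
          echo "Changed files:"
          jq -r '.[].filename' changed_files.json
          # The policy comes from the checked-out tree; its result is parsed
          # as JSON by the jq calls that follow.
          opa eval \
            --data build/policy/pr-check/pr_check.rego \
            --input changed_files.json \
            --format pretty \
            'data.policy["pr-check"]' > opa_result.json
          go_result=$(jq -r '.changes.go // false' opa_result.json)
          # `jq -c` keeps the package list on a single line, which the
          # key=value format of the output file requires.
          bench_result=$(jq -c '.changes.bench // []' opa_result.json)
          # The go default written above is intended to be superseded here.
          echo "go=${go_result}" >> "$GITHUB_OUTPUT"
          echo "bench=${bench_result}" >> "$GITHUB_OUTPUT"
          echo "Final outputs:"
          echo " go=${go_result}"
          echo " bench=${bench_result}"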
# Run the benchmark suite through the reusable workflow and publish results.
  benchmarks:
    name: Benchmarks
    needs: [check-changes]
    if: ${{ needs.check-changes.outputs.go == 'true' }}
    # A called workflow cannot receive more token permissions than the calling
    # job grants, so the write access is declared here.
    # NOTE(review): what run-benchmarks.yaml does with it is not visible in
    # this file; review that workflow together with this grant.
    permissions:
      contents: write # we'll push to the `benchmarks` branch
    uses: ./.github/workflows/run-benchmarks.yaml
    with:
      publish: true
      publish_branch: benchmarks
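# Benchmark the packages flagged by check-changes at both ends of the push
# and post the comparison on the pull request that produced the commit.
  regression-check:
    permissions:
      contents: read
      pull-requests: write
    name: Check for regressions
    runs-on: ubuntu-24.04
    needs: [check-changes]
    if: ${{ needs.check-changes.outputs.bench != '' && needs.check-changes.outputs.bench != '[]' }}
    steps:
      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 1
          # The token is handed only to the commenting step at the end; it is
          # not stored in .git/config while repository code is benchmarked.
          persist-credentials: false
      - name: Fetch base commit
        env:
          BEFORE_SHA: ${{ github.event.before }}
        # The checkout is shallow, so the pre-push commit is fetched on its own.
        run: git fetch --depth=1 origin "$BEFORE_SHA"
      - id: go_version
        name: Read go version
        run: echo "go_version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ steps.go_version.outputs.go_version }}
      - name: Install tools
        # Presumably installs benchlab, which the next step calls; confirm
        # against build/tools.
        run: cd build/tools && go install tool
      - name: Run benchmarks
        # This step executes repository code and is given no token.
        env:
          BEFORE_SHA: ${{ github.event.before }}
          AFTER_SHA: ${{ github.event.after }}
          BENCH_PKGS: ${{ needs.check-changes.outputs.bench }}
        run: |
          # The unquoted $(...) relies on word splitting: one iteration per
          # whitespace-separated package path from the JSON array.
          for pkg in $(echo "$BENCH_PKGS" | jq -r '.[]'); do
            benchlab \
              -commit "$BEFORE_SHA","$AFTER_SHA" \
              -pkg "$pkg" \
              -host local:tags=opa_wasm \
              -reps 3 \
              -benchtime 300ms \
              -run '^$'
          done
      - name: Comment on PR with benchmark results
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COMMIT_SHA: ${{ github.sha }}
          # Step-level env does not carry over from the benchmark step. The
          # heading below prints both SHAs, so they are defined here as well;
          # without them the heading rendered with two empty values.
          BEFORE_SHA: ${{ github.event.before }}
          AFTER_SHA: ${{ github.event.after }}
        run: |
          PR_NUMBER=$(gh pr list --search "${COMMIT_SHA}" --state merged --json number --jq '.[0].number')
          if [ -z "$PR_NUMBER" ] || [ "$PR_NUMBER" = "null" ]; then
            echo "Could not find originating PR for commit ${COMMIT_SHA}"
            exit 0
          fi
          # The body is written to a file and passed with --body-file, so the
          # benchmark output is never expanded on a command line.
          {
            echo "## Benchmark Comparison (${BEFORE_SHA} vs ${AFTER_SHA})"
            echo ""
            echo '```'
            # Each benchstat file ends with a compact benchmark × host delta table;
            # extract from that header line onward so the comment stays readable.
            for f in .benchlab/benchstat.*.txt; do
              awk '/^benchmark \\ host/{found=1} found{print}' "$f"
              echo ""
            done
            echo '```'
            echo ""
            echo "_This comment was automatically generated by the benchmarks workflow._"
          } > body.md
          gh pr comment "${PR_NUMBER}" --body-file body.md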
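# Regenerate the benchmark notebook and commit it to the `benchmarks` branch.
  notebook:
    permissions:
      contents: write # we'll push to the `benchmarks` branch
    name: update notebook
    runs-on: ubuntu-24.04
    needs: [check-changes, benchmarks] # force sequential commits for notebook and benchmark results
    if: ${{ needs.check-changes.outputs.go == 'true' }}
    steps:
      # No `version` input is given, so the action's default release is used.
      - uses: open-policy-agent/setup-opa@b2b258e089860efaadaaf71bf6e3aecb4a3eeff1 # v2.4.0
      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: benchmarks
          # NOTE(review): needed for the `git push` in the last step, but it
          # leaves the write-scoped token in .git/config for every step in
          # between, including the third-party setup actions and the Clojure
          # run that resolves dependencies. Persisting the token only around
          # the push would narrow that window.
          persist-credentials: true
      - name: Setup Java
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Setup Clojure
        uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
        with:
          install: true
          cache: true
          # The tool version is pinned inline instead of read from the branch.
          mise_toml: |
            [tools]
            clojure = "1.12.5.1638"
      - name: Cache Clojure dependencies
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/.m2/repository
            ~/.gitlibs
          key: clj-${{ hashFiles('clay/deps.edn') }}
          # NOTE(review): the bare `clj-` prefix lets a cache built for a
          # different deps.edn be restored; those artifacts are then loaded
          # by a job that holds a write token.
          restore-keys: clj-
      - name: Clean previous output
        run: rm -rf docs/*.html
      - name: update notebook
        run: |
          clojure -J-Xss32m -M -m opa-bench.generate
        working-directory: clay/
        env:
          # This is the job token, i.e. it carries contents: write here.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: commit if changed
        working-directory: docs/
        run: |
          # Stage first, then compare the index with HEAD. The earlier
          # `git diff-index --quiet HEAD` ran before staging: it does not see
          # untracked files, and it can report rewritten-but-identical files
          # as changed, after which `git commit` fails with nothing to commit.
          git add -f .
          if ! git diff --cached --quiet -- .; then
            git config --local user.email "${GITHUB_ACTOR}@users.noreply.github.com"
            git config --local user.name "${GITHUB_ACTOR}"
            git diff --staged --name-only
            git commit -m "benchmarks: update notebook for ${GITHUB_SHA}"
            git push origin benchmarks
          else
            echo "no changes, no commit"
          fi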