ci: run pre-publish benchmark gate on every PR

[carlos-alm]

Summary

• Ports the pre-publish-benchmark job from publish.yml into ci.yml so the regression gate runs on every PR instead of only at release time.
• Reuses the existing native-host-build artifact (linux-x64), runs in parallel with the rest of CI, and is wired into ci-pipeline needs so a regression fails the PR.
• Preserves CODEGRAPH_FAST_SKIP_DIAG=1 and the verbose vitest reporters so when something regresses, the logs already pinpoint the cause without re-running locally.

Why

Until now, the regression gate only ran inside publish.yml's pre-publish path (stable releases / workflow_dispatch). Regressions could land on main and were only caught at the next release. The recent diagnostics work (#1067, #1066 follow-ups) makes the gate's logs genuinely useful — moving it onto every PR puts that signal in front of the change that introduced the regression, while it's still cheap to fix.

How it differs from publish.yml's gate

• Version label: --version dev instead of a semver. update-benchmark-report.ts treats dev as a rolling entry (replaces previous dev); the regression-guard's findLatestPair compares dev against the most recent non-skipped release.
• Artifact source: downloads native-host-ubuntu-latest from CI's existing matrix instead of native-linux-x64 from publish's matrix — no new Rust build added.
• No history-file artifact upload: that's only needed by the post-publish record-benchmarks job in benchmark.yml.
• JSON results uploaded with if: always(): failed gates are debuggable without re-running the suite locally.

Test plan

• CI green on this PR — confirms the new job builds, downloads the host artifact, runs all benchmark scripts (build/resolution/query/incremental), passes the resolution thresholds, tracer validation, and regression guard.
• Verify the new job runs in parallel with lint/typecheck/test (only depends on native-host-build).
• On a follow-up PR that intentionally regresses a metric (or just look at logs), confirm the gate fails with the diagnostic context (CODEGRAPH_FAST_SKIP_DIAG=1, verbose reporters, JSON artifact attached).

[claude]

Claude finished @carlos-alm's task —— View job

---

Reviewing PR: ci: run pre-publish benchmark gate on every PR

Todo List:

• Read and analyze the changed workflow file
• Phase 1: Root cause analysis
• Phase 2: Configuration change detection
• Phase 3: Test integrity assessment
• Phase 4: Code quality review
• Phase 5: Backlog compliance evaluation
• Provide final assessment and rating

---

Root Cause Analysis

Problem Being Solved: Performance regressions were only being caught at release time via the pre-publish benchmark gate in publish.yml, allowing regressions to land on main and only surface during the next release cycle when they're expensive to fix.

Why This Approach: Moving the gate to run on every PR means regressions are caught immediately when introduced, while the diagnostic context is still fresh and the fix is cheap. The recent diagnostics improvements (#1067, #1066) make the gate logs genuinely useful for debugging.

Risk Assessment: This is a defensive change that adds quality gates without removing existing safeguards. The approach mirrors the existing proven gate from publish.yml with minimal modifications.

Backlog Compliance

• Zero-dep: ✓ — No new runtime dependencies added, builds on existing benchmark infrastructure
• Foundation-aligned: ✓ — Aligns with P1 (always-current) by preventing regressions from reaching main, supports P5 (embeddable-first) by ensuring API stability
• Problem-fit: 4 — Directly improves development workflow by catching performance regressions before they affect users/agents
• Breaking: No — Purely additive CI enhancement, no changes to user-facing APIs or behavior
• Tier: 1

Critical Concerns

None identified. This is a well-executed defensive improvement.

Strengths:

1. Smart artifact reuse (lines 339-343): Reuses native-host-ubuntu-latest from existing CI matrix instead of building a separate artifact, avoiding duplication
2. Proper parallelization (line 310, 444): Depends only on native-host-build, runs parallel with other checks, doesn't extend critical path
3. Rolling version strategy (line 374): Uses --version dev as a rolling entry that replaces previous dev runs, compared against latest stable baseline
4. Debuggable failures (lines 431-440): if: always() ensures JSON artifacts are uploaded even on failure, making regressions debuggable without local reproduction
5. Preserved diagnostics (line 316): Maintains CODEGRAPH_FAST_SKIP_DIAG=1 for the incremental rebuild regression investigation
6. Identical test coverage: All four benchmark suites (build/resolution/query/incremental) plus threshold gates and tracer validation preserved from publish.yml

Technical Implementation Quality:

• Clean duplication strategy: Rather than complex abstraction, cleanly duplicates the proven logic with targeted modifications (version label, artifact source)
• Consistent with existing patterns: Uses same timeout values, shell scripting patterns, and error handling as other CI jobs
• Proper gate integration: Correctly wired into ci-pipeline needs array (line 444) so regressions fail the PR

Minor Considerations:

• Resource usage: This adds ~5-10 minutes of compute time per PR, but given the value of catching regressions early, this is well-justified overhead
• No history upload: Correctly omits the history file artifact upload since that's only needed for the post-publish recording job

Final Recommendation

• Rating: ⭐⭐⭐⭐☆ (4/5)
• Action: APPROVE
• Reasoning: This is a high-quality defensive improvement that addresses a real pain point (late regression detection) with a proven, well-implemented solution. The approach is technically sound, preserves all safeguards, and follows existing patterns. The only reason it's not 5 stars is that it's "just" moving existing functionality rather than innovative new capability—but that's actually a strength for this type of quality gate.

---

[greptile-apps]

Greptile Summary

This PR ports the pre-publish-benchmark gate from publish.yml into ci.yml so benchmark regressions are caught on every PR rather than only at release time. It also updates regression-guard.test.ts to correctly handle the rolling dev version produced by the per-PR gate.

• CI job (ci.yml): Adds pre-publish-benchmark that downloads the PR-built native addon, runs all four benchmark scripts with --version dev, and wires the result into ci-pipeline needs; conditioned on github.event_name == 'pull_request' so it doesn't double-run on push-to-main.
• Regression guard (regression-guard.test.ts): Introduces isDevLatest in findLatestPair to bypass the semver gap check for dev, adds baselineVersion to assertNoRegressions so KNOWN_REGRESSIONS anchored to a release version still suppress false failures during PR runs, and mirrors the same fallback in the resolution precision/recall loop.
• Known regressions updated: Adds 3.9.6:Full build and 3.9.6:1-file rebuild with root-cause documentation so the newly-gated PR runs don't fail on pre-existing tracked regressions.

Confidence Score: 4/5

Safe to merge for CI infrastructure; the import-resolution sub-benchmark still silently skips the dev build, leaving one measurement blind to PR-introduced regressions in that specific path.

The isDevLatest bypass, baselineVersion fallback in assertNoRegressions, and resolution isDev fallback are all correctly implemented. The resolveEntries filter at line 572 still excludes dev entries, so nativeBatchMs/jsFallbackMs regressions introduced by a PR would pass the gate silently.

tests/benchmarks/regression-guard.test.ts — the resolveEntries filter at line 572 excludes dev entries, leaving the import-resolution sub-benchmark without PR-level coverage.

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	Adds pre-publish-benchmark job conditioned on pull_request events; correctly mirrors publish.yml patterns, properly wired into ci-pipeline needs with appropriate timeouts on all benchmark execution steps.
tests/benchmarks/regression-guard.test.ts	Adds dev-version handling to findLatestPair and assertNoRegressions; the import-resolution sub-benchmark (resolveEntries) still explicitly excludes dev entries, meaning a PR-introduced regression in nativeBatchMs/jsFallbackMs would not be caught by this gate.

_{Reviews (10): Last reviewed commit: "Merge branch 'main' into ci/regression-g..." | Re-trigger Greptile}

[greptile-apps]

Missing timeouts on benchmark execution steps

The four benchmark run steps (Run build benchmark, Run resolution benchmark, Run query benchmark, Run incremental benchmark) have no timeout-minutes, unlike Gate on resolution thresholds (30 min) and Run tracer validation (10 min). If any benchmark script hangs — for example due to an unresponsive subprocess or an infinite loop in new code — the job will occupy the runner for up to 6 hours before GitHub kills it, blocking the ci-pipeline gate for the entire duration. The equivalent steps in publish.yml share the same gap. Adding per-step timeouts (e.g., 15–20 min each) keeps a stuck job from becoming a multi-hour blocker.

[carlos-alm]

Fixed in 9aca6db — added timeout-minutes: 20 to all four benchmark execution steps (build / resolution / query / incremental) so a hung script can't hold the runner for the GitHub default 6 hours. Same caveat carries over to publish.yml's equivalent steps; left untouched here per one-PR-one-concern (will follow up if needed).

[carlos-alm]

Addressed Greptile review feedback in 9aca6db and fda3c4f:

• Event filter (if: github.event_name == 'pull_request') — added to scope the gate to PRs only, mirroring publish.yml's if: github.event_name != 'push' skip. Push-to-main no longer re-runs the full benchmark suite on the merge commit (the merging PR already gated on the same diff).
• Per-step timeout-minutes — added 20-minute timeouts to the four benchmark execution steps (build / resolution / query / incremental) so a hung script can't hold the runner for the GitHub default 6 hours.

Also fixed the failing CI:

• The pre-publish-benchmark job was tripping the regression guard on incremental Full build (3.9.6 vs 3.9.4), but the underlying regression is the same perf: WASM full-build regression in 3.9.6 (7.6s -> 14.0s, ~85% slower) #1036 / perf: 3.9.6 broad build regression — native +81% build, +60% query; both engines impacted #1037 root cause already documented in KNOWN_REGRESSIONS for Build ms/file and No-op rebuild. PR perf(wasm): scope ensureWasmTrees re-parse to files that need it #1038 added those two labels but missed the Full build label that surfaces in INCREMENTAL-BENCHMARKS — added it (fda3c4f) so the gate stops blocking on a regression that's already fixed and waiting to clear with v3.9.7+ data.

[carlos-alm]

Addressed Greptile's outstanding concern about effectiveGap("dev", anyRelease) returning Infinity in dbd48ae:

The bug was real — parseSemver("dev") returns null, so effectiveGap("dev", anyRelease) always exceeded MAX_VERSION_GAP, causing findLatestPair to silently fall through to compare the two most recent real releases instead of dev vs the latest release. That defeated the entire purpose of running the regression guard on every PR.

Fix: in findLatestPair, when latestVersion === 'dev', bypass the version-gap check. Dev is always the current PR build, so the most recent comparable release is the correct baseline regardless of feature-expansion distance. Real releases still respect MAX_VERSION_GAP to avoid stale baselines. All 17 regression-guard tests pass.

[carlos-alm]

@greptileai

[carlos-alm]

Pushed two follow-up commits to fix the failing CI on this PR's own gate:

• 3cf32b1 - fix(bench): look up KNOWN_REGRESSIONS by baseline version when latest is dev. The exemption keys are anchored to the release where the regression was first observed (e.g. 3.9.6:No-op rebuild); when the per-PR gate runs dev as latest, lookups using dev:Foo never matched, so every documented regression resurfaced. Added a baseline-version fallback so a single 3.9.6:Foo entry now covers both 3.9.6 vs 3.9.5 (release-time) and dev vs 3.9.6 (per-PR) until the next release clears the regression.
• 46492cf - test(bench): mark 3.9.6 1-file rebuild as known regression. After the fallback fix, only 1-file rebuild remained failing (78 → 116ms / 54 → 81ms). Root cause is fix(native): persist file_hashes for dropped/symbol-less files #1069's unconditional backfill on every incremental, fix tracked in perf(native): skip backfill on clean incrementals #1082; added the entry with the same documentation pattern as the other 3.9.6:* exemptions.

Pre-publish benchmark gate is now passing.