feat: add Bencher CI integration for performance tracking

yug49 · yug49 · commit 28c052c509af · 2025-12-21T23:28:03.000+05:30
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
@@ -0,0 +1,76 @@
+name: Benchmarks
+
+# Runs benchmarks on-demand (manual dispatch) to track performance
+# and detect regressions in the Event Scanner.
+
+on:
+  workflow_dispatch:
+    inputs:
+      benchmark:
+        description: "Benchmark to run"
+        required: true
+        default: "all"
+        type: choice
+        options:
+          - all
+          - historic_scanning
+          - latest_events_scanning
+
+permissions:
+  contents: read
+  checks: write
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  benchmark:
+    name: Run Benchmarks
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install Rust toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1.15.2
+
+      - name: Install Foundry (Anvil)
+        uses: foundry-rs/foundry-toolchain@v1
+        with:
+          version: stable
+
+      - name: Install Bencher CLI
+        uses: bencherdev/bencher@main
+
+      - name: Run benchmarks and track with Bencher
+        env:
+          BENCHER_API_TOKEN: ${{ secrets.BENCHER_API_TOKEN }}
+          BENCHER_PROJECT: ${{ vars.BENCHER_PROJECT }}
+        run: |
+          # Determine which benchmarks to run
+          if [ "${{ inputs.benchmark }}" = "all" ]; then
+            BENCH_CMD="cargo bench --manifest-path benches/Cargo.toml"
+          else
+            BENCH_CMD="cargo bench --manifest-path benches/Cargo.toml --bench ${{ inputs.benchmark }}"
+          fi
+
+          bencher run \
+            --project "$BENCHER_PROJECT" \
+            --token "$BENCHER_API_TOKEN" \
+            --branch main \
+            --testbed ubuntu-latest \
+            --threshold-measure latency \
+            --threshold-test t_test \
+            --threshold-max-sample-size 64 \
+            --threshold-upper-boundary 0.99 \
+            --thresholds-reset \
+            --err \
+            --adapter rust_criterion \
+            --github-actions "${{ secrets.GITHUB_TOKEN }}" \
+            $BENCH_CMD
diff --git a/.github/workflows/pr_benchmarks_run.yml b/.github/workflows/pr_benchmarks_run.yml
@@ -0,0 +1,59 @@
+name: Run PR Benchmarks
+
+# This workflow runs benchmarks on pull requests and caches the results.
+# For security, benchmark results are uploaded as artifacts and tracked
+# by a separate workflow (pr_benchmarks_track.yml) that has access to secrets.
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+    paths:
+      # Only run benchmarks if relevant code changes
+      - "src/**"
+      - "benches/**"
+      - "Cargo.toml"
+      - "Cargo.lock"
+
+permissions:
+  contents: read
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  benchmark_pr:
+    name: Run PR Benchmarks
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install Rust toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1.15.2
+
+      - name: Install Foundry (Anvil)
+        uses: foundry-rs/foundry-toolchain@v1
+        with:
+          version: stable
+
+      - name: Run benchmarks
+        run: |
+          cargo bench --manifest-path benches/Cargo.toml -- --noplot 2>&1 | tee benchmark_results.txt
+
+      - name: Upload benchmark results
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: benchmark_results.txt
+          path: ./benchmark_results.txt
+
+      - name: Upload PR event
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: event.json
+          path: ${{ github.event_path }}
diff --git a/.github/workflows/pr_benchmarks_track.yml b/.github/workflows/pr_benchmarks_track.yml
@@ -0,0 +1,79 @@
+name: Track PR Benchmarks
+
+# This workflow tracks benchmark results from pull requests using Bencher.
+# It runs after the pr_benchmarks_run.yml workflow completes successfully.
+# This separation is required for security when handling fork PRs, as secrets
+# are not available in the context of fork PR workflows.
+
+on:
+  workflow_run:
+    workflows: [Run PR Benchmarks]
+    types: [completed]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+env:
+  BENCHMARK_RESULTS: benchmark_results.txt
+  PR_EVENT: event.json
+
+jobs:
+  track_pr_benchmarks:
+    name: Track PR Benchmarks with Bencher
+    if: github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Download benchmark results
+        uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
+        with:
+          name: ${{ env.BENCHMARK_RESULTS }}
+          run_id: ${{ github.event.workflow_run.id }}
+
+      - name: Download PR event
+        uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
+        with:
+          name: ${{ env.PR_EVENT }}
+          run_id: ${{ github.event.workflow_run.id }}
+
+      - name: Export PR event data
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const fs = require('fs');
+            const prEvent = JSON.parse(fs.readFileSync(process.env.PR_EVENT, { encoding: 'utf8' }));
+            core.exportVariable('PR_NUMBER', prEvent.number);
+            core.exportVariable('PR_HEAD', prEvent.pull_request.head.ref);
+            core.exportVariable('PR_HEAD_SHA', prEvent.pull_request.head.sha);
+            core.exportVariable('PR_BASE', prEvent.pull_request.base.ref);
+            core.exportVariable('PR_BASE_SHA', prEvent.pull_request.base.sha);
+
+      - name: Install Bencher CLI
+        uses: bencherdev/bencher@main
+
+      - name: Track PR benchmarks with Bencher
+        env:
+          BENCHER_API_TOKEN: ${{ secrets.BENCHER_API_TOKEN }}
+          BENCHER_PROJECT: ${{ vars.BENCHER_PROJECT }}
+        run: |
+          bencher run \
+            --project "$BENCHER_PROJECT" \
+            --token "$BENCHER_API_TOKEN" \
+            --branch "$PR_HEAD" \
+            --hash "$PR_HEAD_SHA" \
+            --start-point "$PR_BASE" \
+            --start-point-hash "$PR_BASE_SHA" \
+            --start-point-clone-thresholds \
+            --start-point-reset \
+            --testbed ubuntu-latest \
+            --err \
+            --adapter rust_criterion \
+            --github-actions "${{ secrets.GITHUB_TOKEN }}" \
+            --ci-number "$PR_NUMBER" \
+            --file "$BENCHMARK_RESULTS"
