Merge pull request #15 from jserv/lto

Add per-PR subsystem-size budget gate with PR-comment surface

Author: jserv

.github/workflows/main.yml

@@ -9,6 +9,9 @@ on:
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 
+permissions:
+  contents: read
+
 concurrency:
   group: build-${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -75,6 +78,26 @@ jobs:
           QUIET: 1
         run: ./build.sh
 
+      - name: Build diagnostic subsystem rollup
+        if: success()
+        env:
+          QUIET: 1
+          KERNEL_DEBUG_INFO: reduced
+        run: ./build.sh linux bootwrapper
+
+      - name: Render subsystem rollup markdown
+        if: success()
+        run: |
+          python3 scripts/rollup-to-markdown.py \
+            --rollup profiles/kernel-pgo/none/subsystem-rollup.txt \
+            --budget-status profiles/kernel-pgo/none/subsystem-budget.txt \
+            --top 12 \
+            --output profiles/kernel-pgo/none/subsystem-rollup.md
+
+      - name: Add subsystem rollup to step summary
+        if: success()
+        run: cat profiles/kernel-pgo/none/subsystem-rollup.md >> "$GITHUB_STEP_SUMMARY"
+
       - name: Save source downloads cache
         if: always() && steps.restore-downloads.outputs.cache-hit != 'true'
         uses: actions/cache/save@v5
@@ -127,6 +150,21 @@ jobs:
             logs
           if-no-files-found: ignore
 
+      - name: Upload subsystem rollup artifacts
+        if: success()
+        uses: actions/upload-artifact@v7
+        with:
+          name: subsystem-rollup
+          compression-level: 0
+          path: |
+            profiles/kernel-pgo/none/subsystem-rollup.txt
+            profiles/kernel-pgo/none/subsystem-rollup.md
+            profiles/kernel-pgo/none/subsystem-budget.txt
+            profiles/kernel-pgo/none/subsystem-rollup-tree.html
+            profiles/kernel-pgo/none/subsystem-rollup-deep.html
+            profiles/kernel-pgo/none/subsystem-rollup-bars.svg
+          if-no-files-found: warn
+
   qemu:
     name: Validate boot in QEMU
     runs-on: ubuntu-24.04

.github/workflows/rollup-comment.yml

@@ -0,0 +1,120 @@
+name: PR comment - subsystem rollup
+
+# Posts the diagnostic subsystem-size rollup as a PR comment after the
+# Build workflow finishes. Lives in a separate workflow on purpose:
+# `workflow_run` runs in the base-repo trusted context, so this is the
+# only place pull-requests:write is granted. The Build job stays
+# read-only, which keeps a compromised toolchain or build-script step
+# from minting comments on attacker-supplied PRs.
+#
+# Fork PRs work too: workflow_run.pull_requests is empty for forks, so
+# the resolver falls back to a head-SHA search.
+
+on:
+  workflow_run:
+    workflows: [Build]
+    types: [completed]
+
+permissions:
+  contents: read
+  pull-requests: write
+  actions: read
+
+jobs:
+  comment:
+    name: Upsert subsystem rollup comment
+    runs-on: ubuntu-24.04
+    if: |
+      github.event.workflow_run.event == 'pull_request'
+      && github.event.workflow_run.conclusion == 'success'
+
+    steps:
+      - name: Download subsystem rollup artifact
+        uses: actions/download-artifact@v5
+        with:
+          name: subsystem-rollup
+          path: rollup
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ github.token }}
+
+      - name: Resolve PR number
+        id: pr
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const run = context.payload.workflow_run;
+            // workflow_run.pull_requests is populated for same-repo
+            // PRs and empty for forks; fall back to a head-SHA search
+            // so fork PRs still get the comment.
+            const direct = run.pull_requests || [];
+            if (direct.length > 0) {
+              core.setOutput('number', String(direct[0].number));
+              return;
+            }
+            const { owner, repo } = context.repo;
+            const { data } = await github.rest.search.issuesAndPullRequests({
+              q: `repo:${owner}/${repo} is:pr is:open ${run.head_sha}`,
+            });
+            if (data.items.length === 0) {
+              core.warning(`no open PR matched head SHA ${run.head_sha}`);
+              core.setOutput('number', '');
+              return;
+            }
+            core.setOutput('number', String(data.items[0].number));
+
+      - name: Upsert comment
+        if: steps.pr.outputs.number != ''
+        uses: actions/github-script@v8
+        env:
+          # Pass the PR number through the environment instead of
+          # interpolating it directly into the script body. Template
+          # substitution happens before the JS engine sees the source,
+          # so any future change that lets a non-numeric value reach
+          # this output would otherwise be a script-injection vector.
+          PR_NUMBER: ${{ steps.pr.outputs.number }}
+        with:
+          script: |
+            const fs = require('fs');
+            // upload-artifact@v4+ preserves workspace-relative paths,
+            // so the markdown lives at its original profiles/ path
+            // inside the downloaded folder.
+            const body = fs.readFileSync(
+              'rollup/profiles/kernel-pgo/none/subsystem-rollup.md',
+              'utf8',
+            );
+            const marker = '<!-- subsystem-rollup-comment -->';
+            const { owner, repo } = context.repo;
+            const issue_number = Number(process.env.PR_NUMBER);
+            const comments = await github.paginate(
+              github.rest.issues.listComments,
+              { owner, repo, issue_number, per_page: 100 },
+            );
+            // Strict login match: github-actions[bot] is the only
+            // identity this workflow ever posts under. A broader
+            // user.type === 'Bot' filter would let a third-party bot's
+            // comment shadow ours and silently break the upsert.
+            const matches = comments.filter(c =>
+              c.user?.login === 'github-actions[bot]'
+              && typeof c.body === 'string'
+              && c.body.includes(marker),
+            );
+            // Update the most recent match and delete older
+            // duplicates so a crashed prior run cannot leave stale
+            // gate state visible on the PR.
+            matches.sort((a, b) =>
+              new Date(b.updated_at) - new Date(a.updated_at)
+            );
+            if (matches.length > 0) {
+              await github.rest.issues.updateComment({
+                owner, repo, comment_id: matches[0].id, body,
+              });
+              for (const stale of matches.slice(1)) {
+                await github.rest.issues.deleteComment({
+                  owner, repo, comment_id: stale.id,
+                });
+              }
+            } else {
+              await github.rest.issues.createComment({
+                owner, repo, issue_number, body,
+              });
+            }

configs/subsystem-budget.txt

@@ -2,33 +2,35 @@
 #
 # Format:  <bucket>  <ceiling-bytes>  [<noise-band-pct>]
 #
-# - Bucket names match scripts/subsystem-rollup.py output. Run a
-#   diagnostic build (KERNEL_DEBUG_INFO=reduced) and inspect
-#   profiles/kernel-pgo/none/subsystem-rollup.txt for the live names.
-# - The noise band absorbs run-to-run variance from GCC LTO
-#   re-deciding what to inline when nothing semantic changed. Default
-#   is 2.0%. Start there, then tighten after observing a week of
-#   clean builds. <icf-merged> tends to be jitterier than real
-#   subsystems -- a wider band there is reasonable.
+# - Bucket names match scripts/subsystem-rollup.py output. The checker
+#   now merges both subsystem-rollup.txt and subsystem-rollup-deep.txt,
+#   so rules may target top-level buckets (`kernel`, `lib`, `fs`) or
+#   deep sub-buckets (`kernel/sched`, `kernel/printk`, `lib/zstd`).
 # - A breach is "actual > limit * (1 + band/100)". The total-bytes
-#   gate is the coarse safeguard; this layer answers WHICH bucket
+#   gate remains the coarse safeguard; this layer answers WHICH bucket
 #   regressed.
+# - The default 2.0% band is still a placeholder until run-to-run LTO
+#   variance is measured. `<icf-merged>` gets 5.0% because IPA-ICF
+#   alias groups jitter more than the real subsystem buckets.
 #
-# How to populate:
-#   1. KERNEL_DEBUG_INFO=reduced ./build.sh linux bootwrapper
-#   2. Read profiles/kernel-pgo/none/subsystem-rollup.txt for the
-#      observed sizes.
-#   3. Pick ceilings 5-10% above each observed value -- enough room
-#      for legitimate growth without masking regressions.
-#
-# Example values (uncomment and tune to your build):
-#   kernel              260000   2.0
-#   mm                   80000   2.0
-#   fs                   20000   2.0
-#   arch/arm            120000   2.0
-#   drivers/tty          25000   2.0
-#   drivers/clocksource  10000   2.0
-#   lib                  70000   2.0
-#   crypto                5000   2.0
-#   <icf-merged>         30000   5.0
-#   <compiler-partition>  5000   5.0
+# Baseline sources:
+# - Top-level ceilings come from the 2026-05-01 diagnostic snapshot in
+#   TODO.md's "Snapshot from Latest Production Build" section.
+# - `kernel/sched` and `kernel/printk` come from the 2026-05-01
+#   "Kernel and Lib Sub-Bucket Breakdown" section after patches
+#   0015-0020 and CONFIG_SCHED_FAIR_TINY.
+# - `lib/zstd`, `lib/lz4`, and `lib/xz` are pinned at zero to catch an
+#   `olddefconfig` re-enable of already-disabled RD_* decompressors.
+
+kernel         200000  2.0
+fs             165000  2.0
+lib            116000  2.0
+mm              86000  2.0
+<icf-merged>    28000  5.0
+
+kernel/sched    23500  2.0
+kernel/printk   18500  2.0
+
+lib/zstd            0  0.0
+lib/lz4             0  0.0
+lib/xz              0  0.0

scripts/check-subsystem-budget.py

@@ -19,10 +19,19 @@
 
 import argparse
 import pathlib
+import re
 import sys
 
 DEFAULT_BAND_PCT = 2.0
 
+# The deep-rollup writer emits "# <bucket> top <N> source files" as the
+# delimiter that closes the depth-2 budget-eligible region. N is the
+# `top_files` parameter on subsystem-rollup.py:write_deep_table and is
+# not currently exposed as a CLI flag, so matching the literal "top 20"
+# would silently drift if that default changed. Match any positive int
+# instead so the two scripts stay decoupled.
+TOP_FILES_HEADER_RE = re.compile(r" top \d+ source files$")
+
 
 def read_budget(path):
     rules = {}
@@ -75,11 +84,52 @@ def read_rollup(path):
     return rows
 
 
+def read_deep_rollup(path):
+    rows = {}
+    in_depth2 = False
+    for raw in path.read_text().splitlines():
+        line = raw.strip()
+        if not line:
+            in_depth2 = False
+            continue
+        if line.startswith("## "):
+            in_depth2 = False
+            continue
+        if line.startswith("# "):
+            # Only the "by 2nd-level subdirectory" table is stable
+            # budget material. The subsequent "top N source files"
+            # table is intentionally excluded from the budget
+            # namespace: file-level churn is too high, and a file name
+            # like "kernel/workqueue.c" would collide conceptually
+            # with a genuine depth-2 bucket if the format ever grows.
+            if line.endswith(" by 2nd-level subdirectory"):
+                in_depth2 = True
+            elif TOP_FILES_HEADER_RE.search(line):
+                in_depth2 = False
+            continue
+        if not in_depth2:
+            continue
+        parts = raw.split("\t")
+        if len(parts) < 2:
+            continue
+        bucket = parts[0]
+        try:
+            rows[bucket] = int(parts[1])
+        except ValueError:
+            continue
+    return rows
+
+
 def main(argv):
     ap = argparse.ArgumentParser(
         description="Compare subsystem rollup against per-bucket budgets."
     )
     ap.add_argument("--rollup", required=True, type=pathlib.Path)
+    ap.add_argument(
+        "--deep-rollup",
+        type=pathlib.Path,
+        help="Optional subsystem-rollup-deep.txt for sub-bucket rules.",
+    )
     ap.add_argument("--budget", required=True, type=pathlib.Path)
     ap.add_argument(
         "--output",
@@ -101,9 +151,32 @@ def main(argv):
             file=sys.stderr,
         )
         return 2
+    if args.deep_rollup is not None and not args.deep_rollup.exists():
+        print(
+            f"check-subsystem-budget: deep rollup not found: "
+            f"{args.deep_rollup}",
+            file=sys.stderr,
+        )
+        return 2
 
     budgets = read_budget(args.budget)
     rollup = read_rollup(args.rollup)
+    deep_rollup = (
+        read_deep_rollup(args.deep_rollup)
+        if args.deep_rollup is not None
+        else {}
+    )
+
+    overlap = sorted(set(rollup) & set(deep_rollup))
+    if overlap:
+        print(
+            "check-subsystem-budget: top-level and deep rollups contain "
+            "the same bucket name(s), refusing ambiguous input: "
+            + ", ".join(overlap),
+            file=sys.stderr,
+        )
+        return 2
+    rollup.update(deep_rollup)
 
     if not budgets:
         # Empty file is a deliberate state: the operator has staged the
@@ -120,6 +193,11 @@ def main(argv):
     lines = [
         f"# subsystem budget check (default band = +/- {DEFAULT_BAND_PCT}%)",
         f"# rollup: {args.rollup}",
+        (
+            f"# deep rollup: {args.deep_rollup}"
+            if args.deep_rollup is not None
+            else "# deep rollup: (not provided)"
+        ),
         f"# budget: {args.budget}",
         "# bucket\tactual\tlimit\tband_pct\tdelta_vs_limit\tstatus",
     ]

scripts/kernel-size-report.sh

@@ -234,10 +234,33 @@ report_subsystem_budget() {
         return 0
     fi
 
-    python3 "${SUBSYSTEM_BUDGET_CHECK}" \
+    # Wipe before the run so an exit other than 0/1 (missing input,
+    # overlap-refusal, malformed file) cannot let a stale status file
+    # from a cached workspace masquerade as the current gate state.
+    rm -f "${OUTDIR}/subsystem-budget.txt"
+
+    set -- \
         --rollup "${OUTDIR}/subsystem-rollup.txt" \
         --budget "${SUBSYSTEM_BUDGET_FILE}" \
-        --output "${OUTDIR}/subsystem-budget.txt" || true
+        --output "${OUTDIR}/subsystem-budget.txt"
+    if [ -f "${OUTDIR}/subsystem-rollup-deep.txt" ]; then
+        set -- "$@" --deep-rollup "${OUTDIR}/subsystem-rollup-deep.txt"
+    fi
+
+    rc=0
+    python3 "${SUBSYSTEM_BUDGET_CHECK}" "$@" || rc=$?
+
+    # Exit codes from check-subsystem-budget.py:
+    #   0 -- ok       (status file written, gate clean)
+    #   1 -- breach   (status file written; warn-only at this layer)
+    #   2 -- input    (no status file; do not let a stale one survive)
+    case "${rc}" in
+        0|1) ;;
+        *)
+            echo "ERROR: subsystem budget checker exited ${rc}" >&2
+            rm -f "${OUTDIR}/subsystem-budget.txt"
+            ;;
+    esac
 }
 
 case "${MODE}" in