Merge pull request #2305 from vprashar2929/docs-profile

docs: add profiling workflow documentation

Author: Sunil Thaha

.github/workflows/profiling.yaml

@@ -28,11 +28,6 @@ jobs:
     if: needs.check-changes.outputs.changes == 'true'
     runs-on: ubuntu-latest
     steps:
-      - name: Install Graphviz
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y graphviz
-
       - name: Install Docker
         shell: bash
         run: |

docs/developer/assets/profiling.png

@@ -0,0 +1,60 @@
+@startuml Profiling Report Workflow Sequence
+' NOTE: Render using http://sujoyu.github.io/plantuml-previewer or any PlantUML tool
+title Profiling Report Workflow
+skinparam sequenceMessageAlign center
+skinparam responseMessageBelowArrow true
+skinparam maxMessageSize 150
+skinparam style strictuml
+actor "Contributor" as Dev
+participant "GitHub Repo" as SR
+box "GitHub Actions" #LightBlue
+participant "Workflow Runner" as Runner
+end box
+participant "Artifact Storage" as Artifacts
+participant "External Workflow" as ExtWF
+note over ExtWF: Separate PR Comment Workflow\n(triggered on workflow_run event)
+== Trigger ==
+Dev -> SR: Create or update Pull Request
+SR -> Runner: Trigger profiling-report workflow\n(on: pull_request)
+== Job: check-changes ==
+group Change Detection
+    Runner -> Runner: Checkout source code
+    Runner -> Runner: Filter paths for changes\n(using dorny/paths-filter)
+    note right: Outputs 'changes' if relevant files modified
+end
+== Job: profiling ==
+note right of Runner: Needs check-changes;\nRuns if changes == 'true'
+group Environment Setup
+    Runner -> Runner: Install and Verify Docker
+    Runner -> Runner: Checkout source code
+    Runner -> Runner: Setup Go environment
+    Runner -> Runner: Install pprof
+end
+group Profiling Execution
+    Runner -> Runner: Enable fake CPU meter in configs
+    Runner -> Runner: Run Docker Compose services\n(build and start kepler-dev/latest in detach mode)
+    Runner -> Runner: Run must-gather (always)\n(collect logs, metrics, etc.)
+    Runner -> Runner: Sleep for 10 seconds
+    Runner -> Runner: Capture CPU/Memory profiling\n(using hack/reports/profiling.sh capture --duration 60)
+    Runner -> Runner: Compare profiling results\n(using hack/reports/profiling.sh compare)
+end
+group Artifact Upload
+    Runner -> Artifacts: Upload profiling artifacts\n(name: profile-artifacts-${{ github.event.pull_request.number }})
+end
+== Job: generate-comment-message ==
+note right of Runner: Needs profiling;\nRuns if profiling success
+group Message Generation
+    Runner -> Runner: Checkout source code
+    Runner -> Runner: Setup Go environment
+    Runner -> Runner: Install pprof
+    Runner -> Artifacts: Download profiling artifacts
+    Runner -> Runner: Generate comment messages\n(using hack/reports/profiling.sh output;\nincludes download instructions)
+end
+group Message Artifact Upload
+    Runner -> Artifacts: Upload message artifact\n(name: message;\npath: /tmp/message-*.txt)
+    note right: This upload enables a separate PR Comment workflow\nto download the artifact and post a comment on the PR
+    Artifacts --> ExtWF: Triggers PR Comment workflow\n(on workflow_run event;\ndownloads message and comments on PR)
+end
+== Complete ==
+Runner --> SR: Workflow complete
+@enduml

docs/developer/assets/profiling.uml

@@ -0,0 +1,104 @@
+# 📊 Profiling Workflow
+
+The Profiling workflow is an automated GitHub Actions workflow that generates and compares performance profiles for Kepler when changes are made to the codebase. This workflow helps developers understand the performance impact of their changes by providing detailed CPU and memory profiling data.
+
+## 🎯 Purpose
+
+The profiling workflow serves several critical purposes:
+
+1. **📉 Performance Regression Detection**: Automatically identifies potential performance degradations introduced by code changes
+2. **📈 Resource Usage Analysis**: Provides detailed insights into CPU and memory consumption patterns
+3. **⚖️ Comparative Analysis**: Compares performance metrics between the development version and the latest stable version
+4. **🔄 Continuous Performance Monitoring**: Ensures performance considerations are part of the development process
+
+## 🔄 Workflow Overview
+
+![Profiling Workflow Overview](assets/profiling.png)
+
+## 🏗️ Workflow Structure
+
+The profiling workflow consists of three main jobs:
+
+### 1. 🔍 Check Changes Job
+
+- **🎯 Purpose**: Determines if profiling should run based on file changes
+- **⚡ Trigger**: Runs on every pull request
+
+### 2. 📊 Profiling Job
+
+- **🎯 Purpose**: Executes the actual profiling process
+- **⚠️ Conditions**: Only runs if relevant changes are detected
+
+### 3. 💬 Generate Comment Message Job
+
+- **🎯 Purpose**: Creates a formatted comment message with profiling results
+- **⚠️ Conditions**: Only runs if profiling job succeeds
+- **📦 Output**: Generates artifacts containing:
+  - Formatted profiling comparison results
+  - Download instructions for profiling artifacts
+  - GitHub CLI commands for artifact retrieval
+
+## ✨ Key Features
+
+### 🤖 Automated Environment Setup
+
+The workflow automatically provisions a complete testing environment including:
+
+- 🐳 Docker containerization for isolated testing
+- 🔄 Both development and production Kepler versions
+
+### 🔬 Comprehensive Profiling
+
+- **⏱️ Duration**: 60-second profiling sessions for statistically significant data
+- **📊 Metrics**: CPU and memory usage patterns
+- **🔀 Comparison**: Side-by-side analysis of different versions
+
+### 📦 Artifact Management
+
+- **🗓️ Retention**: Profiling artifacts retained for 5 days
+- **🏷️ Naming**: Artifacts named with PR numbers for easy identification
+- **📥 Access**: Multiple download methods provided (web interface, GitHub CLI)
+
+## 🔐 Security Considerations
+
+### 🤔 Why Separate Comment Message Generation?
+
+The workflow uploads comment messages as artifacts rather than directly posting comments to pull requests. This approach addresses critical security concerns outlined in [issue #2287](https://github.com/sustainable-computing-io/kepler/issues/2287).
+
+### ⚠️ Security Challenge
+
+Using the `pull_request_target` event for PR comments creates security risks because:
+
+- ⚡ The workflow runs in the context of the target branch with full repository permissions
+- 🛡️ Malicious code in PR branches could potentially access sensitive information
+- 🔓 Direct comment posting from PR contexts poses privilege escalation risks
+
+### ✅ Secure Solution
+
+The current approach implements a two-stage security model:
+
+1. **🔄 Source Workflow** (this profiling workflow):
+   - 🔒 Runs in the limited context of the PR branch
+   - 🛡️ Generates comment content safely
+   - 📤 Uploads message as an artifact (no direct repository access)
+
+2. **💬 Dedicated PR Comment Workflow**:
+   - 🔐 Runs separately using the safer `workflow_run` event trigger
+   - 📥 Downloads the pre-generated comment artifact
+   - 📝 Posts comments with proper base branch context
+   - 🛡️ Maintains security isolation
+
+### 🎯 Benefits of This Approach
+
+- **🔐 Security Isolation**: PR comment workflows run in base branch context, not PR context
+- **🛡️ Reduced Attack Surface**: Limited permissions for content generation workflows
+- **📋 Audit Trail**: Clear separation of content generation and posting actions
+- **♻️ Reusability**: Comment generation pattern can be reused across multiple workflows
+
+## 🚀 Usage
+
+The profiling workflow automatically triggers on pull requests that modify relevant files. No manual intervention is required. Results are available through:
+
+1. **📊 GitHub Actions Summary**: View workflow execution details and download artifacts
+2. **💬 PR Comments**: Automated comments with profiling summaries (posted by separate workflow)
+3. **📦 Artifacts**: Detailed profiling data available for download and local analysis