Benchmark #61
- Loading branch information
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -17,6 +17,12 @@ jobs: | |
| go-version: [ '1.24' ] | ||
|
|
||
| steps: | ||
| - name: Setup Go ${{ matrix.go-version }} | ||
| uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b | ||
| with: | ||
| go-version: ${{ matrix.go-version }} | ||
| - name: Display Go version | ||
| run: go version | ||
| - name: Restore main benchmark | ||
| uses: actions/cache/restore@v4 | ||
| id: restore-main-benchmark | ||
|
|
@@ -29,14 +35,6 @@ jobs: | |
| with: | ||
| ref: main | ||
| clean: false | ||
| - name: Install dependencies | ||
| if: steps.restore-main-benchmark.outputs.cache-hit != 'true' | ||
| run: go get . | ||
|
|
@@ -56,28 +54,24 @@ jobs: | |
| key: main-benchmark-2 | ||
| - name: Checkout branch | ||
| uses: actions/checkout@v4 | ||
| - name: Restore main benchmark | ||
| uses: actions/cache/restore@v4 | ||
|
There was a problem hiding this comment. 🟠 Code VulnerabilityWorkflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)Pin GitHub Actions by commit hash to ensure supply chain security. Using a branch ( - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||
| with: | ||
| path: bench/main.txt | ||
| key: main-benchmark-2 | ||
| fail-on-cache-miss: true | ||
| # - name: Install dependencies | ||
| # run: go get . | ||
| # - name: Build | ||
| # run: go build -v ./... | ||
| # - name: Benchmark | ||
| # run: go test -timeout=9999999s -bench=. -benchmem -count=2 ./... | tee bench/${{github.sha}}.txt | ||
| - name: Install benchstat | ||
| run: go get -u golang.org/x/perf/cmd/benchstat | ||
| - run: go env | ||
| - run: echo $PATH | ||
| - name: Compare benchmarks | ||
| run: benchstat bench/main.txt bench/${{github.sha}}.txt | tee bench/benchstat.txt | ||
| - name: Store benchmark | ||
| uses: actions/upload-artifact@v4 | ||
|
There was a problem hiding this comment. 🟠 Code VulnerabilityWorkflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)Pin GitHub Actions by commit hash to ensure supply chain security. Using a branch ( - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||
| with: | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (
@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity: