Benchmark #61
Changes from 14 commits
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,108 @@ | ||
| name: Run benchmarks | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - "*" | ||
| pull_request: | ||
| types: [opened, reopened, synchronize] | ||
|
|
||
| jobs: | ||
| benchmark: | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| go-version: [ '1.24' ] | ||
|
|
||
| steps: | ||
| - name: Setup Go ${{ matrix.go-version }} | ||
| uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b | ||
| with: | ||
| go-version: ${{ matrix.go-version }} | ||
| - name: Display Go version | ||
| run: go version | ||
| - name: Restore main benchmark | ||
| uses: actions/cache/restore@v4 | ||
| id: restore-main-benchmark | ||
| with: | ||
| path: bench/main.txt | ||
| key: main-benchmark-2 | ||
| - name: Checkout main | ||
| if: steps.restore-main-benchmark.outputs.cache-hit != 'true' | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: main | ||
| clean: false | ||
| - name: Install dependencies | ||
| if: steps.restore-main-benchmark.outputs.cache-hit != 'true' | ||
| run: go get . | ||
| - name: Build | ||
| if: steps.restore-main-benchmark.outputs.cache-hit != 'true' | ||
| run: go build -v ./... | ||
| - run: mkdir -p bench | ||
| if: steps.restore-main-benchmark.outputs.cache-hit != 'true' | ||
| - name: Benchmark | ||
| if: steps.restore-main-benchmark.outputs.cache-hit != 'true' | ||
| run: go test -timeout=9999999s -bench=. -benchmem -count=2 ./... | tee bench/main.txt | ||
| - name: Save main benchmark | ||
| if: steps.restore-main-benchmark.outputs.cache-hit != 'true' | ||
| uses: actions/cache/save@v4 | ||
|
🟠 Code Vulnerability: Workflow depends on a GitHub actions pinned by tag instead of a hash. Pin GitHub Actions by commit hash to ensure supply chain security. Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity: `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` |
||
| with: | ||
| path: bench/main.txt | ||
| key: main-benchmark-2 | ||
| - name: Checkout branch | ||
| uses: actions/checkout@v4 | ||
| - name: Restore main benchmark | ||
| uses: actions/cache/restore@v4 | ||
|
🟠 Code Vulnerability: Workflow depends on a GitHub actions pinned by tag instead of a hash. Pin GitHub Actions by commit hash to ensure supply chain security. Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity: `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` |
||
| with: | ||
| path: bench/main.txt | ||
| key: main-benchmark-2 | ||
| fail-on-cache-miss: true | ||
| # - name: Install dependencies | ||
| # run: go get . | ||
| # - name: Build | ||
| # run: go build -v ./... | ||
| # - name: Benchmark | ||
| # run: go test -timeout=9999999s -bench=. -benchmem -count=2 ./... | tee bench/${{github.sha}}.txt | ||
| - name: Install benchstat | ||
| run: go get -u golang.org/x/perf/cmd/benchstat | ||
| - run: go env | ||
| - run: echo $PATH | ||
| - name: Compare benchmarks | ||
| run: benchstat bench/main.txt bench/${{github.sha}}.txt | tee bench/benchstat.txt | ||
| - name: Store benchmark | ||
| uses: actions/upload-artifact@v4 | ||
|
🟠 Code Vulnerability: Workflow depends on a GitHub actions pinned by tag instead of a hash. Pin GitHub Actions by commit hash to ensure supply chain security. Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity: `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` |
||
| with: | ||
| name: benchmark-${{ github.sha }} | ||
| path: bench | ||
|
|
||
|
|
||
| benchmark_main: | ||
| if: github.ref == 'refs/heads/main' | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| go-version: [ '1.24' ] | ||
| steps: | ||
| - name: Setup Go ${{ matrix.go-version }} | ||
| uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b | ||
| with: | ||
| go-version: ${{ matrix.go-version }} | ||
| - name: Display Go version | ||
| run: go version | ||
| - name: Checkout main | ||
| uses: actions/checkout@v4 | ||
| - name: Install dependencies | ||
| run: go get . | ||
| - name: Build | ||
| run: go build -v ./... | ||
| - run: mkdir -p bench | ||
| - name: Benchmark | ||
| run: go test -timeout=9999999s -bench=. -benchmem -count=2 ./... | tee bench/main.txt | ||
| - name: Save main benchmark | ||
| uses: actions/cache/save@v4 | ||
|
🟠 Code Vulnerability: Workflow depends on a GitHub actions pinned by tag instead of a hash. Pin GitHub Actions by commit hash to ensure supply chain security. Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity: `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` |
||
| with: | ||
| path: bench/main.txt | ||
| key: main-benchmark-10 | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -22,3 +22,6 @@ go.work | |
|
|
||
| # Go fuzz test files | ||
| testdata/fuzz/ | ||
|
|
||
| # Benchmark files | ||
| bench | ||
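
Review bot: The new pattern "bench" has no leading or trailing slash, so it ignores any file or directory named bench at any depth, not only the top-level output directory the workflow writes to. Anchoring it as /bench/ limits the rule to that directory.
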
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag instead of a hash.
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity: