diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 2ab8538..507d1b5 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -36,6 +36,9 @@ on: required: false default: '19' +permissions: + contents: read + jobs: benchmark: runs-on: ubuntu-latest @@ -43,6 +46,8 @@ jobs: steps: - name: Checkout memory tracker uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 @@ -51,9 +56,11 @@ jobs: - name: Clone CPython repository run: | - git clone ${{ github.event.inputs.cpython_repo }} cpython + git clone ${GITHUB_EVENT_INPUTS_CPYTHON_REPO} cpython cd cpython git fetch --depth=200 + env: + GITHUB_EVENT_INPUTS_CPYTHON_REPO: ${{ github.event.inputs.cpython_repo }} - name: Install memory tracker worker run: | @@ -67,8 +74,8 @@ jobs: sudo .github/workflows/posix-deps-apt.sh # Install JIT dependencies - if [ "${{ inputs.binary_id }}" = "jit" ]; then - sudo bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)" ./llvm.sh ${{ inputs.llvm }} + if [ "${INPUTS_BINARY_ID}" = "jit" ]; then + sudo bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)" ./llvm.sh ${INPUTS_LLVM} fi # Install Memray dependencies 
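Review bot: The rewritten clone line `git clone ${GITHUB_EVENT_INPUTS_CPYTHON_REPO} cpython` leaves the expansion unquoted, so a value containing whitespace is word-split and a value beginning with `-` is read by git as an option rather than a URL; the same step in daily-benchmark.yml quotes it. I would write `git clone -- "${GITHUB_EVENT_INPUTS_CPYTHON_REPO}" cpython` so the input is always exactly one positional argument, which also keeps the two workflows consistent. Moving the value into `env:` removes the expression from the script text, which is the right fix; the quoting is the remaining half.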
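Review bot: `./llvm.sh ${INPUTS_LLVM}` is still unquoted, unlike the equivalent `./llvm.sh "${LLVM_VERSION}"` this commit writes in daily-benchmark.yml; write it as `./llvm.sh "${INPUTS_LLVM}"`. Because the value becomes `$1` of a script run under `sudo bash`, a cheap shape check before the `if` block is worthwhile: `case "${INPUTS_LLVM}" in ''|*[!0-9]*) echo "llvm input must be a version number" >&2; exit 1;; esac`. The `env:` entries defining `INPUTS_BINARY_ID` and `INPUTS_LLVM` for this step are added in the next hunk, and the step's `run:` block starts before this one.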
@@ -77,33 +84,44 @@ jobs: libdebuginfod-dev \ libunwind-dev \ liblz4-dev + env: + INPUTS_BINARY_ID: ${{ inputs.binary_id }} + INPUTS_LLVM: ${{ inputs.llvm }} - name: Run memory benchmarks env: MEMORY_TRACKER_TOKEN: ${{ secrets.MEMORY_TRACKER_TOKEN }} + INPUTS_BINARY_ID: ${{ inputs.binary_id }} + INPUTS_LLVM: ${{ inputs.llvm }} + GITHUB_EVENT_INPUTS_COMMIT_RANGE: ${{ github.event.inputs.commit_range }} + GITHUB_EVENT_INPUTS_BINARY_ID: ${{ github.event.inputs.binary_id }} + GITHUB_EVENT_INPUTS_ENVIRONMENT_ID: ${{ github.event.inputs.environment_id }} + GITHUB_EVENT_INPUTS_SERVER_URL: ${{ github.event.inputs.server_url }} + GITHUB_EVENT_INPUTS_CONFIGURE_FLAGS: ${{ github.event.inputs.configure_flags }} + GITHUB_EVENT_INPUTS_MAKE_FLAGS: ${{ github.event.inputs.make_flags }} run: | - if [ "${{ inputs.binary_id }}" = "jit" ]; then - export PATH="$(llvm-config-${{ inputs.llvm }} --bindir):$PATH" + if [ "${INPUTS_BINARY_ID}" = "jit" ]; then + export PATH="$(llvm-config-${INPUTS_LLVM} --bindir):$PATH" fi # Build command with conditional flags - CMD="memory-tracker benchmark '${{ github.event.inputs.commit_range }}'" + CMD="memory-tracker benchmark '${GITHUB_EVENT_INPUTS_COMMIT_RANGE}'" CMD="$CMD --repo-path ./cpython" - CMD="$CMD --binary-id '${{ github.event.inputs.binary_id }}'" - CMD="$CMD --environment-id '${{ github.event.inputs.environment_id }}'" - CMD="$CMD --api-base '${{ github.event.inputs.server_url }}'" + CMD="$CMD --binary-id '${GITHUB_EVENT_INPUTS_BINARY_ID}'" + CMD="$CMD --environment-id '${GITHUB_EVENT_INPUTS_ENVIRONMENT_ID}'" + CMD="$CMD --api-base '${GITHUB_EVENT_INPUTS_SERVER_URL}'" CMD="$CMD --output-dir ./benchmark_results" CMD="$CMD --force" CMD="$CMD -vv" # Add configure flags if provided - if [ -n "${{ github.event.inputs.configure_flags }}" ]; then - CMD="$CMD --configure-flags='${{ github.event.inputs.configure_flags }}'" + if [ -n "${GITHUB_EVENT_INPUTS_CONFIGURE_FLAGS}" ]; then + CMD="$CMD 
--configure-flags='${GITHUB_EVENT_INPUTS_CONFIGURE_FLAGS}'" fi # Add make flags if provided - if [ -n "${{ github.event.inputs.make_flags }}" ]; then - CMD="$CMD --make-flags='${{ github.event.inputs.make_flags }}'" + if [ -n "${GITHUB_EVENT_INPUTS_MAKE_FLAGS}" ]; then + CMD="$CMD --make-flags='${GITHUB_EVENT_INPUTS_MAKE_FLAGS}'" fi echo "Running: $CMD" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6a77b6d..d0a4b8d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -5,6 +5,9 @@ on: branches: [main] pull_request: +permissions: + contents: read + jobs: check-lockfile: name: Check backend lockfile is up to date @@ -14,6 +17,7 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 + persist-credentials: false - name: Ensure lockfiles are updated when .in files change run: | BASE=${{ github.event.pull_request.base.sha }} @@ -48,6 +52,7 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 + persist-credentials: false - name: Check for backend changes id: changes run: | @@ -88,6 +93,8 @@ jobs: working-directory: frontend steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 diff --git a/.github/workflows/daily-benchmark.yml b/.github/workflows/daily-benchmark.yml index 30a711a..096decb 100644 --- a/.github/workflows/daily-benchmark.yml +++ b/.github/workflows/daily-benchmark.yml @@ -27,6 +27,9 @@ on: required: false default: '19' +permissions: + contents: read + jobs: benchmark-builds: runs-on: ubuntu-latest 
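Review bot: Moving the inputs into `env:` removes the template injection from the script text, but the single quotes the hunk keeps around each value in the `CMD="..."` assignments are not protective: the variable is expanded when `CMD` is assigned, so a value containing `'` still ends the quoting if the step later runs `eval "$CMD"`, and if it runs a bare `$CMD` the quotes are passed to the program literally and word-splitting applies anyway (the line that executes the command is outside this hunk). Building the command as a bash array and executing `"${CMD[@]}"` passes each input as exactly one argument whatever it contains; the rewritten lines are below. The step's `env:` also defines both `INPUTS_BINARY_ID` and `GITHUB_EVENT_INPUTS_BINARY_ID` from the same dispatch input, so one of the two can be dropped.
```yaml
        run: |
          # … unchanged: JIT PATH setup …

          # Build the argument list as an array: each input is passed as
          # exactly one argument, so quotes or spaces in an input cannot
          # split or terminate the command.
          CMD=(memory-tracker benchmark "${GITHUB_EVENT_INPUTS_COMMIT_RANGE}")
          CMD+=(--repo-path ./cpython)
          CMD+=(--binary-id "${GITHUB_EVENT_INPUTS_BINARY_ID}")
          CMD+=(--environment-id "${GITHUB_EVENT_INPUTS_ENVIRONMENT_ID}")
          CMD+=(--api-base "${GITHUB_EVENT_INPUTS_SERVER_URL}")
          CMD+=(--output-dir ./benchmark_results --force -vv)

          # Add configure flags if provided
          if [ -n "${GITHUB_EVENT_INPUTS_CONFIGURE_FLAGS}" ]; then
            CMD+=("--configure-flags=${GITHUB_EVENT_INPUTS_CONFIGURE_FLAGS}")
          fi

          # Add make flags if provided
          if [ -n "${GITHUB_EVENT_INPUTS_MAKE_FLAGS}" ]; then
            CMD+=("--make-flags=${GITHUB_EVENT_INPUTS_MAKE_FLAGS}")
          fi

          echo "Running: ${CMD[*]}"
          # … unchanged: the line that executes the command (outside this hunk)
          # becomes "${CMD[@]}" …
```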
@@ -58,6 +61,8 @@ jobs: steps: - name: Checkout memory tracker uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 @@ -66,13 +71,13 @@ jobs: - name: Clone CPython repository and get commits run: | - git clone ${{ github.event.inputs.cpython_repo || 'https://github.com/python/cpython.git' }} cpython + git clone "${GITHUB_EVENT_INPUTS_CPYTHON_REPO}" cpython cd cpython git fetch --all # Determine target date - if [ -n "${{ github.event.inputs.target_date }}" ]; then - TARGET_DATE="${{ github.event.inputs.target_date }}" + if [ -n "${GITHUB_EVENT_INPUTS_TARGET_DATE}" ]; then + TARGET_DATE="${GITHUB_EVENT_INPUTS_TARGET_DATE}" else TARGET_DATE=$(date -u +%Y-%m-%d) fi @@ -92,6 +97,9 @@ jobs: echo "Commit to benchmark: $LAST_COMMIT" fi + env: + GITHUB_EVENT_INPUTS_TARGET_DATE: ${{ github.event.inputs.target_date }} + GITHUB_EVENT_INPUTS_CPYTHON_REPO: ${{ github.event.inputs.cpython_repo || 'https://github.com/python/cpython.git' }} - name: Print environment variables run: | @@ -110,6 +118,8 @@ jobs: pip install -e . - name: Install build dependencies + env: + LLVM_VERSION: ${{ github.event.inputs.llvm || '19' }} run: | # Install CPython dependencies using their script cd cpython @@ -117,7 +127,7 @@ jobs: # Install JIT dependencies if needed if [ "${{ matrix.build_config.install_deps }}" = "jit" ]; then - sudo bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)" ./llvm.sh ${{ github.event.inputs.llvm || '19' }} + sudo bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)" ./llvm.sh "${LLVM_VERSION}" fi # Install Memray dependencies 
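Review bot: The quoted `git clone "${GITHUB_EVENT_INPUTS_CPYTHON_REPO}" cpython` is better than benchmark.yml's unquoted form, but a value beginning with `-` would still be read as a git option; `git clone -- "${GITHUB_EVENT_INPUTS_CPYTHON_REPO}" cpython` closes that. `TARGET_DATE` is now taken from the environment and, presumably, fed to git date arguments later in the run block (outside this hunk), so a shape check after the `if`/`else` would keep a malformed dispatch input from silently yielding an empty commit range: `[[ "${TARGET_DATE}" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]] || { echo "target_date must be YYYY-MM-DD" >&2; exit 1; }`. The `env:` block for this step is added in the hunk at -92, and the run block continues past the lines shown here.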
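Review bot: `LLVM_VERSION: ${{ github.event.inputs.llvm || '19' }}` is declared per step here and again in the benchmark step at -130 (together with `ENVIRONMENT_ID` and `SERVER_URL`), and the `'19'` fallback duplicates the `default: '19'` the dispatch input already declares. Hoisting the three entries to a job-level `env:` under `benchmark-builds` keeps each default in one place, and a comment should say why the fallback exists at all, since the input default does not apply to non-dispatch runs: `# inputs are unset when the workflow is not started via workflow_dispatch; keep these in sync with the input defaults`. The step's `run:` block continues beyond the lines in this hunk.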
@@ -130,20 +140,22 @@ jobs: - name: Run memory benchmark for commit range - ${{ matrix.build_config.description }} env: MEMORY_TRACKER_TOKEN: ${{ secrets.MEMORY_TRACKER_TOKEN }} + LLVM_VERSION: ${{ github.event.inputs.llvm || '19' }} + ENVIRONMENT_ID: ${{ github.event.inputs.environment_id || 'gh_actions' }} + SERVER_URL: ${{ github.event.inputs.server_url || 'https://memory.python.org' }} run: | if [ "${{ matrix.build_config.install_deps }}" = "jit" ]; then - export PATH="$(llvm-config-${{ github.event.inputs.llvm || '19' }} --bindir):$PATH" - export LLVM_VERSION="${{ github.event.inputs.llvm || '19' }}" - echo "LLVM Path: $(llvm-config-${{ github.event.inputs.llvm || '19' }} --bindir)" - echo "Clang version: $(clang-${{ github.event.inputs.llvm || '19' }} --version || echo 'clang-${{ github.event.inputs.llvm || '19' }} not found')" + export PATH="$(llvm-config-${LLVM_VERSION} --bindir):$PATH" + echo "LLVM Path: $(llvm-config-${LLVM_VERSION} --bindir)" + echo "Clang version: $(clang-${LLVM_VERSION} --version || echo "clang-${LLVM_VERSION} not found")" fi # Build command for commit range memory-tracker benchmark "$COMMIT_RANGE" \ --repo-path ./cpython \ --binary-id "${{ matrix.build_config.binary_id }}" \ - --environment-id "${{ github.event.inputs.environment_id || 'gh_actions' }}" \ - --api-base "${{ github.event.inputs.server_url || 'https://memory.python.org' }}" \ + --environment-id "${ENVIRONMENT_ID}" \ + --api-base "${SERVER_URL}" \ --output-dir ./benchmark_results \ --configure-flags="${{ matrix.build_config.configure_flags }}" \ --force \ 
@@ -176,5 +188,7 @@ jobs: - name: Print summary run: | echo "Daily benchmark run completed" - echo "Benchmark jobs completed with status: ${{ needs.benchmark-builds.result }}" - echo "Binary types benchmarked: default, debug, jit, lto-pgo, nogil" \ No newline at end of file + echo "Benchmark jobs completed with status: ${NEEDS_BENCHMARK_BUILDS_RESULT}" + echo "Binary types benchmarked: default, debug, jit, lto-pgo, nogil" + env: + NEEDS_BENCHMARK_BUILDS_RESULT: ${{ needs.benchmark-builds.result }} diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..bba285c --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,5 @@ +rules: + secrets-outside-env: + ignore: + - benchmark.yml + - daily-benchmark.yml \ No newline at end of file
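Review bot: The new `secrets-outside-env` ignore for benchmark.yml and daily-benchmark.yml carries no reason, and in both workflows as changed by this commit `MEMORY_TRACKER_TOKEN` is already read under a step `env:`, which as far as I can tell is the placement that audit asks for, so the exception may be unnecessary after this commit (steps of those files not in the diff could still trigger it). Either drop the ignore and let zizmor confirm, or keep it with a comment such as `# <reason the finding is accepted — placeholder>` above the file names so the suppression is reviewed rather than inherited. The file also lacks a trailing newline and a `---` document start.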