chore: upload performance metrics #2010
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -45,6 +45,7 @@ jobs: | |
|
|
||
| - uses: actions/checkout@v5 | ||
| with: | ||
| ref: benchmark | ||
| submodules: recursive | ||
|
|
||
| - name: Setup Dafny | ||
|
|
||
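Review bot: the checkout step in this hunk sets `ref: benchmark`, so the job builds a fixed branch rather than the commit that triggered the run. If that was only needed while developing this PR, drop the `ref:` line before merge; if it is intentional, add a comment saying why, because a branch name is a mutable ref and the job's result will not reflect the change under test.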
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,128 @@ | ||
| # This workflow performs benchmark testing in Go. | ||
| name: Performance Benchmarks Go | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| dafny: | ||
| description: "The Dafny version to run" | ||
| required: true | ||
| type: string | ||
| regenerate-code: | ||
| description: "Regenerate code using smithy-dafny" | ||
| required: false | ||
| default: false | ||
| type: boolean | ||
| mpl-version: | ||
| description: "MPL version to use" | ||
| required: false | ||
| type: string | ||
| mpl-head: | ||
| description: "Running on MPL HEAD" | ||
| required: false | ||
| default: false | ||
| type: boolean | ||
| jobs: | ||
| testGo: | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| library: [DynamoDbEncryption] | ||
| os: [ubuntu-22.04, macos-15-intel] | ||
| go-version: ["1.23", "1.24", "1.25"] | ||
| runs-on: ${{ matrix.os }} | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| steps: | ||
| - name: Configure AWS Credentials | ||
| uses: aws-actions/configure-aws-credentials@v5 | ||
| with: | ||
| aws-region: us-west-2 | ||
| role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2 | ||
| role-session-name: DDBEC-Performance-Benchmarks-Go | ||
|
|
||
| - name: Support longpaths | ||
| run: | | ||
| git config --global core.longpaths true | ||
|
|
||
| - uses: actions/checkout@v5 | ||
| with: | ||
| submodules: recursive | ||
|
|
||
| - name: Create temporary global.json | ||
| run: echo '{"sdk":{"rollForward":"latestFeature","version":"6.0.0"}}' > ./global.json | ||
|
|
||
| - name: Setup Java 17 for codegen | ||
| uses: actions/setup-java@v5 | ||
| with: | ||
| distribution: "corretto" | ||
| java-version: "17" | ||
|
|
||
| - name: Update MPL submodule if using MPL HEAD | ||
| if: ${{ inputs.mpl-head == true }} | ||
| working-directory: submodules/MaterialProviders | ||
| run: | | ||
| git checkout main | ||
| git pull | ||
| git submodule update --init --recursive | ||
| git rev-parse HEAD | ||
|
|
||
| - name: Update project.properties if using MPL HEAD | ||
| if: ${{ inputs.mpl-head == true }} | ||
| run: | | ||
| sed "s/mplDependencyJavaVersion=.*/mplDependencyJavaVersion=${{inputs.mpl-version}}/g" project.properties > project.properties2; mv project.properties2 project.properties | ||
|
|
||
| - name: Install Go | ||
| uses: actions/setup-go@v6 | ||
| with: | ||
| go-version: ${{ matrix.go-version }} | ||
|
|
||
| - uses: actions/checkout@v5 | ||
| - name: Init Submodules | ||
| shell: bash | ||
| run: | | ||
| git submodule update --init --recursive submodules/smithy-dafny | ||
| git submodule update --init --recursive submodules/MaterialProviders | ||
|
|
||
| - name: Install Smithy-Dafny codegen dependencies | ||
| uses: ./.github/actions/install_smithy_dafny_codegen_dependencies | ||
|
|
||
| - name: Build ${{ matrix.library }} implementation | ||
| shell: bash | ||
| working-directory: ./${{ matrix.library }} | ||
| run: | | ||
| # This works because `node` is installed by default on GHA runners | ||
| CORES=$(node -e 'console.log(os.cpus().length)') | ||
| make transpile_go CORES=$CORES | ||
|
|
||
| - name: Run Performance Benchmarks - Quick Mode | ||
| shell: bash | ||
| working-directory: ./db-esdk-performance-testing/benchmarks/go | ||
| run: | | ||
| go run . --config ../../config/test-scenarios.yaml --quick | ||
|
|
||
| - name: Parse and Format Logs | ||
| working-directory: ./db-esdk-performance-testing/benchmarks/results/raw-data/ | ||
| run: | | ||
| LOG_FILE="go_results.json" | ||
| UPLOAD_FILE="cloudwatch_logs.json" | ||
| TIMESTAMP=$(date +%s%3N) | ||
| jq -c --arg ts "$(date +%s)000" '.results[] as $result | .metadata as $meta | {timestamp: ($ts | tonumber), message: ({metadata: $meta, result: $result} | tostring)}' $LOG_FILE > $UPLOAD_FILE | ||
|
|
||
| - name: Upload logs to CloudWatch | ||
| working-directory: ./db-esdk-performance-testing/benchmarks/results/raw-data/ | ||
| run: | | ||
| LOG_FILE="cloudwatch_logs.json" | ||
| LOG_GROUP="aws-dbesdk-performance-benchmarks" | ||
| LOG_STREAM="go/quick_benchmarks/${{ github.workflow }}/${{ github.run_id }}" | ||
|
|
||
| # Create log stream (ignore if exists) | ||
| aws logs create-log-stream \ | ||
| --log-group-name "$LOG_GROUP" \ | ||
| --log-stream-name "$LOG_STREAM" 2>/dev/null || true | ||
|
|
||
| aws logs put-log-events \ | ||
| --log-group-name "$LOG_GROUP" \ | ||
| --log-stream-name "$LOG_STREAM" \ | ||
| --log-events file://$LOG_FILE |
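Review bot: in the "Update project.properties if using MPL HEAD" step, `${{inputs.mpl-version}}` is expanded into the `run:` script text before the shell sees it, so the input is parsed as shell and as a sed replacement rather than as data. Pass it through the step's `env:` (for example `MPL_VERSION: ${{ inputs.mpl-version }}`) and reference `"$MPL_VERSION"` inside the sed expression. Smaller points in the same file: all six matrix jobs write to the same `LOG_STREAM` value, so add `matrix.os` and `matrix.go-version` to the stream name to keep results separable; `TIMESTAMP=$(date +%s%3N)` is assigned but never used, since the jq call takes `$(date +%s)000`; the bare `actions/checkout@v5` before "Init Submodules" repeats the earlier checkout; and the `dafny` and `regenerate-code` inputs are declared but not referenced by any step shown.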
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,32 @@ | ||||||||||||||||||||||||||||||||
| # This workflow runs every day 09:00 UTC (1AM PST) | ||||||||||||||||||||||||||||||||
| name: Performance Benchmarks | ||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||
| on: | ||||||||||||||||||||||||||||||||
| pull_request: | ||||||||||||||||||||||||||||||||
| paths: | ||||||||||||||||||||||||||||||||
| - ".github/workflows/performance-benchmarks.yml" | ||||||||||||||||||||||||||||||||
| schedule: | ||||||||||||||||||||||||||||||||
| - cron: "00 09 * * *" | ||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||
| jobs: | ||||||||||||||||||||||||||||||||
| getVersion: | ||||||||||||||||||||||||||||||||
| # Don't run the cron builds on forks | ||||||||||||||||||||||||||||||||
| if: github.event_name != 'schedule' || github.repository_owner == 'aws' | ||||||||||||||||||||||||||||||||
| uses: ./.github/workflows/dafny_version.yml | ||||||||||||||||||||||||||||||||
| performance-benchmarks-go: | ||||||||||||||||||||||||||||||||
| needs: getVersion | ||||||||||||||||||||||||||||||||
| uses: ./.github/workflows/performance-benchmarks-go.yml | ||||||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||||||
| dafny: ${{needs.getVersion.outputs.version}} | ||||||||||||||||||||||||||||||||
| notify: | ||||||||||||||||||||||||||||||||
|
Comment on lines +17 to +21

Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix
AI about 2 months ago

In general, the fix is to add an explicit The single best fix with minimal functional impact is to add a top‑level

permissions:
  contents: read

This constrains the GITHUB_TOKEN for all three jobs:
|
||||||||||||||||||||||||||||||||
| needs: | ||||||||||||||||||||||||||||||||
| [ | ||||||||||||||||||||||||||||||||
| getVersion, | ||||||||||||||||||||||||||||||||
| performance-benchmarks-go | ||||||||||||||||||||||||||||||||
| ] | ||||||||||||||||||||||||||||||||
| if: ${{ failure() }} | ||||||||||||||||||||||||||||||||
| uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main | ||||||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||||||
| message: "Performance Benchmarks failed on `${{ github.repository }}`. View run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | ||||||||||||||||||||||||||||||||
| secrets: | ||||||||||||||||||||||||||||||||
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_CI }} | ||||||||||||||||||||||||||||||||
|
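Review bot: the `performance-benchmarks-go` job calls a reusable workflow whose `testGo` job requests `id-token: write`, and a called workflow can only keep or reduce the permissions its caller grants, so `contents: read` alone is not the right permissions block for this file. Set `contents: read` at the top level and give the `performance-benchmarks-go` job its own `permissions:` with `id-token: write` and `contents: read`; otherwise the run fails when the called job asks for a scope the caller did not grant. Two smaller points: the header comment says the workflow runs daily at 09:00 UTC, but `on:` also includes `pull_request`, and the `notify` job passes `SLACK_WEBHOOK_URL` to a workflow referenced at `@main`; pinning that `uses:` to a commit SHA keeps the secret from flowing to whatever `main` later contains.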
Comment on lines +22 to +32

Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix
AI about 2 months ago

In general, the fix is to explicitly define a The best fix, without changing existing functionality, is to add a top‑level Concretely:

permissions:
  contents: read

This introduces explicit least‑privilege permissions for the
|
||||||||||||||||||||||||||||||||
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 2 months ago
In general, the problem is fixed by explicitly declaring a minimal `permissions:` block in the workflow, either at the root (applies to all jobs lacking their own block) or per job. This prevents the jobs from inheriting potentially over-privileged default permissions for the GITHUB_TOKEN.

For this workflow, the simplest, least-invasive fix is to add a root-level `permissions:` block that applies to all jobs. Since the top-level workflow only orchestrates reusable workflows and sends a Slack notification (which uses a secret, not the GITHUB_TOKEN), it can safely set `contents: read` as a minimal baseline. If any called reusable workflows need additional permissions, they should define their own `permissions:` blocks within those reusable workflow files; we must not assume or edit those here.

Concretely, in `.github/workflows/performance-benchmarks.yml`, add a `permissions:` section after the `name:` line (line 2) and before the `on:` block (line 4). The block should set `contents: read`, which is a reasonable minimal starting point for a workflow that only needs to read repository metadata. No imports or additional methods are needed, since this is a YAML configuration change only.
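
The per-job layout that the called workflow's `id-token: write` request implies, as an added example that is not part of the PR or of the Autofix suggestion. It assumes `dafny_version.yml` and the Slack notification workflow need nothing beyond `contents: read`.

```yaml
# Added example: caller workflow with explicit GITHUB_TOKEN scopes.
name: Performance Benchmarks

# Baseline for every job that does not declare its own block.
permissions:
  contents: read

on:
  pull_request:
    paths:
      - ".github/workflows/performance-benchmarks.yml"
  schedule:
    - cron: "00 09 * * *"

jobs:
  getVersion:
    # Don't run the cron builds on forks
    if: github.event_name != 'schedule' || github.repository_owner == 'aws'
    # Assumption: this reusable workflow only reads the repository.
    uses: ./.github/workflows/dafny_version.yml

  performance-benchmarks-go:
    needs: getVersion
    # A called workflow can keep or reduce the caller's scopes, never raise
    # them, so the OIDC scope requested by its testGo job is granted here.
    permissions:
      id-token: write
      contents: read
    uses: ./.github/workflows/performance-benchmarks-go.yml
    with:
      dafny: ${{needs.getVersion.outputs.version}}

  notify:
    needs: [getVersion, performance-benchmarks-go]
    if: ${{ failure() }}
    # Inherits contents: read. Assumption: the Slack workflow authenticates
    # with the webhook secret only and needs no further token scopes.
    uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
    with:
      message: "Performance Benchmarks failed on `${{ github.repository }}`. View run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
    secrets:
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_CI }}
```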