Files
tracer-cloud--opensre/.github/workflows/benchmark-image.yml
T
wehub-resource-sync 4b6817381b
Benchmark image — build + push to ECR (any adapter) / build + push (push) Waiting to run
CI / quality (ubuntu-latest) (push) Waiting to run
CI / test (tools-runtime) (push) Waiting to run
CI / test (e2e-general) (push) Waiting to run
CI / test (cli-runtime) (push) Waiting to run
CI / test (e2e-provider-and-openclaw) (push) Waiting to run
CI / test (integrations-and-misc) (push) Waiting to run
CI / coverage-report (push) Blocked by required conditions
CI / test-kubernetes (push) Waiting to run
CI / should-run-thorough (push) Waiting to run
CI / test-thorough (cloudwatch-demo) (push) Blocked by required conditions
CI / test-thorough (flink-ecs) (push) Blocked by required conditions
CI / test-thorough (upstream-lambda) (push) Blocked by required conditions
CI / test-thorough (prefect-ecs-fargate) (push) Blocked by required conditions
CodeQL / Analyze (python) (push) Waiting to run
Release / build-binaries (zip, opensre.exe, onefile, windows-latest, windows-x64) (push) Blocked by required conditions
Release / publish-release (push) Blocked by required conditions
Release / publish-main-release (push) Blocked by required conditions
Release / prepare (push) Waiting to run
Release / verify (push) Blocked by required conditions
Release / build-python-dist (push) Blocked by required conditions
Release / build-binaries (tar.gz, opensre, onedir, macos-15-intel, darwin-x64) (push) Blocked by required conditions
Release / build-binaries (tar.gz, opensre, onedir, macos-latest, darwin-arm64) (push) Blocked by required conditions
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04, linux-x64) (push) Blocked by required conditions
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04-arm, linux-arm64) (push) Blocked by required conditions
Synthetic Deterministic Tests / Synthetic offline (deterministic) (push) Waiting to run
Interactive Shell Live (PR + post-merge) / turn-checks (no-LLM) (push) Waiting to run
Interactive Shell Live (PR + post-merge) / turn-live shard ${{ matrix.shard_index }} (push) Waiting to run
CI (OpenClaw E2E) / openclaw test (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:10:45 +08:00

177 lines
7.2 KiB
YAML

name: Benchmark image — build + push to ECR (any adapter)
# Adapter-agnostic image build. The bench image carries the full
# ``tests/benchmarks/`` tree, so every registered adapter ships in the
# same image. ``benchmark-run.yml`` selects which adapter actually runs
# via its ``config`` input. See ``tests/benchmarks/_framework/registry.py``
# for the registration contract.
# Builds tests/benchmarks/cloudopsbench/infra/Dockerfile.bench and pushes the resulting image to the
# opensre-bench ECR repository. The bench container is what
# `Benchmark run (manual)` invokes on AWS Fargate, so this workflow's
# output is the input to that one.
#
# Triggered automatically on changes to the bench code (or the Dockerfile
# itself) and manually via workflow_dispatch.
#
# After the image is pushed, update the task definition by re-applying the
# Terraform with the new tag:
#
# cd tests/benchmarks/cloudopsbench/infra
# terraform apply -var="image_tag=<TAG>"
#
# (Or wire a follow-up step into this workflow to update task definition
# automatically — out of scope for v1.)
#
# Tag format: short git SHA (`git rev-parse --short HEAD`). Stable, unique
# per commit, recognizable in `aws ecr describe-images` output. ECR is
# IMMUTABLE — a tag pushed once cannot be overwritten, so re-running the
# workflow on the same commit just re-tags (no-op layer push).
on:
workflow_dispatch:
inputs:
tag:
description: Image tag to push (default = short git SHA)
required: false
type: string
push:
branches:
- main
paths:
- "tests/benchmarks/cloudopsbench/infra/Dockerfile.bench"
- "tests/benchmarks/cloudopsbench/infra/Dockerfile.bench.dockerignore"
- "pyproject.toml"
- "uv.lock"
- "surfaces/**"
- "config/**"
- "core/**"
- "platform/deployment/**"
- "integrations/**"
- "platform/**"
- "tools/**"
- "tests/benchmarks/**"
- ".github/workflows/benchmark-image.yml"
permissions:
contents: read
id-token: write # required for AWS OIDC role assumption
concurrency:
# Allow one in-flight build per ref so two pushes in quick succession
# don't race ECR. The newer push cancels the older.
group: bench-image-${{ github.ref }}
cancel-in-progress: true
env:
AWS_REGION: us-east-1
# Account ID is repo-level configuration, not a secret. Set as a GitHub
# repository Variable (Settings > Secrets and variables > Actions >
# Variables) so it doesn't need to be edited in every workflow file
# when the bench moves accounts.
ACCOUNT_ID: ${{ vars.AWS_ACCOUNT_ID }}
ECR_REPOSITORY: opensre-bench
jobs:
build-and-push:
if: github.repository == 'Tracer-Cloud/opensre'
name: build + push
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v5
with:
# Fetch enough history that `git rev-parse --short HEAD` is stable
fetch-depth: 1
- name: Resolve image tag
id: tag
env:
# Route `inputs.tag` through env so the shell treats it as DATA,
# not code. Without this, a workflow_dispatch caller could inject
# shell commands via a crafted `tag` value containing $() or
# backticks. See:
# https://securitylab.github.com/research/github-actions-untrusted-input/
INPUT_TAG: ${{ inputs.tag }}
run: |
if [ -n "$INPUT_TAG" ]; then
TAG="$INPUT_TAG"
else
TAG="$(git rev-parse --short HEAD)"
fi
echo "tag=$TAG" >> "$GITHUB_OUTPUT"
echo "Will push: $ECR_REPOSITORY:$TAG"
- name: Configure AWS credentials (OIDC role assumption)
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/opensre-bench-github-actions
role-session-name: github-actions-bench-image-${{ github.run_id }}
aws-region: us-east-1
- name: Login to Amazon ECR
id: ecr-login
uses: aws-actions/amazon-ecr-login@v2
- name: Set up Docker Buildx
# Buildx adds multi-platform support + better cache control. Even
# for single-platform builds, it's the modern default.
uses: docker/setup-buildx-action@v3
- name: Build and push
id: build
uses: docker/build-push-action@v6
with:
context: .
file: tests/benchmarks/cloudopsbench/infra/Dockerfile.bench
platforms: linux/amd64
push: true
tags: |
${{ steps.ecr-login.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ steps.tag.outputs.tag }}
# Stamp the COMMIT SHA into the image so the runtime can read it
# via the OPENSRE_SHA env var. We use github.sha (the full 40-char
# commit being built), NOT steps.tag.outputs.tag (which resolves
# to the user-supplied inputs.tag like ``hotfix-june`` on
# workflow_dispatch and would stamp an unverifiable string as if
# it were a SHA). The image tag (for ECR naming) and OPENSRE_SHA
# (for provenance) are intentionally decoupled — the tag is for
# humans/operators; the SHA is for reproducibility. The runtime
# gate also validates SHA shape (7-40 lowercase hex chars), so
# even a manually-built image with a bad OPENSRE_SHA fails loudly.
build-args: |
OPENSRE_SHA=${{ github.sha }}
# GitHub Actions cache for Docker layers - speeds up rebuilds
# when only the source changes (deps stay in the cached layer).
cache-from: type=gha
cache-to: type=gha,mode=max
provenance: false # smaller manifest; matches ECR's tolerance for OCI
- name: Summarise
# Route step outputs through env so the shell sees them as DATA,
# not code. `steps.tag.outputs.tag` is derived verbatim from the
# `inputs.tag` user input — without env scoping, a workflow_dispatch
# caller could inject shell commands here even though the
# "Resolve image tag" step is hardened. Same risk applies to any
# tag-derived chain.
env:
REGISTRY: ${{ steps.ecr-login.outputs.registry }}
TAG: ${{ steps.tag.outputs.tag }}
DIGEST: ${{ steps.build.outputs.digest }}
run: |
echo "## Image pushed" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "| field | value |" >> "$GITHUB_STEP_SUMMARY"
echo "| --- | --- |" >> "$GITHUB_STEP_SUMMARY"
echo "| Registry | \`$REGISTRY\` |" >> "$GITHUB_STEP_SUMMARY"
echo "| Repository | \`$ECR_REPOSITORY\` |" >> "$GITHUB_STEP_SUMMARY"
echo "| Tag | \`$TAG\` |" >> "$GITHUB_STEP_SUMMARY"
echo "| Digest | \`$DIGEST\` |" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "To deploy this image:" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "\`\`\`bash" >> "$GITHUB_STEP_SUMMARY"
echo "cd tests/benchmarks/cloudopsbench/infra" >> "$GITHUB_STEP_SUMMARY"
echo "terraform apply -var=\"image_tag=$TAG\"" >> "$GITHUB_STEP_SUMMARY"
echo "\`\`\`" >> "$GITHUB_STEP_SUMMARY"