ci: fix flamegraph preview publishing #5773

Open
uiolee wants to merge 3 commits into master from fix/flamegraph_publish

@uiolee uiolee commented May 7, 2026

Member

What does it do?

Since the GitHub Actions security policy was strengthened, secrets cannot be accessed in 'on.pull_request' workflows.

  • refactor the workflow publishing flamegraphs to surge
    • publish the PR's flamegraph to surge via the 'on.workflow_run' trigger.
    • redesign the projects' file structure and domain to reduce the usage of surge projects.
      Previously one sha occupied 3 projects. Now one sha occupies 1 project (on the main branch) or one PR occupies 1 project (in a PR).
    • use an environment to strengthen the secrets' security.

Screenshots

Pull request tasks

github-actions Bot commented May 7, 2026

How to test

git clone -b fix/flamegraph_publish https://github.com/hexojs/hexo.git
cd hexo
npm install
npm test
@uiolee uiolee changed the title ci: refact flamegraph preview publishing May 7, 2026
@yoshinorin yoshinorin requested a review from Copilot May 28, 2026 12:06

Copilot AI left a comment

Contributor

Pull request overview

Reworks the flamegraph preview publishing CI because, due to GitHub's tightened security policy, secrets are no longer available to workflows triggered by pull_request. Publishing for PR builds is moved into a new workflow_run-triggered workflow that can safely access the surge.sh credentials, the directory layout is consolidated so a single sha (or PR) maps to a single surge project, and a protected environment is used to gate the secrets.

Changes:

  • Restructured artifact/file naming (drop leading dot so actions/upload-artifact includes them) and reorganized flamegraphs under a per-node-version subfolder of a single ./flamegraph/ project.
  • Added new profiling-preview job (in benchmark.yml) for push/main builds and a new benchmark-post.yml workflow that runs on workflow_run to publish PR previews and post the sticky PR comment.
  • Removed the obsolete comment-flamegraph job from commenter.yml.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| .github/workflows/benchmark.yml | Moves flamegraphs into ./flamegraph/<node>/, uploads them as artifacts, and adds a new profiling-preview job that publishes to surge for non-PR events; renames temp files without the leading dot. |
| .github/workflows/benchmark-post.yml | New workflow that, after a successful Benchmark run on a PR, downloads the artifacts, publishes to a per-PR surge subdomain, and posts/updates the sticky PR comment under a protected environment. |
| .github/workflows/commenter.yml | Removes the now-redundant workflow_run trigger and comment-flamegraph job, which have been replaced by benchmark-post.yml. |
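
The workflow_run design in the overview above gives the publishing job the surge credentials while its inputs still come from the pull request run, so a value such as the PR number needs checking before it reaches `$GITHUB_OUTPUT` or the surge domain. The following is an added example, not code from this PR: it assumes the number arrives as a file in a downloaded artifact (the page does not show where it is set), and `pr_number.txt` and the function names are hypothetical.

```bash
# Added example (not code from this PR). The file name pr_number.txt and the
# function names are hypothetical; the host scheme <n>-pr-hexo.surge.sh is the PR's.

# Succeed only for a plain positive decimal number of at most 9 digits.
is_valid_pr_number() {
  case "$1" in
    '' | 0* | *[!0-9]*) return 1 ;;  # empty, leading zero, any non-digit (newline included)
  esac
  [ "${#1}" -le 9 ]
}

# Print the validated PR number stored in file $1; fail without output otherwise.
read_pr_number() (
  file=$1
  # The file arrives in an artifact built from PR code: refuse symlinks and
  # anything larger than a short number before reading it.
  [ -f "$file" ] && [ ! -L "$file" ] || exit 1
  [ "$(wc -c < "$file")" -le 16 ] || exit 1
  raw=$(cat -- "$file")              # $(...) drops trailing newlines only
  is_valid_pr_number "$raw" || exit 1
  printf '%s\n' "$raw"
)

# Append pr_number and url to $GITHUB_OUTPUT, or write nothing and fail.
emit_preview_outputs() (
  n=$(read_pr_number "$1") || { echo "rejected PR number from artifact" >&2; exit 1; }
  {
    printf 'pr_number=%s\n' "$n"
    printf 'url=https://%s-pr-hexo.surge.sh/\n' "$n"
  } >> "${GITHUB_OUTPUT:?GITHUB_OUTPUT is not set}"
)

# In the workflow step: emit_preview_outputs pr_number.txt
```

A rejected value leaves `$GITHUB_OUTPUT` untouched, so later steps that read `url` fail instead of publishing to an unexpected host.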

Comment on lines +91 to +102
url: https://${{ github.sha }}-hexo.surge.sh/
comment_result: "tmp-comment-flamegraph.md"
steps:
- uses: actions/download-artifact@v8
with:
pattern: "comment-*"
merge-multiple: true

- name: Publish flamegraph to ${{ env.url }}
uses: dswistowski/surge-sh-action@v1
with:
domain: ${{ env.url }}
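Review bot: `uses: dswistowski/surge-sh-action@v1` pins a third-party action to a mutable tag in the step that publishes to surge; pin it to a full commit SHA so a retagged release cannot change what runs with the deployment credentials. Separately, `domain: ${{ env.url }}` passes a value that includes the `https://` scheme and a trailing slash; if the action expects a bare host name, keep a host-only variable for `domain` and use the URL form only for display.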
Comment on lines +39 to +46

echo "pr_number=$pr_number" | tee -a "$GITHUB_OUTPUT"
echo "url=https://$pr_number-pr-hexo.surge.sh/" | tee -a "$GITHUB_OUTPUT"

- name: Publish flamegraph to ${{ steps.get_info.outputs.url }}
uses: dswistowski/surge-sh-action@v1
with:
domain: ${{ steps.get_info.outputs.url }}
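Review bot: `$pr_number` goes into `$GITHUB_OUTPUT` and into the surge domain with no check visible in these lines; its assignment is above this excerpt, so if the value originates from the triggering pull request run (an artifact file, for example), verify it is digits only before the two `echo ... | tee -a "$GITHUB_OUTPUT"` lines. A value carrying a newline would add extra output keys, and any other characters end up in `domain:`.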
profiling-preview:
needs: profiling
if: ${{ github.event_name != 'pull_request' }}
runs-on: ubuntu-slim
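Review bot: `if: ${{ github.event_name != 'pull_request' }}` on `profiling-preview` admits every other trigger the workflow has or later gains, not only pushes. Since this job publishes, an allow-list condition such as `github.event_name == 'push'` states the intent and fails closed.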
if:
${{ github.event_name == 'workflow_run' && github.event.workflow_run.event
== 'pull_request' && github.event.workflow_run.conclusion == 'success' }}
runs-on: ubuntu-slim
steps:
- uses: actions/download-artifact@v8
with:
pattern: "comment-*"
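Review bot: in the `actions/download-artifact@v8` step, `pattern: "comment-*"` is the only input visible and the rest of the `with:` block is not shown; by default the action fetches artifacts of the current run, while in a `workflow_run` job the `comment-*` artifacts belong to the triggering run, so check that the step passes that run's id (`github.event.workflow_run.id`) and a token allowed to read it. The downloaded files were produced by a pull request build, so treat their contents as untrusted when they are published and posted as a comment.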