# ADR-0024: Benchmark data publishing model

Architecture decision record 0024.
- Status: Accepted
- Date: 2026-07-04
- Authors: IBEX Harness team
## Context

The benchmark workflow collects proxy load and Go microbenchmark results, validates them, and produces `benchmark-data.json` for the docs dashboard. An earlier design pushed benchmark JSON commits onto contributor PR branches using `GITHUB_TOKEN`. That caused:

- CI cascade noise — every bot push emitted a `pull_request` `synchronize` event and re-ran CI, CodeQL, Semgrep, and semantic PR checks.
- Integrity bypass risk — trusting the git author email to skip the comparison allowed spoofing via local commit metadata.
- Token exposure — `persist-credentials: true` on PR head checkouts left credentials available to later script steps.
- Rerun loops — cumulative PR path filters and merge-ref diffs re-triggered full benchmark collection after data-only commits.

The docs site embeds benchmark JSON at build time (`docs/app/src/lib/benchmarks/published-data.ts`). Preview on PRs must show fresh benchmark results without mutating the PR branch.
## Decision

### 1) No in-PR branch writes from ibex-harness workflows

- Remove `publish-benchmark-data` (PR branch commits) from `.github/workflows/benchmark.yml`.
- PR benchmark results live in the `benchmark-data` workflow artifact and PR comments only.
- `docs-build` in `.github/workflows/ci.yml` overlays the latest successful artifact for the PR head SHA before building docs.
### 2) Integrity checks without spoofable trust

- `verify_pr_benchmark_integrity.sh` fetches the base ref with an explicit one-shot token header; checkout uses `persist-credentials: false`.
- If `benchmark-data.json` is unchanged from base, verification passes (the artifact is the PR preview source).
- If the branch claims the current PR in committed JSON (`pr_number` match), committed data must equal the workflow artifact (`compare_pr_benchmark_json.py`).
- Do not trust the git author email for bypass decisions.
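The decision rules above, as an added example written for this ADR; it is not the project's `verify_pr_benchmark_integrity.sh` or `compare_pr_benchmark_json.py`. The JSON layout (a top-level `results` list whose rows carry `pr_number`), the `Verdict` type, the sample documents and the fail-closed handling of a changed file that does not claim the current PR are all assumptions; the ADR only specifies the unchanged-from-base and pr_number-match rules. Note that `author_email` is accepted purely to show it is discarded: git author metadata is set locally by whoever pushes and must never be a bypass input.

```python
"""PR benchmark integrity decision (added example, not project code)."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str


def _canonical(doc: dict) -> str:
    """Serialise deterministically so equality does not depend on key order."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))


def verify_pr_benchmark_integrity(base_json: str, head_json: str,
                                  artifact_json: str, pr_number: int,
                                  author_email: str = "") -> Verdict:
    """Decide whether committed benchmark-data.json on a PR head is trustworthy.

    1. Unchanged from base -> pass; the workflow artifact is the preview source.
    2. Committed JSON claims this PR (pr_number match) -> it must equal the
       workflow artifact after canonicalisation.
    3. Changed but not claiming this PR -> assumed fail-closed (the ADR does
       not specify this branch).
    """
    del author_email  # deliberately unused: never a bypass input

    base = json.loads(base_json)
    head = json.loads(head_json)
    if _canonical(base) == _canonical(head):
        return Verdict(True, "benchmark-data.json unchanged from base")

    # Assumed layout: rows under "results", each with a pr_number field.
    claimed = {row.get("pr_number") for row in head.get("results", [])}
    if pr_number in claimed:
        artifact = json.loads(artifact_json)
        if _canonical(head) == _canonical(artifact):
            return Verdict(True, "committed JSON matches workflow artifact")
        return Verdict(False, "committed JSON claims this PR but differs from artifact")

    return Verdict(False, "benchmark-data.json changed without claiming this PR")


# Constructed sample documents (not real IBEX data). PR 101 is hypothetical.
BASE = json.dumps({"results": [
    {"pr_number": 97, "run_number": 41, "ns_per_op": 812},
]})
ARTIFACT = json.dumps({"results": [
    {"ns_per_op": 790, "run_number": 42, "pr_number": 101},  # key order differs on purpose
    {"pr_number": 97, "run_number": 41, "ns_per_op": 812},
][::-1]})
TAMPERED = json.dumps({"results": [
    {"pr_number": 97, "run_number": 41, "ns_per_op": 812},
    {"pr_number": 101, "run_number": 42, "ns_per_op": 100},  # hand-edited number
]})

if __name__ == "__main__":
    for label, head in (("unchanged", BASE), ("matches", ARTIFACT), ("tampered", TAMPERED)):
        print(label, verify_pr_benchmark_integrity(BASE, head, ARTIFACT, 101))
```

Key-order independence matters here because a contributor who regenerates the file locally may serialise the same data differently; the comparison must reject different numbers, not different whitespace.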
### 3) Latest-commit benchmark gate

`detect-benchmark-trigger` in `.github/workflows/benchmark.yml` checks out `pull_request.head.sha` with `fetch-depth: 2` and diffs `HEAD~1..HEAD`, so data-only commits do not re-run collection.
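Why the gate diffs only the newest commit, as an added example written for this ADR rather than the project's `detect-benchmark-trigger` job. The commit objects, the collection path filter, the published-data location and the function names are assumptions; the point is that a cumulative base..head filter fires for the whole PR history, while the `HEAD~1..HEAD` filter (what `git diff --name-only HEAD~1..HEAD` would yield after a `fetch-depth: 2` checkout) sees only the last commit.

```python
"""Latest-commit gate versus cumulative PR path filter (added example)."""
from fnmatch import fnmatch

# Assumed filter: paths whose change should re-run benchmark collection.
COLLECT_PATTERNS = ("cmd/*", "internal/*", "benchmarks/*", "go.mod")


def touches_collection_paths(paths) -> bool:
    """True when any changed path matches the collection filter."""
    return any(fnmatch(p, pat) for p in paths for pat in COLLECT_PATTERNS)


def cumulative_gate(commits) -> bool:
    """Old behaviour: diff base..head, i.e. every path the PR ever touched."""
    changed = set().union(*(c["files"] for c in commits))
    return touches_collection_paths(changed)


def latest_commit_gate(commits) -> bool:
    """ADR behaviour: fetch-depth 2 and diff HEAD~1..HEAD, the newest commit only."""
    return touches_collection_paths(commits[-1]["files"])


# Constructed PR history (hypothetical SHAs and paths): a code change, then a
# data-only commit such as the old in-PR publisher would have stacked on top.
PR_COMMITS = [
    {"sha": "a1c3", "files": {"internal/proxy/pool.go", "go.mod"}},
    {"sha": "b2d4", "files": {"docs/benchmark-data.json"}},
]

if __name__ == "__main__":
    print("cumulative filter re-runs collection:", cumulative_gate(PR_COMMITS))
    print("latest-commit filter re-runs collection:", latest_commit_gate(PR_COMMITS))
```

With the cumulative filter the data-only commit re-triggers collection, which produces another data commit, which triggers again: the rerun loop from the Context section. The latest-commit gate breaks the cycle while still firing for a genuine code change.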
### 4) Post-merge publishing via external GitHub App (follow-up)

- Long-term publishing to `main` moves to a separate repository (`ibex-benchmark-bot`) running a dedicated GitHub App.
- Interim: `open-benchmark-data-pr` in `.github/workflows/benchmark.yml`, run on schedule or `workflow_dispatch` against `main`, remains until the app replaces it.
### 5) run_number semantics

`run_number` stores `GITHUB_RUN_NUMBER`, not the workflow run ID. `validate_published_data.py` rejects rows where `run_number` equals the numeric ID embedded in `run_url`.
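The `run_number` versus run-ID check, as an added example written for this ADR; it is not the project's `validate_published_data.py`. The row shape beyond `run_number` and `run_url`, the sample rows and the function names are assumptions. The URL pattern is the standard GitHub Actions run URL (`.../actions/runs/<RUN_ID>`, optionally followed by `/attempts/<n>`), whose trailing number is `GITHUB_RUN_ID`, a global identifier distinct from the per-workflow counter `GITHUB_RUN_NUMBER`.

```python
"""run_number / run_url consistency check (added example, not project code)."""
import re

RUN_URL_RE = re.compile(
    r"^https://github\.com/[^/]+/[^/]+/actions/runs/(\d+)(?:/attempts/\d+)?$"
)


def run_id_from_url(run_url: str) -> int:
    """Extract the numeric run ID from a GitHub Actions run URL."""
    m = RUN_URL_RE.match(run_url)
    if not m:
        raise ValueError(f"unrecognised run_url: {run_url!r}")
    return int(m.group(1))


def validate_row(row: dict) -> list[str]:
    """Return the problems found in one published row; empty means acceptable."""
    problems: list[str] = []
    run_number = row.get("run_number")
    # bool is a subclass of int, so exclude it explicitly.
    if not isinstance(run_number, int) or isinstance(run_number, bool) or run_number <= 0:
        problems.append("run_number must be a positive integer")
        return problems
    try:
        run_id = run_id_from_url(str(row.get("run_url", "")))
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    if run_number == run_id:
        problems.append(
            f"run_number {run_number} equals the run ID in run_url; "
            "store GITHUB_RUN_NUMBER, not GITHUB_RUN_ID"
        )
    return problems


def validate_rows(rows) -> dict[int, list[str]]:
    """Map row index -> problems for every rejected row."""
    return {i: p for i, row in enumerate(rows) if (p := validate_row(row))}


# Constructed sample rows (hypothetical repository and run IDs).
SAMPLE_ROWS = [
    {"run_number": 42,
     "run_url": "https://github.com/example/ibex-harness/actions/runs/9876543210"},
    {"run_number": 9876543210,  # run ID mistakenly stored as run_number
     "run_url": "https://github.com/example/ibex-harness/actions/runs/9876543210"},
    {"run_number": 43, "run_url": "not-a-url"},
]

if __name__ == "__main__":
    for idx, problems in validate_rows(SAMPLE_ROWS).items():
        print(f"row {idx} rejected: {problems}")
```

The equality test is a heuristic: a small sequence counter and a ten-digit run ID collide only if a workflow writes the wrong variable, which is exactly the defect it is meant to catch.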
## Consequences
- PR branches stay free of automated benchmark commits; CI runs once per human code push.
- Docs preview on PRs depends on a successful Benchmarks workflow artifact (falls back to committed JSON if none yet).
- Fork PRs continue to use artifact download only; no branch writes.
- A follow-up milestone implements the external app for verified post-merge PRs to `main`.
## Alternatives considered

| Alternative | Why rejected |
|---|---|
| In-PR publish with author-email bypass | Spoofable; caused rerun loops |
| `[skip ci]` in bot commit messages | Does not stop all workflows; weak merge-gate story |
| `ALLOW_PUBLISH_RECONCILE` on mismatch | Masks stale bot JSON; removed with in-PR publish |
| Keep publishing with `github.actor` skip only | Still mutates PR branch; `github.actor` is forgeable (Sonar S8232) |
## References

- PR #177 benchmark pre-PR pipeline work
- `ibex-benchmark-bot` — external app specification and implementation (follow-up)