chore: More secure hotpath CI setup #170

Merged: load1n9 merged 1 commit into tryandromeda:main from pawurb:hotpath_security on Oct 20, 2025

@pawurb (Contributor) commented Oct 19, 2025

Hi, I've read up that checking out the PR codebase in a `pull_request_target` context can be insecure. Instead, it's better to split it into two separate `pull_request` and `workflow_run` workflows. The effect is the same.
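
The split described in the comment above, sketched as an added example; this is not the workflow code from this PR, and the file names, workflow names, artifact name and `./run-benchmark.sh` are assumptions. The first workflow runs the untrusted PR code with a read-only token, and the second holds the write permission but only reads the uploaded artifact, which it treats as untrusted data.

```yaml
# Hypothetical file: .github/workflows/profile-pr.yml
# Untrusted half: builds and runs PR code, read-only token, no secrets.
name: profile-pr
on: pull_request
permissions:
  contents: read
jobs:
  profile:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run profiler (placeholder command) and record the PR number
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          mkdir -p out
          ./run-benchmark.sh > out/metrics.json
          echo "$PR_NUMBER" > out/pr_number
      - uses: actions/upload-artifact@v4
        with:
          name: profile-results
          path: out/
---
# Hypothetical file: .github/workflows/comment-pr.yml
# Trusted half: defined on the default branch, never checks out PR code.
name: comment-pr
on:
  workflow_run:
    workflows: ["profile-pr"]
    types: [completed]
permissions:
  actions: read          # needed to download the other run's artifact
  pull-requests: write   # needed to post the comment
jobs:
  comment:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: profile-results
          path: out
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      - name: Post comment (artifact contents are attacker-controlled input)
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          pr="$(tr -cd '0-9' < out/pr_number)"   # keep digits only
          gh pr comment "$pr" --repo "$GITHUB_REPOSITORY" --body-file out/metrics.json
```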

@github-actions bot commented Oct 19, 2025

Performance Comparison main → hotpath_security

Total Elapsed Time: 41.93ms → 40.03ms (-4.5%)

Profiling Mode: timing - Execution duration of functions.

+-------------------------------------+----------------------+---------------------------------+---------------------------------+----------------------------------+--------------------------------+--------------------------------+------------------------------+
| Function                            | Calls                | Avg                             | P50                             | P95                              | P99                            | Total                          | % Total                      |
+-------------------------------------+----------------------+---------------------------------+---------------------------------+----------------------------------+--------------------------------+--------------------------------+------------------------------+
| andromeda::main                     | 1 → 1 (+0.0%)        | 41.28ms → 39.39ms (-4.6%)       | 41.29ms → 39.42ms (-4.5%)       | 41.29ms → 39.42ms (-4.5%)        | 41.29ms → 39.42ms (-4.5%)      | 41.28ms → 39.39ms (-4.6%)      | 100.00% → 100.00% (+0.0%)    |
+-------------------------------------+----------------------+---------------------------------+---------------------------------+----------------------------------+--------------------------------+--------------------------------+------------------------------+
| andromeda::run_main                 | 1 → 1 (+0.0%)        | 41.26ms → 39.37ms (-4.6%)       | 41.29ms → 39.39ms (-4.6%)       | 41.29ms → 39.39ms (-4.6%)        | 41.29ms → 39.39ms (-4.6%)      | 41.26ms → 39.37ms (-4.6%)      | 99.94% → 99.94% (+0.0%)      |
+-------------------------------------+----------------------+---------------------------------+---------------------------------+----------------------------------+--------------------------------+--------------------------------+------------------------------+
| run::run                            | 1 → 1 (+0.0%)        | 40.87ms → 38.97ms (-4.6%)       | 40.89ms → 38.99ms (-4.6%)       | 40.89ms → 38.99ms (-4.6%)        | 40.89ms → 38.99ms (-4.6%)      | 40.87ms → 38.97ms (-4.6%)      | 99.00% → 98.94% (-0.1%)      |
+-------------------------------------+----------------------+---------------------------------+---------------------------------+----------------------------------+--------------------------------+--------------------------------+------------------------------+
| run::create_runtime_files           | 1 → 1 (+0.0%)        | 40.86ms → 38.97ms (-4.6%)       | 40.86ms → 38.99ms (-4.6%)       | 40.86ms → 38.99ms (-4.6%)        | 40.86ms → 38.99ms (-4.6%)      | 40.86ms → 38.97ms (-4.6%)      | 98.98% → 98.92% (-0.1%)      |
+-------------------------------------+----------------------+---------------------------------+---------------------------------+----------------------------------+--------------------------------+--------------------------------+------------------------------+
| runtime::run                        | 1 → 1 (+0.0%)        | 23.05ms → 21.27ms (-7.7%)       | 23.05ms → 21.28ms (-7.7%)       | 23.05ms → 21.28ms (-7.7%)        | 23.05ms → 21.28ms (-7.7%)      | 23.05ms → 21.27ms (-7.7%)      | 55.83% → 54.00% (-3.3%)      |
+-------------------------------------+----------------------+---------------------------------+---------------------------------+----------------------------------+--------------------------------+--------------------------------+------------------------------+
| runtime::new                        | 1 → 1 (+0.0%)        | 16.41ms → 16.30ms (-0.7%)       | 16.41ms → 16.30ms (-0.6%)       | 16.41ms → 16.30ms (-0.6%)        | 16.41ms → 16.30ms (-0.6%)      | 16.41ms → 16.30ms (-0.7%)      | 39.74% → 41.37% (+4.1%)      |
+-------------------------------------+----------------------+---------------------------------+---------------------------------+----------------------------------+--------------------------------+--------------------------------+------------------------------+
| extension::load                     | 22 → 22 (+0.0%)      | 716.21µs → 712.49µs (-0.5%)     | 252.80µs → 246.27µs (-2.6%)     | 2.53ms → 2.55ms (+0.8%)          | 4.90ms → 4.80ms (-2.0%)        | 15.76ms → 15.67ms (-0.5%)      | 38.17% → 39.79% (+4.2%)      |
+-------------------------------------+----------------------+---------------------------------+---------------------------------+----------------------------------+--------------------------------+--------------------------------+------------------------------+
| console::internal_print             | 180 → 180 (+0.0%)    | 2.67µs → 2.40µs (-9.9%)         | 2.41µs → 2.48µs (+3.1%)         | 3.25µs → 3.17µs (-2.6%)          | 14.11µs → 4.64µs (-67.2%) 🚀   | 480.01µs → 432.51µs (-9.9%)    | 1.16% → 1.09% (-6.0%)        |
+-------------------------------------+----------------------+---------------------------------+---------------------------------+----------------------------------+--------------------------------+--------------------------------+------------------------------+
| recommended::recommended_extensions | 1 → 1 (+0.0%)        | 56.32µs → 52.59µs (-6.6%)       | 56.32µs → 52.61µs (-6.6%)       | 56.32µs → 52.61µs (-6.6%)        | 56.32µs → 52.61µs (-6.6%)      | 56.32µs → 52.59µs (-6.6%)      | 0.13% → 0.13% (+0.0%)        |
+-------------------------------------+----------------------+---------------------------------+---------------------------------+----------------------------------+--------------------------------+--------------------------------+------------------------------+
| console::get_group_indent           | 180 → 180 (+0.0%)    | 134.00ns → 85.00ns (-36.6%) 🚀  | 108.00ns → 81.00ns (-25.0%) 🚀  | 183.00ns → 131.00ns (-28.4%) 🚀  | 1.04µs → 353.00ns (-66.0%) 🚀  | 24.30µs → 15.45µs (-36.4%) 🚀  | 0.05% → 0.03% (-40.0%) 🚀    |
+-------------------------------------+----------------------+---------------------------------+---------------------------------+----------------------------------+--------------------------------+--------------------------------+------------------------------+

Generated with hotpath


@marc2332 marc2332 requested a review from Copilot October 19, 2025 21:05

This comment was marked as spam.

@load1n9 load1n9 merged commit 817cb41 into tryandromeda:main Oct 20, 2025
10 checks passed
@pawurb pawurb deleted the hotpath_security branch October 20, 2025 19:02