ci-cost-diff-action 0.1.0

package/src/action.js

@@ -0,0 +1,533 @@
+import { appendFileSync, readFileSync } from "node:fs";
+import { pathToFileURL } from "node:url";
+import { findUpdatableComments, validIssueCommentId } from "./comments.js";
+import { analyzeJobs, diffSummaries, evaluateThresholds } from "./cost.js";
+import { findBaselineRun, getAuthenticatedUser, getWorkflowRun, listJobsForRun, createIssueComment, deleteIssueComment, listIssueComments, updateIssueComment } from "./github.js";
+import { getInput, parseBoolean, parseChoice, parseJsonObject, parseList, parseNonNegativeNumber, parsePositiveInteger, resolvedInput } from "./inputs.js";
+import { findJobByWorkflowOrCheckRunId } from "./jobs.js";
+import { commentMarker, renderReport } from "./report.js";
+
+const POST_CREATE_CLEANUP_ATTEMPTS = 3;
+const POST_CREATE_CLEANUP_DELAY_MS = 250;
+
+export async function main() {
+  const token = readRequiredToken();
+  const context = await readRunContext(token);
+  const inputs = readActionInputs();
+  const baselineRun = await readBaselineRun({ token, context, inputs });
+  const { currentJobs, baselineJobs } = await readWorkflowJobs({ token, context, inputs, baselineRun });
+  const { current, baseline, diff } = analyzeWorkflowJobs({ currentJobs, baselineJobs, inputs });
+  const thresholdResult = evaluateThresholds(diff, inputs.thresholds);
+  const runnerRateWarnings = collectRunnerRateWarnings({ current, baseline });
+
+  applyRunnerRateGates({ thresholdResult, runnerRateWarnings, inputs });
+
+  const marker = commentMarker(commentScope(context, inputs, currentJobs));
+  const report = renderReport({
+    diff,
+    currentRun: context.currentRun,
+    baselineRun,
+    thresholdResult,
+    unknownJobs: runnerRateWarnings.unknownJobs,
+    ambiguousRateJobs: runnerRateWarnings.ambiguousRateJobs,
+    marker
+  });
+
+  writeSummary(report);
+  setOutputs(diff, thresholdResult);
+  await maybeWritePrComment({
+    token,
+    context,
+    report,
+    marker,
+    mode: inputs.commentMode,
+    allowForkPrComments: inputs.allowForkPrComments
+  });
+
+  if (thresholdResult.conclusion === "fail") {
+    throw new Error(`CI cost budget failed: ${thresholdResult.failures.join("; ")}`);
+  }
+}
+
+function readRequiredToken() {
+  const token = getInput("github-token");
+  if (!token) {
+    throw new Error("Missing github-token input.");
+  }
+
+  return token;
+}
+
+async function readRunContext(token) {
+  const { owner, repo } = parseRepository(process.env.GITHUB_REPOSITORY);
+  const event = readEvent();
+  const runId = getInput("run-id") || process.env.GITHUB_RUN_ID;
+  if (!runId) {
+    throw new Error("Missing run id. Set run-id or run inside GitHub Actions.");
+  }
+
+  const currentRun = await getWorkflowRun({ token, owner, repo, runId });
+  return {
+    owner,
+    repo,
+    event,
+    runId,
+    currentRun,
+    workflowId: getInput("workflow-id") || String(currentRun.workflow_id),
+    baselineBranch: resolveBaselineBranch(event, currentRun)
+  };
+}
+
+export function resolveBaselineBranch(event, currentRun) {
+  return getInput("baseline-branch")
+    || event.pull_request?.base?.ref
+    || event.repository?.default_branch
+    || currentRun.head_branch;
+}
+
+function readActionInputs() {
+  return {
+    runIdOverride: Boolean(getInput("run-id")),
+    baselineEvent: getInput("baseline-event"),
+    lookbackRuns: parsePositiveInteger(getInput("lookback-runs"), 20, "lookback-runs"),
+    jobFilter: parseChoice(getInput("job-filter"), ["all", "latest"], "all", "job-filter"),
+    excludePatterns: parseList(getInput("exclude-jobs")),
+    currentJobId: resolvedInput(getInput("current-job-id")),
+    includeCurrentJob: parseBoolean(getInput("include-current-job"), false),
+    runnerRates: parseJsonObject(getInput("runner-rates"), {}, "runner-rates"),
+    failOnUnknownRunner: parseBoolean(getInput("fail-on-unknown-runner"), false),
+    failOnAmbiguousRunnerRate: parseBoolean(getInput("fail-on-ambiguous-runner-rate"), false),
+    commentMode: parseChoice(getInput("comment-mode"), ["off", "update", "always"], "update", "comment-mode"),
+    allowForkPrComments: parseBoolean(getInput("allow-fork-pr-comments"), false),
+    thresholds: {
+      maxIncreasePercent: parseNonNegativeNumber(getInput("fail-on-increase-percent"), undefined, "fail-on-increase-percent"),
+      maxIncreaseUsd: parseNonNegativeNumber(getInput("fail-on-increase-usd"), undefined, "fail-on-increase-usd"),
+      maxTotalUsd: parseNonNegativeNumber(getInput("fail-on-total-usd"), undefined, "fail-on-total-usd")
+    }
+  };
+}
+
+export function commentScope(context, inputs = {}, currentJobs = []) {
+  return [context.currentRun.workflow_id ?? context.workflowId, reportingJobScope(inputs, currentJobs), process.env.GITHUB_ACTION]
+    .filter(Boolean)
+    .join("/");
+}
+
+function reportingJobScope(inputs, currentJobs) {
+  const currentActionJob = inputs.currentJobId ? findJobByWorkflowOrCheckRunId(currentJobs, inputs.currentJobId) : null;
+  return currentActionJob?.name || process.env.GITHUB_JOB;
+}
+
+async function readBaselineRun({ token, context, inputs }) {
+  return findBaselineRun({
+    token,
+    owner: context.owner,
+    repo: context.repo,
+    workflowId: context.workflowId,
+    branch: context.baselineBranch,
+    event: inputs.baselineEvent,
+    limit: inputs.lookbackRuns,
+    currentRunId: context.runId,
+    currentRunCreatedAt: context.currentRun.created_at,
+    currentRunStartedAt: context.currentRun.run_started_at,
+    currentRunNumber: context.currentRun.run_number
+  });
+}
+
+async function readWorkflowJobs({ token, context, inputs, baselineRun }) {
+  const currentJobs = await listJobsForRun({ token, owner: context.owner, repo: context.repo, runId: context.runId, filter: inputs.jobFilter });
+  const baselineJobs = baselineRun
+    ? await listJobsForRun({ token, owner: context.owner, repo: context.repo, runId: baselineRun.id, filter: inputs.jobFilter })
+    : [];
+
+  return { currentJobs, baselineJobs };
+}
+
+function analyzeWorkflowJobs({ currentJobs, baselineJobs, inputs }) {
+  const { currentExclusions, baselineExclusions } = resolveJobExclusions({ currentJobs, inputs });
+  const current = analyzeJobs(currentJobs, {
+    ...currentExclusions,
+    rateOverrides: inputs.runnerRates
+  });
+  const baseline = analyzeJobs(baselineJobs, {
+    ...baselineExclusions,
+    rateOverrides: inputs.runnerRates
+  });
+
+  return {
+    current,
+    baseline,
+    diff: diffSummaries(current, baseline)
+  };
+}
+
+export function resolveJobExclusions({ currentJobs, inputs }) {
+  const currentActionJob = inputs.currentJobId ? findJobByWorkflowOrCheckRunId(currentJobs, inputs.currentJobId) : null;
+
+  if (inputs.includeCurrentJob) {
+    return jobExclusionOptions(inputs.excludePatterns, [], [], incompleteReportingJobNames(currentActionJob, currentJobs, inputs));
+  }
+
+  const excludeJobIds = currentActionJob ? [currentActionJob.id] : [];
+  const currentExcludeNames = currentActionJob?.name ? [currentActionJob.name] : [];
+  const baselineExcludeNames = baselineReportingJobNames(currentActionJob, currentJobs, inputs);
+
+  return jobExclusionOptions(inputs.excludePatterns, excludeJobIds, currentExcludeNames, baselineExcludeNames);
+}
+
+function jobExclusionOptions(excludePatterns, excludeJobIds, currentExcludeNames, baselineExcludeNames) {
+  const currentExclusions = { excludePatterns, excludeJobIds };
+  if (currentExcludeNames.length > 0) {
+    currentExclusions.excludeNames = currentExcludeNames;
+  }
+
+  return {
+    currentExclusions,
+    baselineExclusions: { excludePatterns, excludeNames: baselineExcludeNames }
+  };
+}
+
+function baselineReportingJobNames(currentActionJob, currentJobs, inputs) {
+  if (currentActionJob?.name) {
+    return [currentActionJob.name];
+  }
+
+  const incompleteNames = incompleteJobNames(currentJobs);
+  if (incompleteNames.length > 0) {
+    console.warn("::warning::current-job-id was not provided or did not match a workflow job. Excluding in-progress current job names from the baseline; pass current-job-id for precise self-exclusion.");
+    return incompleteNames;
+  }
+
+  return shouldUseFallbackReportingJobName(inputs) ? fallbackReportingJobNames() : [];
+}
+
+function shouldUseFallbackReportingJobName(inputs) {
+  return !inputs.runIdOverride;
+}
+
+function incompleteReportingJobNames(currentActionJob, currentJobs, inputs) {
+  if (currentActionJob?.name) {
+    return isIncompleteJob(currentActionJob) ? [currentActionJob.name] : [];
+  }
+
+  const incompleteNames = incompleteJobNames(currentJobs);
+  return incompleteNames.length > 0 || !shouldUseFallbackReportingJobName(inputs)
+    ? incompleteNames
+    : fallbackReportingJobNames();
+}
+
+function incompleteJobNames(jobs) {
+  return [...new Set(jobs
+    .filter(isIncompleteJob)
+    .map((job) => job.name))];
+}
+
+function isIncompleteJob(job) {
+  return Boolean(job?.started_at && !job?.completed_at && job.name);
+}
+
+function fallbackReportingJobNames() {
+  if (!process.env.GITHUB_JOB) {
+    return [];
+  }
+
+  console.warn("::warning::current-job-id was not provided or did not match a workflow job. Falling back to GITHUB_JOB for baseline self-exclusion; use exclude-jobs if the reporting job has a custom display name.");
+  return [process.env.GITHUB_JOB];
+}
+
+export function collectRunnerRateWarnings({ current, baseline }) {
+  const currentUnknownJobs = current.jobs.filter((job) => job.rate === null);
+  const baselineUnknownJobs = baseline.jobs.filter((job) => job.rate === null);
+  const currentAmbiguousRateJobs = current.jobs.filter((job) => job.rateWarning);
+  const baselineAmbiguousRateJobs = baseline.jobs.filter((job) => job.rateWarning);
+
+  return {
+    currentUnknownJobs,
+    currentAmbiguousRateJobs,
+    unknownJobs: [
+      ...withRunLabel(currentUnknownJobs, "current"),
+      ...withRunLabel(baselineUnknownJobs, "baseline")
+    ],
+    ambiguousRateJobs: [
+      ...withRunLabel(currentAmbiguousRateJobs, "current"),
+      ...withRunLabel(baselineAmbiguousRateJobs, "baseline")
+    ]
+  };
+}
+
+export function applyRunnerRateGates({ thresholdResult, runnerRateWarnings, inputs }) {
+  if (inputs.failOnUnknownRunner && runnerRateWarnings.currentUnknownJobs.length > 0) {
+    thresholdResult.conclusion = "fail";
+    thresholdResult.failures.push(`${runnerRateWarnings.currentUnknownJobs.length} current job(s) used unknown runner rates.`);
+  }
+
+  if (inputs.failOnAmbiguousRunnerRate && runnerRateWarnings.currentAmbiguousRateJobs.length > 0) {
+    thresholdResult.conclusion = "fail";
+    thresholdResult.failures.push(`${runnerRateWarnings.currentAmbiguousRateJobs.length} current job(s) used ambiguous runner rates.`);
+  }
+}
+
+async function maybeWritePrComment({ token, context, report, marker, mode, allowForkPrComments }) {
+  const prNumber = context.event.pull_request?.number;
+  if (!prNumber) {
+    return;
+  }
+
+  if (mode === "off") {
+    return;
+  }
+
+  if (shouldSkipForkPrComment(context.event, allowForkPrComments)) {
+    console.warn("::warning::Skipping pull request comment because fork pull_request workflows receive a read-only GITHUB_TOKEN. Pass allow-fork-pr-comments with a write-capable custom token to opt in. The report is still available in the step summary.");
+    return;
+  }
+
+  try {
+    await writePrComment({
+      token,
+      owner: context.owner,
+      repo: context.repo,
+      issueNumber: prNumber,
+      body: report,
+      marker,
+      mode
+    });
+  } catch (error) {
+    console.warn(`::warning::Could not write pull request comment: ${escapeAnnotation(String(error.message ?? error))}`);
+  }
+}
+
+export function shouldSkipForkPrComment(event, allowForkPrComments = false) {
+  return !allowForkPrComments && isReadOnlyForkPullRequest(event);
+}
+
+export function parseRepository(value) {
+  const parts = String(value ?? "").split("/");
+  const [owner, repo] = parts;
+  if (parts.length !== 2 || !owner || !repo) {
+    throw new Error("GITHUB_REPOSITORY must be set as owner/repo.");
+  }
+
+  return { owner, repo };
+}
+
+export function readEvent() {
+  const eventPath = process.env.GITHUB_EVENT_PATH;
+  if (!eventPath) {
+    return {};
+  }
+
+  try {
+    return JSON.parse(readFileSync(eventPath, "utf8"));
+  } catch (error) {
+    console.warn(`::warning::Could not read GitHub event payload: ${escapeAnnotation(String(error.message ?? error))}`);
+    return {};
+  }
+}
+
+export function isReadOnlyForkPullRequest(event) {
+  if (isPullRequestTargetEvent()) {
+    return false;
+  }
+
+  return isForkPullRequestEvent(event) && hasReadOnlyForkToken(headRepositoryName(event), baseRepositoryName(event));
+}
+
+function isPullRequestTargetEvent() {
+  return process.env.GITHUB_EVENT_NAME === "pull_request_target";
+}
+
+function headRepositoryName(event) {
+  return event.pull_request?.head?.repo?.full_name ?? "";
+}
+
+function baseRepositoryName(event) {
+  return event.repository?.full_name ?? "";
+}
+
+function isForkPullRequestEvent(event) {
+  return Boolean(event.pull_request);
+}
+
+function hasReadOnlyForkToken(headRepo, baseRepo) {
+  return Boolean(baseRepo && (!headRepo || headRepo !== baseRepo));
+}
+
+function writeSummary(markdown) {
+  if (process.env.GITHUB_STEP_SUMMARY) {
+    appendFileSync(process.env.GITHUB_STEP_SUMMARY, markdown);
+  } else {
+    console.log(markdown);
+  }
+}
+
+export function setOutputs(diff, thresholdResult) {
+  setOutput("current-cost", diff.currentCost.toFixed(4));
+  setOutput("baseline-cost", diff.baselineCost.toFixed(4));
+  setOutput("delta-cost", diff.deltaCost.toFixed(4));
+  setOutput("delta-percent", diff.deltaPercent === null ? "" : diff.deltaPercent.toFixed(2));
+  setOutput("current-minutes", String(diff.currentMinutes));
+  setOutput("baseline-minutes", String(diff.baselineMinutes));
+  setOutput("conclusion", thresholdResult.conclusion);
+}
+
+function setOutput(name, value) {
+  if (!process.env.GITHUB_OUTPUT) {
+    console.log(`${name}=${value}`);
+    return;
+  }
+
+  const delimiter = `ci_cost_diff_${name}_${Date.now()}`;
+  appendFileSync(process.env.GITHUB_OUTPUT, `${name}<<${delimiter}\n${value}\n${delimiter}\n`);
+}
+
+function withRunLabel(jobs, runLabel) {
+  return jobs.map((job) => ({ ...job, runLabel }));
+}
+
+export async function writePrComment({
+  token,
+  owner,
+  repo,
+  issueNumber,
+  body,
+  marker = commentMarker(),
+  mode
+}) {
+  if (mode === "always") {
+    await createIssueComment({ token, owner, repo, issueNumber, body });
+    return;
+  }
+
+  await writeUpdateModePrComment({ token, owner, repo, issueNumber, body, marker });
+}
+
+async function writeUpdateModePrComment({ token, owner, repo, issueNumber, body, marker }) {
+  const comments = await listIssueComments({ token, owner, repo, issueNumber });
+  const authenticatedUser = await getAuthenticatedUser({ token }).catch(() => null);
+  const matches = findUpdatableComments(comments, marker, authenticatedUser);
+  const existing = matches.at(-1) ?? null;
+
+  if (await updateExistingCommentIfPresent({ token, owner, repo, body, existing, duplicates: matches.slice(0, -1) })) {
+    return;
+  }
+
+  if (shouldSkipDuplicateAppMarkerComment(comments, marker, authenticatedUser)) {
+    console.warn("::warning::Could not resolve token identity, so the existing GitHub App marker comment was left unchanged to avoid creating duplicates.");
+    return;
+  }
+
+  const created = await createIssueComment({ token, owner, repo, issueNumber, body });
+  await cleanupCreatedCommentDuplicates({ token, owner, repo, issueNumber, marker, authenticatedUser, createdCommentId: created?.id });
+}
+
+async function updateExistingCommentIfPresent({ token, owner, repo, body, existing, duplicates }) {
+  if (!existing || !await updateExistingComment({ token, owner, repo, commentId: existing.id, body })) {
+    return false;
+  }
+
+  await deleteDuplicateComments({ token, owner, repo, comments: duplicates });
+  return true;
+}
+
+async function updateExistingComment({ token, owner, repo, commentId, body }) {
+  try {
+    await updateIssueComment({ token, owner, repo, commentId, body });
+    return true;
+  } catch (error) {
+    if (isGitHubNotFoundError(error)) {
+      return false;
+    }
+
+    throw error;
+  }
+}
+
+function isGitHubNotFoundError(error) {
+  return / failed with 404:/.test(String(error?.message ?? error));
+}
+
+function shouldSkipDuplicateAppMarkerComment(comments, marker, authenticatedUser) {
+  return !authenticatedUser?.login && hasAppMarkerComment(comments, marker);
+}
+
+function hasAppMarkerComment(comments, marker) {
+  return comments.some((comment) => Boolean(validIssueCommentId(comment.id))
+    && comment.body?.includes(marker)
+    && isAppAuthoredComment(comment));
+}
+
+function isAppAuthoredComment(comment) {
+  return Boolean(String(comment.performed_via_github_app?.slug ?? "").trim())
+    || comment.user?.login === "github-actions[bot]";
+}
+
+async function cleanupCreatedCommentDuplicates({ token, owner, repo, issueNumber, marker, authenticatedUser, createdCommentId }) {
+  if (!authenticatedUser?.login) {
+    return;
+  }
+
+  const createdId = validIssueCommentId(createdCommentId);
+
+  for (let attempt = 1; attempt <= POST_CREATE_CLEANUP_ATTEMPTS; attempt += 1) {
+    const comments = await listIssueComments({ token, owner, repo, issueNumber });
+    const matches = findUpdatableComments(comments, marker, authenticatedUser);
+    const duplicates = postCreateDuplicateComments(matches, createdId);
+    await deleteDuplicateComments({ token, owner, repo, comments: duplicates });
+
+    if (duplicates.length > 0 || attempt === POST_CREATE_CLEANUP_ATTEMPTS) {
+      return;
+    }
+
+    await sleep(POST_CREATE_CLEANUP_DELAY_MS);
+  }
+}
+
+function postCreateDuplicateComments(matches, createdId) {
+  if (createdId) {
+    return matches.filter((comment) => validIssueCommentId(comment.id) !== createdId);
+  }
+
+  return matches.slice(0, -1);
+}
+
+async function deleteDuplicateComments({ token, owner, repo, comments }) {
+  for (const comment of comments) {
+    const commentId = validIssueCommentId(comment.id);
+    if (!commentId) {
+      continue;
+    }
+
+    try {
+      await deleteIssueComment({ token, owner, repo, commentId });
+    } catch (error) {
+      console.warn(`::warning::Could not delete duplicate pull request comment ${commentId}: ${escapeAnnotation(String(error.message ?? error))}`);
+    }
+  }
+}
+
+if (isActionEntrypoint()) {
+  main().catch(handleMainError);
+}
+
+function isActionEntrypoint() {
+  return process.argv[1]
+    ? pathToFileURL(process.argv[1]).href === import.meta.url
+    : false;
+}
+
+function handleMainError(error) {
+  console.error(`::error::${escapeAnnotation(String(error.message ?? error))}`);
+  process.exitCode = 1;
+}
+
+function escapeAnnotation(value) {
+  return value
+    .replace(/%/g, "%25")
+    .replace(/\r/g, "%0D")
+    .replace(/\n/g, "%0A");
+}
+
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}

package/src/comments.js

@@ -0,0 +1,78 @@
+/**
+ * Minimal GitHub user shape used for comment ownership checks.
+ * @typedef {object} GitHubUser
+ * @property {string} [login] GitHub login.
+ */
+
+/**
+ * Minimal GitHub App shape used for Actions-authored comments.
+ * @typedef {object} GitHubApp
+ * @property {string} [slug] GitHub App slug.
+ */
+
+/**
+ * Issue comment fields used when replacing an existing report comment.
+ * @typedef {object} IssueComment
+ * @property {string|number} [id] Issue comment id.
+ * @property {string} [body] Comment body.
+ * @property {GitHubUser} [user] Comment author.
+ * @property {GitHubApp} [performed_via_github_app] App that created the comment.
+ */
+
+/**
+ * Finds the newest marker comment that belongs to the authenticated author.
+ * When the token identity cannot be resolved, no existing comment is considered
+ * safe to update because the public marker alone is not an ownership proof.
+ * @param {IssueComment[]} comments Issue comments from GitHub.
+ * @param {string} marker Stable marker embedded in report comments.
+ * @param {GitHubUser|null} [authenticatedUser=null] Authenticated token user, when available.
+ * @returns {IssueComment|null} Newest updatable comment, or null.
+ */
+export function findUpdatableComment(comments, marker, authenticatedUser = null) {
+  return findUpdatableComments(comments, marker, authenticatedUser).at(-1) ?? null;
+}
+
+/**
+ * Finds all marker comments that are safe for this action run to update.
+ * @param {IssueComment[]} comments Issue comments from GitHub.
+ * @param {string} marker Stable marker embedded in report comments.
+ * @param {GitHubUser|null} [authenticatedUser=null] Authenticated token user, when available.
+ * @returns {IssueComment[]} Updatable comments in API order.
+ */
+export function findUpdatableComments(comments, marker, authenticatedUser = null) {
+  return comments.filter((comment) => isUpdatableComment(comment, marker, authenticatedUser));
+}
+
+/**
+ * Normalizes a usable GitHub issue comment id.
+ * @param {unknown} value Raw comment id.
+ * @returns {string} Numeric id string, or an empty string when unusable.
+ */
+export function validIssueCommentId(value) {
+  const id = String(value ?? "").trim();
+  return /^[0-9]+$/.test(id) ? id : "";
+}
+
+/**
+ * Checks whether a comment is safe for this action run to update.
+ * @param {IssueComment} comment Issue comment from GitHub.
+ * @param {string} marker Stable marker embedded in report comments.
+ * @param {GitHubUser|null} [authenticatedUser=null] Authenticated token user, when available.
+ * @returns {boolean} True when the comment has the marker and matching author.
+ */
+export function isUpdatableComment(comment, marker, authenticatedUser = null) {
+  return Boolean(validIssueCommentId(comment.id))
+    && commentHasMarker(comment, marker)
+    && commentAuthorMatches(comment, authenticatedUser);
+}
+
+function commentHasMarker(comment, marker) {
+  return Boolean(comment.body?.includes(marker));
+}
+
+function commentAuthorMatches(comment, authenticatedUser) {
+  const authorLogin = comment.user?.login;
+  const authenticatedLogin = authenticatedUser?.login;
+
+  return Boolean(authenticatedLogin && authorLogin === authenticatedLogin);
+}