zizmorcore
diff --git a/‎.github/ISSUE_TEMPLATE/bug-report.yml‎
Lines changed: 5 additions & 4 deletions b/‎.github/ISSUE_TEMPLATE/bug-report.yml‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎.github/ISSUE_TEMPLATE/feature-request.yml‎
Lines changed: 5 additions & 2 deletions b/‎.github/ISSUE_TEMPLATE/feature-request.yml‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎.github/workflows/benchmark-base.yml‎
Lines changed: 63 additions & 0 deletions b/‎.github/workflows/benchmark-base.yml‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎.github/workflows/benchmark-pr-1p.yml‎
Lines changed: 79 additions & 0 deletions b/‎.github/workflows/benchmark-pr-1p.yml‎
Lines changed: 79 additions & 0 deletions
diff --git a/‎.github/workflows/release-binaries.yml‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/release-binaries.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/release-docker.yml‎
Lines changed: 3 additions & 2 deletions b/‎.github/workflows/release-docker.yml‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎Makefile‎
Lines changed: 5 additions & 0 deletions b/‎Makefile‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 7 additions & 2 deletions b/‎README.md‎
Lines changed: 7 additions & 2 deletions
diff --git a/‎bench/.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎bench/.gitignore‎
Lines changed: 1 addition & 0 deletions
@@ -10,7 +10,7 @@ body:
       value: |
         Thank you for taking the time to fill out this bug report!
 
-        Please read the following parts of this template carefully.
+        Please read the following parts of this template **very carefully**.
         Invalid or incomplete submissions take longer to triage,
         and may be given a lower priority or closed outright
         if not actionable.
@@ -27,9 +27,10 @@ body:
             the feature request form instead.
           required: true
         - label: >-
-            I have looked through the
-            [open issues](https://github.com/zizmorcore/zizmor/issues?q=is%3Aissue+is%3Aopen+)
-            for a duplicate report.
+            I have looked through both the
+            [open](https://github.com/zizmorcore/zizmor/issues?q=is%3Aissue+is%3Aopen+)
+            and [closed](https://github.com/zizmorcore/zizmor/issues?q=is%3Aissue%20state%3Aclosed)
+            issues for a duplicate report.
           required: true
 
   - type: input
 
@@ -10,7 +10,7 @@ body:
       value: |
         Thanks for making a `zizmor` feature request!
 
-        Please read the following parts of this form carefully.
+        Please read the following parts of this form **very carefully**.
         Invalid or incomplete submissions take longer to triage,
         and may be given a lower priority or closed outright
         if not actionable.
@@ -26,7 +26,10 @@ body:
             These must be filed via the bug report template.
           required: true
         - label: >-
-            I have looked through the open issues for a duplicate request.
+            I have looked through both the
+            [open](https://github.com/zizmorcore/zizmor/issues?q=is%3Aissue+is%3Aopen+)
+            and [closed](https://github.com/zizmorcore/zizmor/issues?q=is%3Aissue%20state%3Aclosed)
+            issues for a duplicate request.
           required: true
 
   - type: textarea
 
@@ -0,0 +1,63 @@
+# benchmark-base.yml: submit benchmarks to Bencher.
+#
+# This workflow provides baseline results, via the main branch.
+
+name: Benchmark baseline
+
+on:
+  push:
+    branches: [main]
+
+permissions: {}
+
+jobs:
+  benchmark_base_branch:
+    name: Continuous Benchmarking with Bencher
+    runs-on: ubuntu-latest
+
+    permissions:
+      checks: write
+
+    environment:
+      name: bencher
+      url: https://bencher.dev/console/projects/zizmor
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Set up Bencher
+        uses: bencherdev/bencher@f89d454e74a32a81b2eab29fe0afdb2316617342 # v0.5.3
+
+      - name: Installer hyperfine
+        run: |
+          sudo apt-get remove --purge man-db
+          sudo apt install -y hyperfine
+
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
+
+      - uses: astral-sh/setup-uv@7edac99f961f18b581bbd960d59d049f04c0002f # v6.4.1
+
+      # TODO: use actions/cache to cache the plan phase here.
+      - name: Run benchmarks
+        run: make bench
+
+      - name: Upload benchmark results
+        # Take each result file in bench/results/*.json and use
+        # `bencher run` to upload it.
+        run: |
+          for file in bench/results/*.json; do
+            bencher run \
+              --project zizmor \
+              --token "${BENCHER_API_TOKEN}" \
+              --branch main \
+              --testbed ubuntu-latest \
+              --err \
+              --adapter shell_hyperfine \
+              --github-actions "${GITHUB_TOKEN}" \
+              --file "${file}"
+          done
+        env:
+          BENCHER_API_TOKEN: ${{ secrets.BENCHER_API_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -0,0 +1,79 @@
+# benchmark-pr-1p.yml: submit benchmarks to Bencher.
+#
+# This workflow covers "first party" pull requests specifically,
+# i.e. those created from branches within the same repository.
+
+name: Benchmark PRs (first-party)
+
+on:
+  pull_request:
+    types: [opened, reopened, edited, synchronize]
+
+permissions: {}
+
+concurrency:
+  group: "benchmark-pr-1p-${{ github.event.pull_request.number }}"
+  cancel-in-progress: true
+
+jobs:
+  benchmark-pr-1p:
+    name: Continuous Benchmarking PRs with Bencher
+    runs-on: ubuntu-latest
+    if: >-
+      ${{
+        github.event_name == 'pull_request'
+          && github.event.pull_request.head.repo.full_name == github.repository
+          && !contains(github.event.pull_request.labels.*.name, 'no-benchmark')
+      }}
+
+    permissions:
+      pull-requests: write
+
+    environment:
+      name: bencher
+      url: https://bencher.dev/console/projects/zizmor
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Set up Bencher
+        uses: bencherdev/bencher@f89d454e74a32a81b2eab29fe0afdb2316617342 # v0.5.3
+
+      - name: Installer hyperfine
+        run: |
+          sudo apt-get remove --purge man-db
+          sudo apt install -y hyperfine
+
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
+
+      - uses: astral-sh/setup-uv@7edac99f961f18b581bbd960d59d049f04c0002f # v6.4.1
+
+      # TODO: use actions/cache to cache the plan phase here.
+      - name: Run benchmarks
+        run: make bench
+
+      - name: Upload benchmark results
+        # Take each result file in bench/results/*.json and use
+        # `bencher run` to upload it.
+        run: |
+          for file in bench/results/*.json; do
+            bencher run \
+              --project zizmor \
+              --token "${BENCHER_API_TOKEN}" \
+              --branch "${GITHUB_HEAD_REF}" \
+              --start-point "${GITHUB_BASE_REF}" \
+              --start-point-hash "${PULL_REQUEST_BASE_SHA}" \
+              --start-point-clone-thresholds \
+              --start-point-reset \
+              --testbed ubuntu-latest \
+              --err \
+              --adapter shell_hyperfine \
+              --github-actions "${GITHUB_TOKEN}" \
+              --file "${file}"
+          done
+        env:
+          BENCHER_API_TOKEN: ${{ secrets.BENCHER_API_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PULL_REQUEST_BASE_SHA: ${{ github.event.pull_request.base.sha }}
@@ -35,6 +35,7 @@ jobs:
       - name: Rust toolchain and target information
         run: |
           rustup show
+        shell: bash
 
       - name: Install Rust target for ${{ matrix.target }}
         run: rustup target add "${TARGET}"
 
@@ -4,11 +4,11 @@ on:
   workflow_dispatch:
     inputs:
       version:
-        description: 'The version of zizmor to build against'
+        description: "The version of zizmor to build against"
         required: true
 
       latest:
-        description: 'Whether to tag the image as latest'
+        description: "Whether to tag the image as latest"
         required: false
         default: true
         type: boolean
@@ -83,6 +83,7 @@ jobs:
           touch "${RUNNER_TEMP}/digests/${digest#sha256:}"
         env:
           DIGEST: ${{ steps.build.outputs.digest }}
+        shell: bash
 
       - name: Upload digest
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 
@@ -44,3 +44,8 @@ crates/zizmor/data/codeql-injection-sinks.json: support/codeql-injection-sinks.p
 .PHONY: pinact
 pinact:
 	pinact run --update --verify
+
+
+.PHONY: bench
+bench:
+	uv run bench/benchmark.py
@@ -84,13 +84,18 @@ Trail of Bits
 Tenki Cloud
 </a>
 </td>
+<td align="center" valign="top">
+<a href="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/ariccio">
+Alexander Riccio
+</a>
+</td>
 </tr>
 </tbody>
 </table>
 <!-- @@end-sponsors@@ -->
 
-Is your name missing above? Consider becoming one of our sponsors through
-one of the following:
+Want to see your name or logo above? Consider becoming a sponsor
+through one of the following:
 
 - [GitHub Sponsors](https://github.com/sponsors/woodruffw) (preferred)
 - [thanks.dev](https://thanks.dev/u/gh/woodruffw)
 
@@ -0,0 +1 @@
+results/