canonical · niemeyer · Mar 30, 2026 · Mar 6, 2026 · Mar 6, 2026 · Mar 6, 2026
diff --git a/.github/workflows/comment-perf.yaml b/.github/workflows/comment-perf.yaml
@@ -0,0 +1,33 @@
+name: Post benchmark result on pull request
+
+# This workflow can write to the PR. It must never execute PR author arbitrary
+# code to prevent from leaking secrets.
+# The pull_request_target trigger MUST NOT be used as it bypasses the
+# requirement of maintainer approval of a PR from an outside contributor and
+# it is executed in the context of the target repository, giving access to
+# secrets.
+on:
+  workflow_run:
+    workflows: ["Performance"]
+    types: [completed]
+
+jobs:
+  post-comment:
+    name: Post PR comment
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'}}
+    steps:
+      - name: Download comment
+        uses: actions/download-artifact@v4
+        with:
+          name: benchmark-report
+          path: benchmark-report.txt
+          github-token: ${{ secrets.ROCKSBOT_CHISEL_PR_COMMENTER }}
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: Post message to PR
+        uses: mshick/add-pr-comment@dd126dd8c253650d181ad9538d8b4fa218fc31e8
+        with:
+          message-path: benchmark-report.txt
+          issue: ${{ github.event.workflow_run.pull_requests[0].number }}
+          repo-token: ${{ secrets.ROCKSBOT_CHISEL_PR_COMMENTER }}
diff --git a/.github/workflows/performance.yaml b/.github/workflows/performance.yaml
@@ -1,7 +1,11 @@
 name: Performance
 
+# This workflow is decoupled from comment-perf.yaml to protect secrets.
+# The benchmark test executes the chisel binary, so the PR author could execute
+# arbitrary code in the runner. Hence, secrets MUST NOT be available to this
+# workflow.
 on:
-  pull_request_target:
+  pull_request:
     branches: [main]
 
 jobs:
@@ -37,8 +41,6 @@ jobs:
     runs-on: ubuntu-22.04
     needs: build
     name: Benchmark chisel info (chisel-releases 24.04)
-    permissions:
-      pull-requests: write
     steps:
       - name: Download base
         uses: actions/download-artifact@v4
@@ -68,7 +70,9 @@ jobs:
           chmod +x base head
           hyperfine --export-markdown "$msg_file" "./base info --release ./chisel-releases 'python3.12_core'" -n "BASE" "./head info --release ./chisel-releases 'python3.12_core'" -n "HEAD"
 
-      - name: Post message to PR
-        uses: mshick/add-pr-comment@v2
+      - name: Upload result
+        uses: actions/upload-artifact@v4
         with:
-          message-path: ${{ steps.benchmark.outputs.msg_file }}
+          name: benchmark-report
+          path: ${{ steps.benchmark.outputs.msg_file }}
+          retention-days: 1