bench: add workflow to build benchmark container (#484)

* add containerfile for benchmark image

Signed-off-by: Spencer Schrock <[email protected]>

* add benchmark trigger workflow

This is modeled after the OpenSSF Scorecard `scdiff` workflow, which
looks for comments from repository members. This requires the developer
triggering the benchmark to have their membership in the Sigstore
organization public.

This approach gains flexibility compared to a label trigger as
additional arguments can be provided after the /bench command.

Signed-off-by: Spencer Schrock <[email protected]>

* add a timing wrapper around model serialization

Signed-off-by: Spencer Schrock <[email protected]>

* add runner script and job configuration

Signed-off-by: Spencer Schrock <[email protected]>

* use generated models instead of real models

Signed-off-by: Spencer Schrock <[email protected]>

* matrix small/large model with few/many files

Signed-off-by: Spencer Schrock <[email protected]>

* add workflow_dispatch trigger

Signed-off-by: Spencer Schrock <[email protected]>

* add terminating newline

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>

Author: spencerschrock

.github/workflows/bench.yml

@@ -0,0 +1,106 @@
+name: model_signing benchmarks
+on:
+  issue_comment:
+    types: [created]
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  publish-benchmark-container:
+    if: ${{ github.event_name == 'workflow_dispatch' }} || ${{ (github.event.issue.pull_request) && (startsWith(github.event.comment.body, '/bench')) }}
+    runs-on: [ubuntu-latest]
+    permissions:
+      packages: write
+    outputs:
+      head: ${{ steps.config.outputs.head }}
+    steps:
+      - name: Validate and configure benchmark
+        id: config
+        env:
+          COMMENT_BODY: ${{ github.event.comment.body }}
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            if (context.eventName === 'workflow_dispatch') {
+              core.setOutput('head', context.sha)
+              return
+            }
+
+            const allowedAssociations = ["COLLABORATOR", "MEMBER", "OWNER"];
+            authorAssociation = '${{ github.event.comment.author_association }}'
+            if (!allowedAssociations.includes(authorAssociation)) {
+              core.setFailed("You don't have access to run the benchmarks");
+              return
+            }
+
+            const response = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.issue.number,
+            })
+
+            // avoid race condition between comment and fetching PR head sha
+            const commentTime = new Date('${{ github.event.comment.created_at }}');
+            const prTime = new Date(response.data.head.repo.pushed_at)
+            if (prTime >= commentTime) {
+              core.setFailed("The PR may have been updated since the benchmark request, " +
+                             "please review any changes and relaunch if safe.");
+              return
+            }
+
+            core.setOutput('head', response.data.head.sha)
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ steps.config.outputs.head }}
+
+      - name: Build Image
+        id: build_image
+        uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
+        with:
+          containerfiles: |
+            ./benchmarks/Containerfile
+          image: ghcr.io/sigstore/model-transparency-benchmarks
+          tags: "latest ${{ steps.config.outputs.head }}"
+          archs: amd64
+          oci: false
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        id: registry_login
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push To GHCR
+        uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
+        id: push
+        with:
+          image: ${{ steps.build_image.outputs.image }}
+          tags: ${{ steps.build_image.outputs.tags }}
+          registry: ghcr.io
+  submit-cloud-batch:
+    needs: publish-benchmark-container
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: 'write'
+    env:
+      TAG: ${{needs.publish-benchmark-container.outputs.head}}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{needs.publish-benchmark-container.outputs.head}}
+      - uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10
+        with:
+          workload_identity_provider: projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
+          service_account: 'model-transparency-gha@sigstore-infra-playground.iam.gserviceaccount.com'
+      - run: |
+          gcloud batch jobs submit \
+            --job-prefix=bench \
+            --project sigstore-infra-playground \
+            --location us-central1 \
+            --config - <<EOF
+            $(envsubst '$TAG' < benchmarks/cloud_batch.json)
+            EOF

benchmarks/Containerfile

@@ -0,0 +1,25 @@
+# Copyright 2025 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM python:3.13-slim
+
+RUN python -m pip install --no-cache-dir hatch
+
+COPY pyproject.toml LICENSE README.md ./
+COPY src ./src
+COPY benchmarks ./benchmarks
+
+RUN hatch env create bench.py3.11
+
+ENTRYPOINT [ "bash" ]

benchmarks/cloud_batch.json

@@ -0,0 +1,62 @@
+{
+    "taskGroups": [
+        {
+            "taskSpec": {
+                "runnables": [
+                    {
+                        "container": {
+                            "imageUri": "ghcr.io/sigstore/model-transparency-benchmarks:${TAG}",
+                            "entrypoint": "/bin/sh",
+                            "commands": [
+                                "-c",
+                                "benchmarks/run.sh /mnt/disks/models /mnt/disks/gcs ${TAG}"
+                            ]
+                        }
+                    }
+                ],
+                "computeResource": {
+                    "cpuMilli": 16000,
+                    "memoryMib": 65536
+                },
+                "volumes": [
+                    {
+                        "gcs": {
+                            "remotePath": "model-transparency-benchmarks"
+                        },
+                        "mountPath": "/mnt/disks/gcs"
+                    },
+                    {
+                        "deviceName": "models",
+                        "mountPath": "/mnt/disks/models",
+                        "mountOptions": "rw,async"
+                    }
+                ],
+                "maxRetryCount": 0,
+                "maxRunDuration": "7200s"
+            },
+            "taskCount": 1,
+            "parallelism": 1
+        }
+    ],
+    "allocationPolicy": {
+        "instances": [
+            {
+                "policy": {
+                    "machineType": "c2d-standard-16",
+                    "disks": [
+                        {
+                            "newDisk": {
+                                "sizeGb": 375,
+                                "type": "local-ssd"
+                            },
+                            "deviceName": "models"
+                        }
+                    ]
+                }
+            }
+        ]
+    },
+    "logsPolicy": {
+        "destination": "CLOUD_LOGGING"
+    }
+}

benchmarks/run.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+set -euxo pipefail
+
+MODEL_DIR=$1
+OUTPUT_DIR=$2
+REVISION=$3
+FILENAME_BASE=$OUTPUT_DIR/$(date --utc +%Y%m%d%H%M%S)_$REVISION
+
+for SIZE in 32 256; do
+    for FILES in 64 512; do
+        MODEL=${SIZE}gb_${FILES}files
+        MODEL_PATH=$MODEL_DIR/$MODEL
+        mkdir -p "$MODEL_PATH"
+        SIZE_BYTES=$((SIZE * 1024 * 1024 * 1024))
+        hatch run bench.py3.11:generate dir --root "$MODEL_PATH" -n "$FILES" "$SIZE_BYTES"
+        hatch run bench.py3.11:python benchmarks/time_serialize.py "$MODEL_PATH" \
+            --output="${FILENAME_BASE}_${MODEL}.json"
+        rm -r "${MODEL_PATH}"
+    done
+done
+
+

benchmarks/time_serialize.py

@@ -0,0 +1,71 @@
+# Copyright 2025 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+"""Script for timing model serialization benchmarks."""
+
+import argparse
+import json
+import sys
+import time
+
+import cpuinfo
+import psutil
+import serialize
+
+
+def build_parser() -> argparse.ArgumentParser:
+    """Builds the command line parser to benchmark serializing models."""
+    parser = argparse.ArgumentParser(description="model benchmark data")
+
+    parser.add_argument("path", help="path to model")
+
+    parser.add_argument(
+        "--repeat",
+        help="how many times to repeat each model",
+        type=int,
+        default=6,
+    )
+
+    parser.add_argument("--output", "-o", help="path for result file")
+
+    return parser
+
+
+if __name__ == "__main__":
+    args = build_parser().parse_args()
+
+    serialize_args = serialize.build_parser().parse_args(
+        [args.path, "--use_shards"]
+    )
+
+    results = dict()
+    results["model"] = args.path
+    results["ram"] = psutil.virtual_memory().total
+
+    times = list()
+    for _ in range(args.repeat):
+        st = time.time()
+        payload = serialize.run(serialize_args)
+        en = time.time()
+        times.append(en - st)
+
+    results["times"] = times
+    results["cpu"] = cpuinfo.get_cpu_info()
+
+    if args.output:
+        with open(args.output, "w", encoding="utf-8") as f:
+            json.dump(results, f, ensure_ascii=False, indent=4)
+    else:
+        json.dump(results, sys.stdout, ensure_ascii=False, indent=4)

pyproject.toml

@@ -97,6 +97,8 @@ Use `hatch run +py=3... bench:chunk ${args}` to benchmark the chunk size paramet
 """
 extra-dependencies = [
   "numpy",
+  "psutil",
+  "py-cpuinfo",
 ]
 
 [[tool.hatch.envs.bench.matrix]]
@@ -125,6 +127,7 @@ description = """Custom environment for pytype.
 Use `hatch run type:check` to check types.
 """
 extra-dependencies = [
+  "py-cpuinfo",
   "pytest",
   "pytype",
 ]