Integrate hyperlight-ci into CI workflows and Just recipes

- Add cargo alias (`cargo ci`) for convenient hyperlight-ci invocation
- Update dep_benchmarks workflow to use `cargo ci bench` and generate
  a markdown report via `cargo ci bench-report`, posting results as
  a PR comment per hypervisor/cpu matrix entry
- Add benchmarks job to ValidatePullRequest workflow with hypervisor
  and cpu matrix, gated behind docs-only and build-guests checks
- Grant pull-requests: write permission for PR comment posting
- Simplify Justfile bench recipes to delegate to `cargo ci bench`
- Update benchmarking docs to reflect the new workflow

Signed-off-by: Jorge Prendes <jorge.prendes@gmail.com>

Author: jprendes

.cargo/config.toml

@@ -0,0 +1,2 @@
+[alias] # command aliases
+ci = ["run", "--quiet", "--package=hyperlight-ci", "--"]

.github/workflows/ValidatePullRequest.yml

@@ -140,6 +140,27 @@ jobs:
       docs_only: ${{ needs.docs-pr.outputs.docs-only }}
     secrets: inherit
 
+  # Run benchmarks and post results as PR comment
+  benchmarks:
+    needs:
+      - docs-pr
+      - build-guests
+    # Required because update-guest-locks is skipped on non-dependabot PRs,
+    # and a skipped dependency transitively skips all downstream jobs.
+    # See: https://github.com/actions/runner/issues/2205
+    if: ${{ !cancelled() && !failure() }}
+    strategy:
+      fail-fast: false
+      matrix:
+        hypervisor: ['hyperv-ws2025', mshv3, kvm]
+        cpu: [amd, intel]
+    uses: ./.github/workflows/dep_benchmarks.yml
+    secrets: inherit
+    with:
+      docs_only: ${{ needs.docs-pr.outputs.docs-only }}
+      hypervisor: ${{ matrix.hypervisor }}
+      cpu: ${{ matrix.cpu }}
+
   spelling:
     name: spell check with typos
     runs-on: ubuntu-latest
@@ -167,6 +188,7 @@ jobs:
       - build-test
       - run-examples
       - fuzzing
+      - benchmarks
       - spelling
       - license-headers
     if: always()

.github/workflows/dep_benchmarks.yml

@@ -56,7 +56,6 @@ on:
         required: false
         type: number
         default: 5
-
 env:
   CARGO_TERM_COLOR: always
   RUST_BACKTRACE: full
@@ -133,7 +132,17 @@ jobs:
         continue-on-error: true
 
       - name: Run benchmarks
-        run: just bench-ci main
+        run: just bench-ci
+
+      - name: Create benchmarks report
+        run: cargo ci bench-report > target/criterion/benchmark.md
+
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
+        with:
+          name: benchmark-report_${{ runner.os }}_${{ inputs.hypervisor }}_${{ inputs.cpu }}
+          path: target/criterion/benchmark.md
+          if-no-files-found: error
+          retention-days: 1
 
       - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:

.github/workflows/post-benchmark-comment.yml

@@ -0,0 +1,154 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+# Posts combined benchmark results as a single PR comment.
+#
+# This uses the workflow_run trigger so it runs with default-branch privileges,
+# which guarantees write access to pull requests regardless of repository or
+# organisation permission settings.
+
+name: Post Benchmark Comment
+
+on:
+  workflow_run:
+    workflows: ["Validate Pull Request"]
+    types: [completed]
+
+permissions:
+  pull-requests: write
+  actions: read
+
+jobs:
+  post-comment:
+    if: >-
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download benchmark report artifacts
+        uses: actions/github-script@v9
+        with:
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+
+            // List artifacts from the triggering workflow run
+            const artifacts = await github.paginate(
+              github.rest.actions.listWorkflowRunArtifacts,
+              {
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                run_id: ${{ github.event.workflow_run.id }},
+              }
+            );
+
+            const reportArtifacts = artifacts.filter(a => a.name.startsWith('benchmark-report_'));
+            if (reportArtifacts.length === 0) {
+              console.log('No benchmark report artifacts found.');
+              return;
+            }
+
+            fs.mkdirSync('reports', { recursive: true });
+
+            for (const artifact of reportArtifacts) {
+              const zip = await github.rest.actions.downloadArtifact({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                artifact_id: artifact.id,
+                archive_format: 'zip',
+              });
+
+              const dir = path.join('reports', artifact.name);
+              fs.mkdirSync(dir, { recursive: true });
+              fs.writeFileSync(path.join(dir, 'artifact.zip'), Buffer.from(zip.data));
+            }
+
+      - name: Extract artifacts
+        run: |
+          for dir in reports/benchmark-report_*/; do
+            if [ -f "$dir/artifact.zip" ]; then
+              unzip -o "$dir/artifact.zip" -d "$dir"
+              rm "$dir/artifact.zip"
+            fi
+          done
+
+      - name: Find PR number
+        id: pr
+        uses: actions/github-script@v9
+        with:
+          script: |
+            // Get the PR associated with this workflow run
+            const run = await github.rest.actions.getWorkflowRun({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              run_id: ${{ github.event.workflow_run.id }},
+            });
+
+            // pull_requests array on the run object
+            const prs = run.data.pull_requests;
+            if (prs && prs.length > 0) {
+              core.setOutput('number', prs[0].number);
+              return;
+            }
+
+            // Fallback: search for a PR matching the head branch/sha
+            const head_sha = run.data.head_sha;
+            const pulls = await github.rest.pulls.list({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'open',
+              head: `${context.repo.owner}:${run.data.head_branch}`,
+            });
+
+            const match = pulls.data.find(p => p.head.sha === head_sha);
+            if (match) {
+              core.setOutput('number', match.number);
+            } else {
+              core.setOutput('number', '');
+              console.log('Could not determine PR number, skipping comment.');
+            }
+
+      - name: Post combined benchmark results to PR
+        if: ${{ steps.pr.outputs.number != '' }}
+        uses: actions/github-script@v9
+        with:
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+
+            const reportsDir = 'reports';
+            if (!fs.existsSync(reportsDir)) {
+              console.log('No benchmark reports found, skipping comment.');
+              return;
+            }
+
+            // Collect all report files from subdirectories
+            const sections = [];
+            const dirs = fs.readdirSync(reportsDir).sort();
+            for (const dir of dirs) {
+              const mdPath = path.join(reportsDir, dir, 'benchmark.md');
+              if (!fs.existsSync(mdPath)) continue;
+
+              // Extract hypervisor/cpu from artifact name: benchmark-report_OS_hypervisor_cpu
+              const parts = dir.replace('benchmark-report_', '').split('_');
+              const os = parts[0];
+              const hypervisor = parts.slice(1, -1).join('_');
+              const cpu = parts[parts.length - 1];
+              const label = `${hypervisor} / ${cpu} (${os})`;
+
+              const content = fs.readFileSync(mdPath, 'utf8').trim();
+              sections.push(`<details>\n<summary><b>${label}</b></summary>\n\n${content}\n\n</details>`);
+            }
+
+            if (sections.length === 0) {
+              console.log('No benchmark report content found, skipping comment.');
+              return;
+            }
+
+            const body = `## Benchmark Results\n\n${sections.join('\n\n')}`;
+
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: Number('${{ steps.pr.outputs.number }}'),
+              body: body,
+            });

Justfile

@@ -401,12 +401,10 @@ bench-download os hypervisor cpu tag="":
 
 # Warning: compares to and then OVERWRITES the given baseline
 bench-ci baseline features="":
-    @# Benchmarks are always run with release builds for meaningful results
-    cargo bench --profile=release {{ if features =="" {''} else { "--features " + features } }} -- --verbose --save-baseline {{ baseline }}
+    cargo ci bench {{ if features == "" {''} else { "--features " + features } }} --verbose --save-baseline {{ baseline }}
 
 bench features="":
-    @# Benchmarks are always run with release builds for meaningful results
-    cargo bench --profile=release {{ if features =="" {''} else { "--features " + features } }} -- --verbose
+    cargo ci bench {{ if features == "" {''} else { "--features " + features } }} --verbose
 
 ###############
 ### FUZZING ###