github robintra/perf-sentinel v0.4.5


What's new in v0.4.5

CI and security hardening release. Adds a supply-chain-pinned Dependabot, surfaces Clippy findings in the GitHub Security tab via SARIF, publishes a SECURITY.md disclosure policy, and polishes the above-the-fold README so the first screen reads like a product demo instead of a license disclaimer. Zero Rust source changes, zero binary behavior changes.

Added

  • Dependabot configuration (.github/dependabot.yml): weekly (Monday 06:00 Europe/Paris) GitHub Actions updates, grouped to keep PR noise in check (ci-actions, docker-actions, security-actions, other-actions). Cargo dependencies are deliberately not tracked by Dependabot because cargo audit (see security-audit.yml) already covers the security angle and dozens of minor/patch crate bumps would drown the review queue for a solo project. Crate updates stay manual via cargo update when needed.
  • Code Scanning workflow (.github/workflows/code-scanning.yml): runs Clippy with --message-format=json, converts the output to SARIF via clippy-sarif, and uploads it to GitHub Code Scanning so Clippy warnings show up as actionable entries in the repo Security tab. Purely complementary to ci.yml (which remains the authoritative quality gate with -D warnings). The job does not fail the build; it only surfaces findings. Triggered on push/PR against main (limited to Rust and workflow paths so README-only pushes do not consume CI minutes) and on a weekly cron to catch drift.
  • SECURITY.md at the repo root: responsible-disclosure policy, supported-versions matrix (latest minor only pre-1.0), response-time SLAs, and an explicit out-of-scope list (a self-hosted daemon bound to 0.0.0.0 with no firewall in front of it, user misconfigurations that leak their own traces, etc.). Linked from the repo Security tab.

Changed

  • All third-party GitHub Actions pinned to SHA + version comment across ci.yml, release.yml, security-audit.yml, and the new code-scanning.yml. Pattern: uses: actions/checkout@<40-char-sha> # v4.1.1. This protects against compromised tag re-pushes (a real attack vector after the tj-actions/changed-files incident). Dependabot keeps the SHAs fresh without defeating the pinning: each bump PR updates both the SHA and the trailing version comment.
  • CI path filters (.github/workflows/ci.yml, .github/workflows/code-scanning.yml): docs-only pushes no longer trigger the Rust toolchain install + cargo test + llvm-cov pipeline. Rust test runs fire only when crates/**, tests/**, Cargo.toml, Cargo.lock, .github/workflows/**, or sonar-project.properties (CI only) change. Saves ~7 minutes of CI per README tweak. The weekly cron on code-scanning.yml still catches drift even when no code lands.
  • SonarCloud integration tightened (ci.yml + sonar-project.properties): the scan step is gated on env.SONAR_TOKEN != '', so Dependabot PRs (which do not receive repo secrets on the pull_request event) no longer fail the pipeline with "SONAR_TOKEN is not set". Separately, sonar.rust.clippy.reportPaths is wired to the clippy-report.json produced by ci.yml, and the server-side Clippy auto-run is disabled (sonar.rust.clippy.enable=false) to avoid duplicate noisy warnings against the repo.
  • cargo-llvm-cov install migrated from cargo install --locked cargo-llvm-cov to taiki-e/install-action with tool: cargo-llvm-cov. Uses the upstream prebuilt binary and cuts ~2 minutes off every ci.yml run on a cold cache.
  • codeql-action bumped from v3.35.2 to v4.35.2 in the security-actions Dependabot group (#6). Only the SARIF upload step in code-scanning.yml is affected.
  • README restructured (README.md + README-FR.md): the sample analyze output now appears above the fold, ahead of the feature matrix, so the first screen reads like a tool demo instead of a positioning statement. Redundant carbon-scoring disclaimers removed from the intro (they already live in the dedicated GreenOps section). Image references switched to absolute raw.githubusercontent.com URLs so previews render correctly on crates.io and on forks that do not serve the repo root. Comparison table rebalanced (perf-sentinel vs. p6spy / SpotBugs / SonarQube rules / etc.) to remove marketing gaps and keep each row factual.
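The SHA-pinning pattern above is only as good as the check that enforces it. As an added example (not code from the perf-sentinel repository), the POSIX shell script below audits workflow files for every remote `uses:` reference and reports any that is not pinned to a 40-hex-character commit SHA with a trailing version comment, which is exactly what a tag re-push attack exploits. The sample workflow it audits when run without arguments is constructed, and the SHA in it is a placeholder, not a real commit; local (`./`) and `docker://` actions are skipped because they are not tag-re-push targets.

```shell
#!/bin/sh
# Added example (not part of perf-sentinel): audit GitHub Actions workflow files
# for `uses:` references that do not follow the pinning pattern
#     uses: owner/action@<40-hex commit sha> # vX.Y.Z
# A mutable tag (@v4) can be re-pointed by whoever controls the action repo;
# a full commit SHA cannot, and the trailing version comment is what lets a
# reviewer (or Dependabot) see which release the SHA corresponds to.
set -u

# check_uses_line LINE
# Returns 0 when LINE is not a remote `uses:` entry or is correctly pinned.
# Otherwise prints the reason on stdout and returns 1.
check_uses_line() {
  line=$1
  case "$line" in
    *"uses:"*) ;;
    *) return 0 ;;                      # not a uses: line at all
  esac
  # Value after "uses:" with quotes dropped; the ref ends at the first '#'.
  value=$(printf '%s\n' "$line" | sed 's/^[^:]*uses:[[:space:]]*//' | tr -d "\"'")
  ref=$(printf '%s\n' "${value%%#*}" | sed 's/[[:space:]]*$//')
  comment=${value#"$ref"}
  case "$ref" in
    ./*|docker://*) return 0 ;;         # local path or container image: out of scope
  esac
  sha=${ref#*@}
  if [ "$sha" = "$ref" ]; then
    printf 'unpinned (no @ref at all): %s\n' "$ref"; return 1
  fi
  if ! printf '%s\n' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
    printf 'not pinned to a full commit SHA: %s\n' "$ref"; return 1
  fi
  if ! printf '%s\n' "$comment" | grep -Eq '^[[:space:]]*#[[:space:]]*v?[0-9]'; then
    printf 'SHA without a trailing version comment: %s\n' "$ref"; return 1
  fi
  return 0
}

# audit_workflow_file FILE: prints "FILE:LINE: reason" for each violation.
audit_workflow_file() {
  file=$1; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    msg=$(check_uses_line "$line") || printf '%s:%s: %s\n' "$file" "$n" "$msg"
  done < "$file"
}

# count_violations FILE: number of violating lines, printed on stdout.
count_violations() {
  audit_workflow_file "$1" | wc -l | tr -d ' '
}

# Constructed sample workflow (the SHA is a placeholder, not a real commit).
# Expected findings: the setup-node line (mutable tag) and the some-org line
# (SHA but no version comment); checkout, the local action and docker:// pass.
write_sample_workflow() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: actions/setup-node@v4
      - uses: "some-org/some-action@0123456789abcdef0123456789abcdef01234567"
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
EOF
  printf '%s\n' "$f"
}

# With no arguments, audit the constructed sample; otherwise audit the given files.
if [ $# -eq 0 ]; then
  set -- "$(write_sample_workflow)"
fi
for wf in "$@"; do
  audit_workflow_file "$wf"
done
```

In a real checkout you would run it as `sh pin-audit.sh .github/workflows/*.yml` and fail the job when it prints anything. The version-comment check matters as much as the SHA check: without the comment, a Dependabot bump PR that updates only the SHA gives the reviewer nothing human-readable to compare against the upstream release.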

Install

Prebuilt binaries (Linux amd64 / arm64, macOS arm64, Windows amd64):

curl -LO https://github.com/robintra/perf-sentinel/releases/download/v0.4.5/perf-sentinel-linux-amd64
chmod +x perf-sentinel-linux-amd64
sudo mv perf-sentinel-linux-amd64 /usr/local/bin/perf-sentinel

From crates.io:

cargo install perf-sentinel

Docker:

docker pull robintrassard/perf-sentinel:0.4.5

Also available on GHCR: ghcr.io/robintra/perf-sentinel:0.4.5.

Verify the binary against SHA256SUMS.txt:

curl -LO https://github.com/robintra/perf-sentinel/releases/download/v0.4.5/SHA256SUMS.txt
sha256sum -c SHA256SUMS.txt --ignore-missing

Full diff: v0.4.4...v0.4.5
