[repository-quality] Repository Quality Improvement Report — Performance (2026-06-26)

[github-actions[bot]]

🎯 Repository Quality Improvement Report — Performance

Analysis Date: 2026-06-26
Focus Area: Performance
Strategy Type: Standard (random=62, tier 60–89)
Custom Area: No

Executive Summary

This run examined startup cost, hot-path regexp usage, and benchmark regression detection. Three production gaps were found: the 648 KB mainWorkflowSchema is unmarshalled up to 4 times per process (a shared getParsedSchemaDoc() already exists but schema_deprecation.go bypasses it); applySanitizePattern recompiles a dynamic regexp on every call with no cache; and permissions_toolset_data.go eagerly JSON-parses toolset data in init() for all commands including those that never validate permissions. The bench CI job produces artifacts but has no regression threshold — a 2× slowdown merges silently.

Full Analysis

Current State Assessment

Metric	Value	Status
init() functions in production code	8	⚠️
init() doing eager JSON unmarshal	1 (permissions_toolset_data.go)	❌
mainWorkflowSchema (648 KB) parse instances/process	up to 4	❌
regexp.MustCompile in function bodies (dynamic)	3	⚠️
CI bench job with regression threshold	0	❌
sync.Once lazy-init usages	40+	✅
Package-level regexp vars (correctly hoisted)	25+	✅

Key Findings

[HIGH] schema_deprecation.go independently parses mainWorkflowSchema twice (lines 43 and 168) under separate sync.Once blocks. getParsedSchemaDoc(mainWorkflowSchema) in the same package caches this parse — neither deprecation function uses it.

[HIGH] pkg/stringutil/sanitize.go:143 — regexp.MustCompile('[^' + allowedChars + ']+') runs on every applySanitizePattern call. There are at most 4 distinct allowedChars values in practice; a sync.Map cache would make compilation a one-time cost.

[MEDIUM] pkg/workflow/permissions_toolset_data.go:39 — init() unmarshals 6.6 KB embedded JSON unconditionally at startup. Commands like gh aw run, gh aw compile, and gh aw logs never touch toolsetPermissionsMap.

[MEDIUM] CI bench job (.github/workflows/cgo.yml ~line 906) saves results as artifacts but never invokes benchstat or fails on regression.

[LOW] safe_update_enforcement.go:138 and runtime_definitions.go:179 both iterate knownRuntimes in separate init() calls; runtimeActionRepos map[string]bool duplicates a subset of actionRepoToRuntime.

---

🤖 Tasks for Copilot Agent

NOTE TO PLANNER AGENT: Split the following tasks into individual work items.

Task 1: Share parsed schema doc in schema_deprecation.go

Priority: High | Effort: Small
Code Region: pkg/parser/schema_deprecation.go

Replace the two independent json.Unmarshal([]byte(mainWorkflowSchema), &schemaDoc) calls in GetMainWorkflowDeprecatedFields (line ~43) and GetMainWorkflowDeprecatedFieldsDeep (line ~168) with calls to getParsedSchemaDoc(mainWorkflowSchema) (same package, schema_compiler.go). Type-assert the any result to map[string]any. The result-caching sync.Once blocks for the deprecated-fields slices themselves should remain; only the JSON-parse step is removed.

Acceptance Criteria:

• Both functions call getParsedSchemaDoc(mainWorkflowSchema) instead of their own json.Unmarshal
• go test ./pkg/parser/... passes
• make lint passes

---

Task 2: Cache dynamic regexp in applySanitizePattern

Priority: High | Effort: Small
Code Region: pkg/stringutil/sanitize.go

Add var sanitizePatternCache sync.Map at package level. In applySanitizePattern (line 142), load from the cache keyed by allowedChars; compile and store only on miss. The regexpcompileinfunction linter exempts dynamic (non-constant) patterns, so no //nolint comment is needed.

Acceptance Criteria:

• Package-level sanitizePatternCache sync.Map declared
• applySanitizePattern uses Load/Store pattern (no double-compile race)
• go test ./pkg/stringutil/... passes
• make lint passes

---

Task 3: Convert permissions_toolset_data.go init() to lazy sync.Once

Priority: Medium | Effort: Small
Code Region: pkg/workflow/permissions_toolset_data.go, pkg/workflow/permissions_validation.go, pkg/workflow/github_toolsets.go

Remove the init() function. Add var toolsetPermissionsOnce sync.Once and a private getToolsetPermissionsMap() accessor that runs the unmarshal+build logic lazily. Replace direct toolsetPermissionsMap reads in permissions_validation.go:142 and github_toolsets.go:78 with getToolsetPermissionsMap().

Acceptance Criteria:

• init() removed; sync.Once lazy init added
• All callsites of toolsetPermissionsMap go through the accessor
• go test ./pkg/workflow/... passes
• make lint passes

---

Task 4: Add benchmark regression threshold to CI bench job

Priority: Medium | Effort: Medium
Code Region: .github/workflows/cgo.yml bench job (~line 906) — check for a .md source and update that instead, then make recompile

Install benchstat (go install golang.org/x/perf/cmd/benchstat@latest), download the previous artifact (continue-on-error: true), run benchstat old.txt new.txt, and fail the step if any benchmark's delta exceeds +20%. Upload new results as the artifact for future runs. If no previous artifact exists, skip comparison and just upload.

Acceptance Criteria:

• benchstat installed in bench job
• Previous results downloaded with continue-on-error: true
• benchstat output added to step summary
• Step fails on >20% regression in any benchmark
• New results uploaded for future comparison
• Workflow compiles and lints pass

---

Task 5: Eliminate redundant knownRuntimes init() in safe_update_enforcement.go

Priority: Low | Effort: Small
Code Region: pkg/workflow/safe_update_enforcement.go, pkg/workflow/runtime_definitions.go

safe_update_enforcement.go builds runtimeActionRepos map[string]bool in init(). runtime_definitions.go already builds actionRepoToRuntime map[string]*Runtime covering the same keys. Replace runtimeActionRepos[repo] checks with actionRepoToRuntime[repo] != nil, and remove runtimeActionRepos and its init().

Acceptance Criteria:

• runtimeActionRepos and its init() removed from safe_update_enforcement.go
• Callers use actionRepoToRuntime[repo] != nil instead
• go test ./pkg/workflow/... passes
• make lint passes

---

📊 Historical Context

Previous Focus Areas

Date	Focus Area	Type	Custom
2026-06-24	Import Pipeline Reliability	Custom	Y
2026-06-23	AIC Attribution Completeness	Custom	Y
2026-06-22	Context Propagation (reuse)	Reuse	N
2026-06-19	Compilation Idempotence	Custom	Y
2026-06-18	Race Detector Gap	Custom	Y

📈 Success Metrics

• Schema parses per process: 4 → 2
• Regexp recompilations in sanitization: N/call → 1/unique pattern
• Startup JSON parse for non-validation commands: 6.6 KB → 0 KB
• Silent bench regressions: undetected → fail on >20% delta

Next Steps

1. Assign Tasks 1–2 to Copilot coding agent (high priority, small effort)
2. Schedule Tasks 3–4 for this month
3. Re-evaluate performance in 2–3 weeks

References: §28241112820

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"

See Network Configuration for more information.

Generated by ⚡ Repository Quality Improvement Agent · 88.9 AIC · ⌖ 11.5 AIC · ⊞ 6.7K · ◷

• expires on Jun 27, 2026, 5:39 AM UTC-08:00

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-27T13:39:29.582Z.

Closed by Workflow