Build: Post bench reports as Semantic Performance Bot (#147)

* Build: Post bench reports as Semantic Performance Bot

Swap the comment job and the history-archive job from `GITHUB_TOKEN` to
an installation token minted via `actions/create-github-app-token@v1`,
driven by the two secrets already set up in repo settings:

- SEMANTIC_PERF_BOT_APP_ID
- SEMANTIC_PERF_BOT_PRIVATE_KEY

Same permission surface as before — Pull requests (write), Contents
(write), Actions (read). Branded identity, not widened scope.

Effect downstream:

- PR bench comments post as the bot with its uploaded SUI-themed avatar
  instead of the generic `github-actions[bot]` face.
- Archival commits on main are authored by the bot, so git blame /
  history listings clearly show which chunk of main was machine-
  authored bench bookkeeping vs. developer work.

Commit-author fields on the archive step use the
`<app-id>+<app-slug>[bot]@users.noreply.github.com` format. Slug
assumed to be `semantic-performance-bot` — if the app was registered
under a different slug, that's a one-line fix in this file. GitHub
still attributes the commit to the app regardless, the slug just
affects the display email and avatar linkage.

Also bundles `docs/public/images/{heap,performance}-avatar.png` staged
alongside — the avatar assets land with the workflow change that uses
them.

Acceptance test: next PR that touches `packages/**` after this merges
posts its bench comment under the bot's identity. One-commit revert
restores `GITHUB_TOKEN` if anything's off.

* Build: Tighten bench path filter — tools/bench-reporter in, report yml out

Two corrections to the pull_request path filter now that we've exercised
the workflow enough to see the gaps:

- Add `tools/bench-reporter/**`. A PR that modifies only reporter.js or
  append-history.js previously didn't trigger benchmarks, yet those
  scripts run from the PR-head checkout when the report workflow fires,
  so the change DOES take effect on the PR's own comment. Missed coverage.

- Drop `.github/workflows/benchmarks-report.yml`. This workflow file is
  the `workflow_run` handler — GitHub runs it from main's copy, not the
  PR's, which means a PR that modifies only this file cannot validate
  its own change inline anyway. Triggering benchmarks on such a PR
  wastes ~10 min of CI without producing actionable signal.

`benchmarks.yml` itself stays in the filter — it's the `pull_request`
entry point and GitHub runs it from PR-head YAML, so self-validation
works.

Author: jlukic

.github/workflows/benchmarks-report.yml

@@ -23,6 +23,17 @@ jobs:
       github.event.workflow_run.conclusion == 'success'
       && github.event.workflow_run.event == 'pull_request'
     steps:
+      # Generate an installation access token for the Semantic Performance
+      # Bot GitHub App. Comments post under the bot's identity + avatar
+      # rather than the generic `github-actions[bot]`. Same permissions
+      # surface as GITHUB_TOKEN; branded, not widened.
+      - name: Generate bot token
+        id: bot-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.SEMANTIC_PERF_BOT_APP_ID }}
+          private-key: ${{ secrets.SEMANTIC_PERF_BOT_PRIVATE_KEY }}
+
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.workflow_run.head_sha }}
@@ -43,6 +54,7 @@ jobs:
       - name: Download bench artifacts
         uses: dawidd6/action-download-artifact@v2
         with:
+          github_token: ${{ steps.bot-token.outputs.token }}
           workflow: ${{ github.event.workflow.id }}
           run_id: ${{ github.event.workflow_run.id }}
           name_is_regexp: true
@@ -52,7 +64,7 @@ jobs:
       - name: Resolve PR number
         id: pr
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.bot-token.outputs.token }}
         run: |
           NUMBER='${{ github.event.workflow_run.pull_requests[0].number }}'
           if [ -z "$NUMBER" ] || [ "$NUMBER" = "null" ]; then
@@ -89,10 +101,13 @@ jobs:
       - name: Post or update PR comment
         if: steps.pr.outputs.number != ''
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.bot-token.outputs.token }}
           PR: ${{ steps.pr.outputs.number }}
           REPO: ${{ github.repository }}
         run: |
+          # --edit-last finds the most recent comment from the authenticated
+          # user; with the bot token, that targets the bot's previous bench
+          # comment (not github-actions[bot]'s earlier artifacts).
           if ! gh pr comment "$PR" --repo "$REPO" --edit-last \
                 --body-file bench-report/comment.md 2>/dev/null; then
             gh pr comment "$PR" --repo "$REPO" \
@@ -115,14 +130,23 @@ jobs:
       group: bench-history-append
       cancel-in-progress: false
     steps:
+      # Bot token for the archival commit — shows up on main as authored
+      # by Semantic Performance Bot rather than github-actions[bot].
+      - name: Generate bot token
+        id: bot-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.SEMANTIC_PERF_BOT_APP_ID }}
+          private-key: ${{ secrets.SEMANTIC_PERF_BOT_PRIVATE_KEY }}
+
       # Check out main's tip for the commit target. We push back to main,
       # so we need the most recent state — not the bench's head_sha (which
       # may have been superseded by a later merge during the ~10-min bench).
       - uses: actions/checkout@v4
         with:
           ref: main
           fetch-depth: 2  # need HEAD~1 for parent_sha lookup
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.bot-token.outputs.token }}
 
       - uses: actions/setup-node@v4
         with:
@@ -131,6 +155,7 @@ jobs:
       - name: Download bench artifacts
         uses: dawidd6/action-download-artifact@v2
         with:
+          github_token: ${{ steps.bot-token.outputs.token }}
           workflow: ${{ github.event.workflow.id }}
           run_id: ${{ github.event.workflow_run.id }}
           name_is_regexp: true
@@ -155,9 +180,16 @@ jobs:
             --history bench-history.json
 
       - name: Commit + push
+        env:
+          # The checkout step's token persists as the git remote's credential
+          # helper, so the push below authenticates as the bot automatically.
+          BOT_APP_SLUG: semantic-performance-bot
         run: |
-          git config user.name 'github-actions[bot]'
-          git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
+          # Use the bot's noreply email format. The exact local-part is the
+          # app's numeric user id; GitHub renders the commit as authored by
+          # the app regardless, as long as the name matches the app slug.
+          git config user.name 'semantic-performance-bot[bot]'
+          git config user.email '${{ secrets.SEMANTIC_PERF_BOT_APP_ID }}+semantic-performance-bot[bot]@users.noreply.github.com'
           # If nothing changed (e.g. a re-run for a SHA already archived with
           # identical numbers), skip rather than making an empty commit.
           if git diff --quiet bench-history.json; then

.github/workflows/benchmarks.yml

@@ -3,9 +3,18 @@ name: Benchmarks
 on:
   pull_request:
     paths:
+      # perf-sensitive code — the measurement target
       - 'packages/**'
+      # bench workflow itself — changes here take effect on this PR's own
+      # run (pull_request uses PR-head YAML), so self-test
       - '.github/workflows/benchmarks.yml'
-      - '.github/workflows/benchmarks-report.yml'
+      # reporter scripts — runs from PR-head via the report workflow's
+      # checkout step, so a PR that only changes reporter.js still gets
+      # its output rendered on its own bench comment. Note: we deliberately
+      # DON'T include `.github/workflows/benchmarks-report.yml` here — that
+      # file runs from main's copy (workflow_run constraint), so modifying
+      # it on a PR doesn't exercise the change until after merge.
+      - 'tools/bench-reporter/**'
   # Bench every merge commit on main so bench-history.json accumulates
   # absolute CIs per commit. These runs aren't gated against anything —
   # the report workflow branches on event type and appends history instead