ci(compliance): hard MB cap on the report tarball so #671 can't recur#677
Open
avrabe wants to merge 1 commit into
Open
ci(compliance): hard MB cap on the report tarball so #671 can't recur#677avrabe wants to merge 1 commit into
avrabe wants to merge 1 commit into
Conversation
v0.4.x / v0.7-0.9 shipped ~800 MB compliance-report tarballs (~5.4 GB of stale release storage) because build output was bundled by mistake. The producer has since been fixed (v0.13.0+ is 1-2 MB), but nothing stops the regression from recurring. Adds a hard `max-archive-size-mb` cap (default 50 MB) on the compliance composite action: - Emits `compliance report size: N MB` and a step-summary table on green so a slow creep is visible before it trips the cap. - Fails with a `::error::` line that names #671 when the tarball exceeds the cap; message points at the likely root cause (build output packed into the report directory). - Cap of 0 disables the guard for callers that intentionally emit the multi-page dashboard (100s of MB). Guard logic is extracted to `verify_archive_size.sh` and exercised by `verify_archive_size_test.sh` (6 cases: under-cap, over-cap with #671 marker, disable-via-zero, missing-file usage error, ~2 MB reference shape under default, no-args usage error). The test runs in the existing yaml-lint job so a broken guard fails PRs early — no compile cost added. Scope: Part A of the #671 remediation (additive-only, no existing artifact touched). Part B — deleting the 7 stale ~800 MB assets on v0.4.x/v0.7-0.9 releases — is destructive, public-facing, and requires maintainer sign-off; it is filed separately per the triage AC. Trace: skip Refs: #671
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Scope: Part A of the #671 remediation (additive-only CI defense).
v0.4.x / v0.7-0.9 shipped ~800 MB compliance-report tarballs — a report is HTML + YAML + SVG and should be single-digit MB. The producer has since been fixed (v0.13.0+ is 1-2 MB), but nothing stopped the regression from recurring.
This PR adds a hard
max-archive-size-mbcap on the compliance composite action:0disables.::error::line naming Compliance-report packaging bug left ~800MB assets on v0.4.x / v0.7–0.9 releases #671 when the tarball exceeds the cap; the message points at the likely root cause (build output packed into the report directory) so an operator sees the shape immediately, not a bare exit code.compliance report size: N MBand a step-summary table on green so a slow creep is visible before it trips the cap.verify_archive_size.sh(not inline YAML) so it is independently testable.Test plan
bash .github/actions/compliance/verify_archive_size_test.sh— 6/6 pass:exceeds 1 MB cap, message contains#671, step-summary skipped.shellcheckclean on both scripts.yamllintclean onaction.yml+ci.yml(only pre-existing warnings on unrelated lines).build-compliancestep should printcompliance report size: 1-2 MBand emit the summary table (real-world verification the AC calls "operational verification").Acceptance-criteria mapping (Part A, from the #671 triage comment)
.github/actions/compliance/action.yml. Default of 50 MB lives on the input.verify_archive_size.shemitscompliance report is ${SIZE_MB} MB, exceeds ${MAX_MB} MB capwith the::error::prefix.compliance report size: N MBand appends a### Compliance report sizetable to$GITHUB_STEP_SUMMARY.verify_archive_size_test.shincludes a 2 MB reference-shape case and 5 additional edge cases; wired into the yaml-lint job on every PR.Trace: skip+Refs: #671What's not in this PR
Part B — deleting the 7 stale ~800 MB assets on
v0.4.x/v0.7-0.9release pages — is a public-facing, non-reversible action against tagged releases. Per the triage AC on the issue it needs an explicit "yes, delete these seven assets" comment from @avrabe before a deletion branch opens. Filing that as a separate PR keeps the blast radii separated.Closes #671 (Part A)
🤖 Generated with Claude Code — issue-triage routine run.
Generated by Claude Code