
ci: add daily PyPI storage quota monitoring#705

Merged
qing-ant merged 15 commits intomainfrom
qing/pypi-quota-monitoring
Mar 20, 2026

Conversation

@qing-ant (Contributor) commented Mar 20, 2026

Adds a daily GitHub Actions job that queries the PyPI simple JSON API, sums up total project size and the largest file, and posts to Slack (same channel as issue notifications) when either crosses 80% of the configured limits (50 GiB project / 100 MiB file).

The v0.1.49 publish failed because we hit the original 10 GiB project quota — PyPI has since granted a 50 GiB increase, but this gives us advance warning before we approach the new ceiling.

Current state (verified locally against the 50 GiB limit):

Package:        claude-agent-sdk
Files on PyPI:  226
Project usage:  10.21 GiB / 50.00 GiB (20.4%)
Largest file:   73.71 MiB / 100.00 MiB (73.7%)

Limits are overridable via workflow_dispatch inputs if the quota changes again.
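The check described above, as an added stand-alone illustration rather than the project's own `scripts/check_pypi_quota.py`: it reads a project page in the PyPI simple JSON API shape (PEP 691, with the PEP 700 `size` field), sums file sizes, finds the largest file, compares both against configurable limits at an 80% threshold, prints the `::warning::` annotation to stdout, and appends `alert`/`summary` outputs to `GITHUB_OUTPUT`. It goes one step beyond the description by also raising the alert when the index omits a file's size, since the total would then be an undercount. The sample index, the environment variable names (`PYPI_PROJECT`, `PROJECT_LIMIT_GIB`, `FILE_LIMIT_MIB`) and all function names are assumptions made for this example.

```python
"""Illustrative PyPI storage-quota check (added example, not the project's script)."""
import json
import os
import secrets
import urllib.request
from dataclasses import dataclass

GIB = 1024 ** 3
MIB = 1024 ** 2

# Constructed sample in the shape of the PyPI simple JSON API (PEP 691 plus the
# PEP 700 "size" field). Sizes are made up; this is not a real index page.
SAMPLE_INDEX = {
    "name": "example-package",
    "files": [
        {"filename": "example-0.1.0-py3-none-any.whl", "size": 12 * MIB},
        {"filename": "example-0.1.0.tar.gz", "size": 3 * MIB},
        {"filename": "example-0.1.1-cp312-cp312-win_amd64.whl", "size": 90 * MIB},
        {"filename": "example-0.1.1.tar.gz"},  # "size" absent: unknown, not zero
    ],
}


@dataclass
class QuotaReport:
    name: str
    files: int
    unsized: int          # files whose size the index did not report
    total_bytes: int
    largest_bytes: int
    largest_name: str
    project_limit: int
    file_limit: int
    threshold: float      # 0.8 means "alert at 80% of a limit"

    @property
    def project_frac(self) -> float:
        return self.total_bytes / self.project_limit

    @property
    def file_frac(self) -> float:
        return self.largest_bytes / self.file_limit

    @property
    def alert(self) -> bool:
        # Alert when either limit is near its ceiling, or when the sum is known to
        # be an undercount because some files carried no size.
        return (self.project_frac >= self.threshold
                or self.file_frac >= self.threshold
                or self.unsized > 0)

    def summary(self) -> str:
        files_line = f"Files on PyPI:  {self.files}"
        if self.unsized:
            files_line += f" ({self.unsized} without a reported size)"
        return "\n".join([
            f"Package:        {self.name}",
            files_line,
            f"Project usage:  {self.total_bytes / GIB:.2f} GiB / "
            f"{self.project_limit / GIB:.2f} GiB ({self.project_frac:.1%})",
            f"Largest file:   {self.largest_bytes / MIB:.2f} MiB / "
            f"{self.file_limit / MIB:.2f} MiB ({self.file_frac:.1%}) [{self.largest_name}]",
        ])


def fetch_index(project: str) -> dict:
    """Read-only, unauthenticated fetch of the project's simple-API JSON page."""
    req = urllib.request.Request(
        f"https://pypi.org/simple/{project}/",
        headers={"Accept": "application/vnd.pypi.simple.v1+json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize(index: dict, project_limit: int, file_limit: int,
              threshold: float = 0.8) -> QuotaReport:
    """Sum reported sizes, track the largest file and count files without a size."""
    total, unsized, largest = 0, 0, (0, "")
    for entry in index["files"]:
        size = entry.get("size")
        if size is None:
            unsized += 1
            continue
        total += size
        if size > largest[0]:
            largest = (size, entry["filename"])
    return QuotaReport(index["name"], len(index["files"]), unsized, total,
                       largest[0], largest[1], project_limit, file_limit, threshold)


def write_outputs(report: QuotaReport, output_path: str) -> None:
    """Append outputs in GITHUB_OUTPUT format. The multi-line summary uses the
    documented heredoc form with a random delimiter, so a filename that happens
    to contain the delimiter text cannot terminate the value early."""
    delim = f"ghadelim_{secrets.token_hex(8)}"
    with open(output_path, "a", encoding="utf-8") as out:
        out.write(f"alert={'true' if report.alert else 'false'}\n")
        out.write(f"summary<<{delim}\n{report.summary()}\n{delim}\n")


def main() -> int:
    project_limit = int(float(os.environ.get("PROJECT_LIMIT_GIB", "50")) * GIB)
    file_limit = int(float(os.environ.get("FILE_LIMIT_MIB", "100")) * MIB)
    # Offline demo uses the constructed sample; set PYPI_PROJECT to query the live index.
    project = os.environ.get("PYPI_PROJECT")
    index = fetch_index(project) if project else SAMPLE_INDEX
    report = summarize(index, project_limit, file_limit)
    print(report.summary())
    if report.alert:
        # The runner parses workflow commands from stdout, so the annotation goes there.
        print("::warning::PyPI storage usage is above the alert threshold")
    if "GITHUB_OUTPUT" in os.environ:
        write_outputs(report, os.environ["GITHUB_OUTPUT"])
    return 0  # completing the check is success; the workflow gates on the alert output


if __name__ == "__main__":
    raise SystemExit(main())
```

Returning 0 once the check completes matches the approach the commit messages below describe: the job only fails on genuine crashes, and the Slack/fail steps key off the `alert` output, which in turn lets the workflow skip them on pull-request events without special-casing exit codes.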

Adds a daily GitHub Actions job that queries the PyPI simple JSON API,
sums up total project size and the largest file, and posts to Slack when
either crosses 80% of the documented limits (10 GiB project / 100 MiB
file). Limits are overridable via workflow_dispatch once our quota
increase is granted.
@claude claude bot (Contributor) left a comment

LGTM — straightforward CI monitoring addition; the inline nits are minor and non-blocking.

Extended reasoning...

Overview

This PR adds a daily GitHub Actions workflow and accompanying Python script to monitor PyPI storage quota usage and alert via Slack when thresholds are crossed. It was motivated by a real v0.1.49 publish failure due to hitting the 10 GiB project quota. The two new files total ~200 lines and are entirely self-contained CI infrastructure.

Security risks

No meaningful security risks. The script only reads from the public PyPI simple API using urllib.request. The Slack bot token is properly sourced from repository secrets. The toJSON() call in the workflow correctly escapes the summary output, preventing injection into the Slack payload.

Level of scrutiny

This is CI monitoring infrastructure, not production code. The blast radius of any issues is limited to the monitoring job itself — worst case, an alert is missed or a false alert is sent. The code follows straightforward patterns (fetch JSON, compute percentages, write GITHUB_OUTPUT). The two bugs found are both nits: continue-on-error could silently swallow unexpected crashes, and a ::warning:: annotation is written to stderr instead of stdout. Neither affects the primary alerting path (Slack notification + job failure).

Other factors

The PR is well-documented with a clear description and motivation. The code is clean and readable. The workflow supports workflow_dispatch with overridable limits, which is a nice touch for when a quota increase is granted. No existing tests or code are modified — this is purely additive.

- Script now exits 0 whenever the check completes (over or under
  threshold); workflow relies on the alert output rather than exit code.
  Removing continue-on-error means unexpected crashes now fail the job
  instead of passing green silently.
- ::warning:: annotation goes to stdout (where the Actions runner
  documents parsing workflow commands).
- Cron shifted to 13:23 UTC to avoid the top-of-hour/14:00 scheduler
  queue.
@claude claude bot (Contributor) left a comment

LGTM — all prior feedback addressed, clean CI-only change.

Extended reasoning...

Overview

This PR adds two new files: a GitHub Actions workflow (.github/workflows/pypi-quota-check.yml) that runs daily to monitor PyPI storage quota, and a Python script (scripts/check_pypi_quota.py) that queries the PyPI simple JSON API, computes project size and largest file size, and writes GitHub Actions outputs for Slack alerting. The PR was motivated by a v0.1.49 publish failure due to hitting the 10 GiB project quota.

Security risks

No security concerns. The script only makes an outbound read-only HTTP request to a public PyPI API. The Slack token is sourced from repository secrets. No user input reaches shell commands or SQL. The workflow runs on schedule and workflow_dispatch only — no untrusted PR trigger.

Level of scrutiny

This is a CI monitoring workflow, not production code. It does not affect the SDK library itself, build artifacts, or any runtime behavior. The scope is narrow (2 new files, ~190 lines total), the logic is straightforward, and no existing code is modified. Low scrutiny is appropriate.

Other factors

I previously raised four issues across two review rounds: (1) continue-on-error: true silently swallowing script crashes, (2) ::warning:: written to stderr instead of stdout, (3) docstring claiming "Exits non-zero" while main() returns 0, and (4) accidental inclusion of .claude/worktrees/ files. All four have been resolved — the inline comments are marked as resolved, and the current diff reflects the fixes. No CODEOWNERS file exists for these paths. No bugs were found by the bug hunting system. The code is clean and ready to merge.

@qing-ant (Contributor, Author) commented

Bumped the project-limit default to 50 GiB following the PyPI quota increase. The 80% warning threshold now fires at 40 GiB instead of 8 GiB. Per-file limit (100 MiB) unchanged — that's still the PyPI default and we're at 73.7% of it with the win_amd64 wheel.

@claude claude bot (Contributor) left a comment

LGTM — straightforward CI monitoring workflow, all prior feedback addressed.

Extended reasoning...

Overview

This PR adds two new files: a GitHub Actions workflow (.github/workflows/pypi-quota-check.yml) that runs daily to check PyPI storage quota, and a Python script (scripts/check_pypi_quota.py) that queries the PyPI simple JSON API and reports usage. When thresholds are exceeded, it posts to Slack and fails the job.

Security risks

No meaningful security risks. The script only reads from the public PyPI API (no credentials needed). The Slack token is properly stored in secrets. The toJSON() wrapper on the summary output handles escaping for the JSON payload. Workflow inputs are passed through environment variables with bash parameter expansion, avoiding injection concerns. The Slack action is pinned to a specific commit SHA.

Level of scrutiny

This is a CI-only monitoring workflow — it does not touch production code, library source, or any existing files. It is self-contained and low-risk. The appropriate level of scrutiny is light review, which this has received across two prior review rounds.

Other factors

All four issues raised in my previous reviews have been addressed and marked resolved: the continue-on-error silent failure issue (removed), the file=sys.stderr on the workflow command (fixed to stdout), the misleading docstring about exit codes (updated), and the accidentally committed worktree files (removed). The PR now contains only the two intended files with clean, straightforward logic.

The workflow now runs on PRs that touch the check script or the workflow
file itself, so changes get exercised before merge. Slack notifications
and the job-failure signal are skipped on PR events to avoid noise.
@claude claude bot (Contributor) left a comment

LGTM -- all previous feedback addressed, clean CI-only monitoring addition.

Extended reasoning...

Overview

This PR adds two new files: a GitHub Actions workflow and a Python script that together implement daily PyPI storage quota monitoring with Slack alerting. The PR previously had worktree artifacts and minor issues (stderr for workflow commands, docstring inaccuracy, silent failure mode), all of which have been resolved.

Security risks

None. The script only makes an unauthenticated read request to the public PyPI simple JSON API. The Slack token is referenced as a repository secret. No credentials are handled in the script itself, and no user input flows into shell commands unsafely.

Level of scrutiny

This is a CI monitoring workflow -- it does not affect production code, build artifacts, or release processes. It runs daily on a schedule and on PRs that touch its own files. The scope is narrow and self-contained. Low scrutiny is appropriate.

Other factors

All four previous review comments have been marked as resolved. The maintainer confirmed the 50 GiB limit bump. The current diff is clean with only the two intended files. The Slack and fail steps are correctly gated with github.event_name != pull_request to avoid false alerts on PRs.

@claude claude bot (Contributor) left a comment

LGTM — all prior feedback addressed, clean CI-only addition.

Extended reasoning...

Overview

This PR adds two new files: a GitHub Actions workflow (.github/workflows/pypi-quota-check.yml) and a Python script (scripts/check_pypi_quota.py) that together provide daily PyPI storage quota monitoring with Slack alerting. The changes are entirely CI/monitoring infrastructure — no production code is touched.

Security risks

No security concerns. The script only reads from the public PyPI simple API (no authentication needed). The Slack token is properly stored as a GitHub secret. No user input reaches shell commands or SQL. The workflow runs on ubuntu-latest with minimal permissions.

Level of scrutiny

This is a low-risk CI monitoring workflow. It runs daily, has no impact on production code or the build/release pipeline, and failure modes are limited to missing alerts (not broken releases). The code is well-structured, uses only stdlib (no third-party dependencies), and follows standard GitHub Actions patterns.

Other factors

I previously left four inline comments on this PR (continue-on-error silencing crashes, stderr for workflow commands, docstring/exit-code mismatch, and accidental worktree files). All four have been marked resolved, and the current diff confirms the issues were addressed: no continue-on-error, no file=sys.stderr, the docstring correctly says "Sets GitHub Actions outputs", and the .claude/worktrees/ files are no longer in the changeset. The author also confirmed the 50 GiB limit bump. No CODEOWNERS file exists for these paths.

@qing-ant qing-ant merged commit 13e119a into main Mar 20, 2026
11 checks passed
@qing-ant qing-ant deleted the qing/pypi-quota-monitoring branch March 20, 2026 21:42