Merge pull request #897 from entireio/soph/binary-check-ci

check for binaries in PR diff

Author: Soph

.github/workflows/pr-binary-size.yml

@@ -0,0 +1,22 @@
+name: PR Binary Size
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  binary-size:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+
+      - name: Check for oversized binary files
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          MAX_BINARY_SIZE_BYTES: "1048576"
+        run: bash scripts/check-pr-binaries.sh "${BASE_SHA}" "${HEAD_SHA}"

cmd/entire/cli/pr_binary_size_test.go

@@ -0,0 +1,210 @@
+package cli
+
+import (
+	"bytes"
+	"context"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"github.com/entireio/cli/cmd/entire/cli/testutil"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCheckPRBinaries_AddThenDeleteStillFails(t *testing.T) {
+	t.Parallel()
+
+	repoDir := t.TempDir()
+	testutil.InitRepo(t, repoDir)
+	testutil.WriteFile(t, repoDir, "README.md", "init\n")
+	testutil.GitAdd(t, repoDir, "README.md")
+	testutil.GitCommit(t, repoDir, "init")
+	baseSHA := testutil.GetHeadHash(t, repoDir)
+
+	largeBinary := bytes.Repeat([]byte{0}, 1048577)
+	err := os.WriteFile(filepath.Join(repoDir, "oversized.bin"), largeBinary, 0o644)
+	require.NoError(t, err)
+	testutil.GitAdd(t, repoDir, "oversized.bin")
+	testutil.GitCommit(t, repoDir, "add oversized binary")
+
+	headWithBinary := testutil.GetHeadHash(t, repoDir)
+	output, err := runBinaryCheckScript(t, repoDir, baseSHA, headWithBinary)
+	require.Error(t, err)
+	require.Contains(t, output, "oversized.bin")
+
+	runGitCommand(t, repoDir, "rm", "oversized.bin")
+	testutil.GitCommit(t, repoDir, "delete oversized binary")
+
+	output, err = runBinaryCheckScript(t, repoDir, baseSHA, testutil.GetHeadHash(t, repoDir))
+	require.Error(t, err)
+	require.Contains(t, output, "oversized.bin")
+}
+
+func TestCheckPRBinaries_MergeCommitStillFails(t *testing.T) {
+	t.Parallel()
+
+	repoDir := t.TempDir()
+	testutil.InitRepo(t, repoDir)
+	testutil.WriteFile(t, repoDir, "README.md", "init\n")
+	testutil.GitAdd(t, repoDir, "README.md")
+	testutil.GitCommit(t, repoDir, "init")
+	baseSHA := testutil.GetHeadHash(t, repoDir)
+
+	runGitCommand(t, repoDir, "checkout", "-b", "feature")
+	testutil.WriteFile(t, repoDir, "feature.txt", "feature\n")
+	testutil.GitAdd(t, repoDir, "feature.txt")
+	testutil.GitCommit(t, repoDir, "feature change")
+
+	runGitCommand(t, repoDir, "checkout", "-b", "side", baseSHA)
+	largeBinary := bytes.Repeat([]byte{0}, 1048577)
+	err := os.WriteFile(filepath.Join(repoDir, "oversized.bin"), largeBinary, 0o644)
+	require.NoError(t, err)
+	testutil.GitAdd(t, repoDir, "oversized.bin")
+	testutil.GitCommit(t, repoDir, "add oversized binary")
+
+	runGitCommand(t, repoDir, "checkout", "feature")
+	runGitCommand(t, repoDir, "merge", "--no-ff", "side", "-m", "merge side")
+
+	output, err := runBinaryCheckScript(t, repoDir, baseSHA, testutil.GetHeadHash(t, repoDir))
+	require.Error(t, err)
+	require.Contains(t, output, "oversized.bin")
+}
+
+func TestCheckPRBinaries_SmallBinaryPasses(t *testing.T) {
+	t.Parallel()
+
+	repoDir := t.TempDir()
+	testutil.InitRepo(t, repoDir)
+	testutil.WriteFile(t, repoDir, "README.md", "init\n")
+	testutil.GitAdd(t, repoDir, "README.md")
+	testutil.GitCommit(t, repoDir, "init")
+	baseSHA := testutil.GetHeadHash(t, repoDir)
+
+	writeBinaryFile(t, repoDir, "small.bin", bytes.Repeat([]byte{0}, 1024))
+	testutil.GitAdd(t, repoDir, "small.bin")
+	testutil.GitCommit(t, repoDir, "add small binary")
+
+	output, err := runBinaryCheckScript(t, repoDir, baseSHA, testutil.GetHeadHash(t, repoDir))
+	require.NoError(t, err)
+	require.Contains(t, output, "No oversized binary files found.")
+}
+
+func TestCheckPRBinaries_ModifiedOversizedBinaryFails(t *testing.T) {
+	t.Parallel()
+
+	repoDir := t.TempDir()
+	testutil.InitRepo(t, repoDir)
+	testutil.WriteFile(t, repoDir, "README.md", "init\n")
+	testutil.GitAdd(t, repoDir, "README.md")
+	writeBinaryFile(t, repoDir, "asset.bin", bytes.Repeat([]byte{0}, 1024))
+	testutil.GitAdd(t, repoDir, "asset.bin")
+	testutil.GitCommit(t, repoDir, "init")
+	baseSHA := testutil.GetHeadHash(t, repoDir)
+
+	writeBinaryFile(t, repoDir, "asset.bin", bytes.Repeat([]byte{1}, 1048577))
+	testutil.GitAdd(t, repoDir, "asset.bin")
+	testutil.GitCommit(t, repoDir, "grow binary")
+
+	output, err := runBinaryCheckScript(t, repoDir, baseSHA, testutil.GetHeadHash(t, repoDir))
+	require.Error(t, err)
+	require.Contains(t, output, "asset.bin")
+}
+
+func TestCheckPRBinaries_LargeTextFilePasses(t *testing.T) {
+	t.Parallel()
+
+	repoDir := t.TempDir()
+	testutil.InitRepo(t, repoDir)
+	testutil.WriteFile(t, repoDir, "README.md", "init\n")
+	testutil.GitAdd(t, repoDir, "README.md")
+	testutil.GitCommit(t, repoDir, "init")
+	baseSHA := testutil.GetHeadHash(t, repoDir)
+
+	largeText := bytes.Repeat([]byte("a"), 1048577)
+	err := os.WriteFile(filepath.Join(repoDir, "large.txt"), largeText, 0o644)
+	require.NoError(t, err)
+	testutil.GitAdd(t, repoDir, "large.txt")
+	testutil.GitCommit(t, repoDir, "add large text file")
+
+	output, err := runBinaryCheckScript(t, repoDir, baseSHA, testutil.GetHeadHash(t, repoDir))
+	require.NoError(t, err)
+	require.Contains(t, output, "No oversized binary files found.")
+}
+
+func TestCheckPRBinaries_CustomThreshold(t *testing.T) {
+	t.Parallel()
+
+	repoDir := t.TempDir()
+	testutil.InitRepo(t, repoDir)
+	testutil.WriteFile(t, repoDir, "README.md", "init\n")
+	testutil.GitAdd(t, repoDir, "README.md")
+	testutil.GitCommit(t, repoDir, "init")
+	baseSHA := testutil.GetHeadHash(t, repoDir)
+
+	writeBinaryFile(t, repoDir, "large.bin", bytes.Repeat([]byte{0}, 1572864))
+	testutil.GitAdd(t, repoDir, "large.bin")
+	testutil.GitCommit(t, repoDir, "add medium binary")
+
+	output, err := runBinaryCheckScriptWithEnv(t, repoDir, baseSHA, testutil.GetHeadHash(t, repoDir), map[string]string{
+		"MAX_BINARY_SIZE_BYTES": "2097152",
+	})
+	require.NoError(t, err)
+	require.Contains(t, output, "No oversized binary files found.")
+}
+
+func TestCheckPRBinaries_InvalidThresholdFails(t *testing.T) {
+	t.Parallel()
+
+	repoDir := t.TempDir()
+	testutil.InitRepo(t, repoDir)
+	testutil.WriteFile(t, repoDir, "README.md", "init\n")
+	testutil.GitAdd(t, repoDir, "README.md")
+	testutil.GitCommit(t, repoDir, "init")
+
+	output, err := runBinaryCheckScriptWithEnv(t, repoDir, testutil.GetHeadHash(t, repoDir), "HEAD", map[string]string{
+		"MAX_BINARY_SIZE_BYTES": "not-a-number",
+	})
+	require.Error(t, err)
+	require.Contains(t, output, "MAX_BINARY_SIZE_BYTES must be an integer")
+}
+
+func runBinaryCheckScript(t *testing.T, repoDir, baseSHA, headSHA string) (string, error) {
+	t.Helper()
+
+	return runBinaryCheckScriptWithEnv(t, repoDir, baseSHA, headSHA, nil)
+}
+
+func runBinaryCheckScriptWithEnv(t *testing.T, repoDir, baseSHA, headSHA string, extraEnv map[string]string) (string, error) {
+	t.Helper()
+
+	_, filename, _, ok := runtime.Caller(0)
+	require.True(t, ok)
+
+	scriptPath := filepath.Join(filepath.Dir(filename), "..", "..", "..", "scripts", "check-pr-binaries.sh")
+	cmd := exec.CommandContext(context.Background(), "bash", scriptPath, baseSHA, headSHA)
+	cmd.Dir = repoDir
+	cmd.Env = os.Environ()
+	for key, value := range extraEnv {
+		cmd.Env = append(cmd.Env, key+"="+value)
+	}
+	output, err := cmd.CombinedOutput()
+	return string(output), err
+}
+
+func writeBinaryFile(t *testing.T, repoDir, path string, content []byte) {
+	t.Helper()
+
+	err := os.WriteFile(filepath.Join(repoDir, path), content, 0o644)
+	require.NoError(t, err)
+}
+
+func runGitCommand(t *testing.T, repoDir string, args ...string) {
+	t.Helper()
+
+	cmd := exec.CommandContext(context.Background(), "git", args...)
+	cmd.Dir = repoDir
+	output, err := cmd.CombinedOutput()
+	require.NoErrorf(t, err, "git %v failed: %s", args, output)
+}

scripts/check-pr-binaries.sh

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+log() {
+  echo "$@"
+}
+
+fail() {
+  echo "::error::$1" >&2
+  exit 1
+}
+
+base_sha="${1:-${GITHUB_BASE_SHA:-}}"
+head_ref="${2:-HEAD}"
+max_binary_size_bytes="${MAX_BINARY_SIZE_BYTES:-1048576}"
+
+if [[ -z "${base_sha}" ]]; then
+  fail "Missing base SHA. Pass it as the first argument or set GITHUB_BASE_SHA."
+fi
+
+if ! [[ "${max_binary_size_bytes}" =~ ^[0-9]+$ ]]; then
+  fail "MAX_BINARY_SIZE_BYTES must be an integer, got: ${max_binary_size_bytes}"
+fi
+
+if ! git rev-parse --verify "${base_sha}^{commit}" >/dev/null 2>&1; then
+  fail "Base commit not found locally: ${base_sha}"
+fi
+
+if ! git rev-parse --verify "${head_ref}^{commit}" >/dev/null 2>&1; then
+  fail "Head commit not found locally: ${head_ref}"
+fi
+
+range="${base_sha}...${head_ref}"
+
+log "Checking binary files in ${range}"
+log "Maximum allowed binary size: ${max_binary_size_bytes} bytes"
+
+violations=()
+
+while IFS= read -r commit; do
+  [[ -z "${commit}" ]] && continue
+
+  while IFS=$'\t' read -r added deleted path; do
+    [[ -z "${path}" ]] && continue
+
+    # In git numstat output, binary diffs use "-" for added/deleted counts.
+    if [[ "${added}" != "-" || "${deleted}" != "-" ]]; then
+      continue
+    fi
+
+    blob_size="$(git cat-file -s "${commit}:${path}")"
+    if (( blob_size <= max_binary_size_bytes )); then
+      continue
+    fi
+
+    violations+=("${path}:${blob_size}")
+  done < <(git diff-tree -m --root --no-commit-id --diff-filter=AM -r --numstat "${commit}")
+done < <(git rev-list --reverse "${base_sha}..${head_ref}")
+
+if (( ${#violations[@]} == 0 )); then
+  log "No oversized binary files found."
+  exit 0
+fi
+
+log "Oversized binary files detected:"
+for violation in "${violations[@]}"; do
+  path="${violation%%:*}"
+  size="${violation##*:}"
+  echo "  - ${path} (${size} bytes)"
+done
+
+fail "Pull request includes binary files larger than ${max_binary_size_bytes} bytes."