
ci: fail PRs over 1500 lines of python changes#6209

Open
greysonlalonde wants to merge 4 commits into main from ci/python-pr-size-gate

Conversation


@greysonlalonde greysonlalonde commented Jun 17, 2026

Contributor

Adds a python-diff-size job to the existing PR Size Check workflow that fails when a PR's .py churn (added + deleted) exceeds 1500 lines.

  • Counts only .py files, origin/<base>...HEAD, skips binaries.
  • Runs unconditionally on every PR so it always reports — safe to mark required.
  • Self-contained inline shell; no extra script or dependency.

The existing pr-size-labeler only labels XS–XL on total diff and never fails; this is the Python-specific hard gate.

Follow-up after merge: add the python-diff-size check to ruleset main (id 2686846), alongside lint / tests (3.x), to make it block merges.


Note

Low Risk
CI-only workflow change with no runtime or application code impact; merge blocking depends on making the new check required in branch rules.

Overview
Adds a python-diff-size job to the PR Size Check workflow that fails the check when added + deleted lines across *.py files exceed 1500, complementing the existing labeler job which only assigns size labels and never blocks merges.

The job checks out full history, uses a three-dot base...head diff (aligned with GitHub’s “Files changed” view), sums line churn via git diff --numstat, and on failure emits a workflow error plus a sorted per-file breakdown. It runs on every PR open/sync/reopen with read-only contents permission and no extra dependencies.

Reviewed by Cursor Bugbot for commit 4068fa3. Bugbot is set up for automated code reviews on this repo.

Summary by CodeRabbit

  • Chores
    • Enhanced pull request validation by adding an automated check for Python diff size, enforcing a maximum churn threshold and providing a per-file breakdown when the limit is exceeded.
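The gate described in the PR description and in the Overview above (three-dot diff, `git diff --numstat` over `*.py`, binaries skipped, sum of added plus deleted, sorted per-file breakdown on failure) can be exercised outside GitHub Actions. The script below is an added example written for this page; it is not the workflow text from the PR. The function names, the `MAX` variable, and the throwaway repository it builds are assumptions made for the demo. It also takes the range operator as an optional argument so the difference between the three-dot and two-dot forms can be observed on the same history.

```shell
#!/bin/sh
# Added example, not the PR's workflow. Re-creates the python-diff-size gate
# as plain shell functions plus a constructed sample repository.
set -eu

MAX="${MAX:-1500}"   # churn limit, same value as the PR's gate

# Sum added+deleted lines across *.py files between BASE and HEAD.
# The default "..." range diffs from the merge-base, which is the view
# GitHub shows under "Files changed"; ".." compares the two tips directly.
# git diff --numstat prints "added<TAB>deleted<TAB>path"; binary files
# print "-" in both count columns and are skipped.
py_churn() {
  repo="$1"; base="$2"; head="$3"; op="${4:-...}"
  git -C "$repo" diff --numstat "${base}${op}${head}" -- '*.py' \
    | awk -F'\t' '$1 != "-" && $2 != "-" { total += $1 + $2 } END { print total + 0 }'
}

# Per-file churn, largest first, for the failure message.
py_churn_by_file() {
  repo="$1"; base="$2"; head="$3"; op="${4:-...}"
  git -C "$repo" diff --numstat "${base}${op}${head}" -- '*.py' \
    | awk -F'\t' '$1 != "-" && $2 != "-" { printf "%d\t%s\n", $1 + $2, $3 }' \
    | sort -k1,1nr
}

# The gate itself: 0 when within the limit, 1 otherwise, with the same
# ::error:: annotation syntax the workflow would emit on a runner.
check_py_churn() {
  repo="$1"; base="$2"; head="$3"
  total=$(py_churn "$repo" "$base" "$head")
  echo "Python churn (added+deleted): ${total} lines (limit ${MAX})"
  if [ "$total" -gt "$MAX" ]; then
    echo "::error::Python diff too large: ${total} > ${MAX}" >&2
    py_churn_by_file "$repo" "$base" "$head" >&2
    return 1
  fi
}

# Constructed sample history (an assumption for this demo, not real data):
#   main:    base -> main-moved (adds c.py, 40 lines, after the branch point)
#   feature: base -> feature    (a.py +5, b.py +20, a binary .py, README edit)
# Prints the repository path.
make_demo_repo() {
  repo=$(mktemp -d)
  export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
  export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
  git -C "$repo" init -q
  git -C "$repo" symbolic-ref HEAD refs/heads/main
  seq 1 10 > "$repo/a.py"; echo x > "$repo/README.md"
  git -C "$repo" add -A; git -C "$repo" commit -qm base
  git -C "$repo" checkout -qb feature
  seq 1 15 > "$repo/a.py"                  # +5 lines to an existing file
  seq 1 20 > "$repo/b.py"                  # +20 lines, new file
  printf 'x\000y\n' > "$repo/blob.py"      # NUL byte: git treats it as binary
  echo y >> "$repo/README.md"              # not .py: must be ignored
  git -C "$repo" add -A; git -C "$repo" commit -qm feature
  git -C "$repo" checkout -q main
  seq 1 40 > "$repo/c.py"                  # landed on main after the fork
  git -C "$repo" add -A; git -C "$repo" commit -qm main-moved
  echo "$repo"
}

# Run with "demo" as the first argument to see the gate pass on the sample.
if [ "${1:-}" = demo ]; then
  demo_repo=$(make_demo_repo)
  check_py_churn "$demo_repo" main feature
fi
```

On the sample history the three-dot form counts 25 lines (a.py and b.py only: the README is filtered out by the pathspec and blob.py by the "-" check), while the two-dot form counts 65 because it also sees c.py as a 40-line deletion relative to the feature tip. That is exactly the false positive the PR avoids by using `origin/<base>...HEAD`.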

@coderabbitai

coderabbitai Bot commented Jun 17, 2026



No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 00a8019a-2376-4e5e-9529-5f9fb33e5d8b

📥 Commits

Reviewing files that changed from the base of the PR and between c2d28b9 and 4068fa3.

📒 Files selected for processing (1)
  • .github/workflows/pr-size.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/pr-size.yml

📝 Walkthrough

Walkthrough

The PR Size Check workflow gains a new python-diff-size job. It computes the total added and deleted lines across all *.py files using git diff --numstat against the base branch, then fails with exit code 1 if the sum exceeds 1500, printing per-file churn sorted by size.

Changes

Python Churn Limit Enforcement

Layer / File(s) Summary
python-diff-size job
.github/workflows/pr-size.yml
New job sums added+deleted line counts from git diff --numstat for *.py files against the PR base SHA, logs the total, and fails the workflow when it exceeds MAX=1500, emitting sorted per-file churn on failure.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly and concisely describes the main change: adding a CI check that fails PRs exceeding 1500 lines of Python file changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


Comment thread .github/workflows/pr-size.yml Fixed

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/pr-size.yml (1)

3-11: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden token scope with explicit workflow/job permissions.

python-diff-size only needs repository read access, but the workflow currently relies on default token permissions. Add explicit least-privilege permissions at workflow level and keep pr-size’s write override scoped only to that job.

Suggested patch
 name: PR Size Check
 
 on:
   pull_request:
     types: [opened, synchronize, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   pr-size:
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
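Review bot: the workflow-level `permissions: contents: read` added in this hunk is not inherited by the `pr-size` job shown in the context lines, because a job-level `permissions` map replaces the workflow-level one and sets every scope it does not list to `none`. With only `pull-requests: write` declared, `pr-size` ends up with `contents: none`. That is fine if the labeler only talks to the pull request API, but if that job runs `actions/checkout` or reads the repository in any other way, its block needs `contents: read` added alongside `pull-requests: write`.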
@@
   python-diff-size:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
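Review bot: `contents: read` on `python-diff-size` is redundant with the workflow-level `contents: read` introduced by the same patch, so it changes nothing today. It is still worth keeping: the job runs `actions/checkout`, which needs at least `contents: read`, and an explicit job-level block pins that minimum even if someone later widens the workflow-level map for another job.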

Also applies to: 34-35

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-size.yml around lines 3 - 11, The workflow currently
relies on default token permissions without explicit declarations, which
violates the principle of least privilege. Add a `permissions` block at the
workflow root level (before the `jobs` section) with read-only access to the
repository (contents: read), while keeping the existing `pull-requests: write`
permission override in the `pr-size` job. This ensures the workflow has minimal
permissions at the top level, with only the specific job that needs write access
to pull requests having that elevated permission.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pr-size.yml:
- Around line 44-47: The base variable on line 44 is being set by interpolating
github.base_ref (a branch name) directly into a shell command, which creates a
shell injection vulnerability. Replace the github.base_ref interpolation with
the immutable base commit SHA from the GitHub event payload using
github.event.pull_request.base.sha instead, as this provides a fixed-format,
safe value that cannot contain special shell characters.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 19d14373-d7f5-409d-9578-9055f220328c

📥 Commits

Reviewing files that changed from the base of the PR and between 0a577b7 and 3fcbc38.

📒 Files selected for processing (1)
  • .github/workflows/pr-size.yml

Comment thread .github/workflows/pr-size.yml Outdated
@github-actions github-actions Bot added size/S and removed size/XS labels Jun 17, 2026

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/pr-size.yml (1)

39-41: ⚡ Quick win

Disable persisted checkout credentials for least-privilege hardening.

At Line 39, actions/checkout should set persist-credentials: false so the token is not left in local git config for later steps.

Suggested patch
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
+          persist-credentials: false
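Review bot: `persist-credentials: false` is safe for this job only because everything it later diffs is already fetched in this step: `fetch-depth: 0` pulls full history for all remote branches, so `origin/<base>...HEAD` resolves without a further authenticated `git fetch`. If the checkout is ever trimmed to a shallow fetch plus an on-demand `git fetch origin "$base"`, that fetch would fail unauthenticated on a private repository; the fix then is to pass the token to that single step explicitly rather than re-enable persistence for the whole job.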
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-size.yml around lines 39 - 41, The `actions/checkout`
action in the pr-size.yml workflow is missing security hardening for credential
handling. Add `persist-credentials: false` to the `with` section of the checkout
action (alongside the existing `fetch-depth: 0`) to ensure the authentication
token is not persisted in the local git configuration after checkout completes,
following the principle of least-privilege access.

Source: Linters/SAST tools


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 0099930d-74e1-4895-b4c3-2333e7c627b2

📥 Commits

Reviewing files that changed from the base of the PR and between 3fcbc38 and c2d28b9.

📒 Files selected for processing (1)
  • .github/workflows/pr-size.yml

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit 474496f.

Comment thread .github/workflows/pr-size.yml Outdated
2 participants