ci(deps): guard install footprint — dependency denylist + +5% size ratchet#435
Open
sammy-vastai wants to merge 2 commits into
Conversation
Pull request overview
Adds CI and test-suite guards to prevent the CLI’s Python dependency closure (and resulting install size) from regressing back toward heavyweight ML/scientific stacks.
Changes:
- Introduces a transitive-dependency denylist test that parses `poetry.lock` and fails if forbidden heavy packages re-enter.
- Adds an installer CI job that installs this PR's wheel on Linux and enforces a "+5% max" `site-packages` footprint ratchet against a committed baseline.
- Expands the installer workflow trigger paths to include `poetry.lock` changes.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| tests/test_dependency_budget.py | New lockfile-parsing test to block forbidden heavy deps from re-entering the resolved closure. |
| tests/installer/footprint_baseline.env | Adds the committed size baseline used by the footprint ratchet job. |
| .github/workflows/installer-ci.yml | Adds a footprint-budget job and ensures lockfile-only changes trigger the installer CI workflow. |
Comment on lines +42 to +48
| def test_no_heavy_deps_in_closure(): | ||
| intruders = sorted(_closure_names() & FORBIDDEN) | ||
| assert not intruders, ( | ||
| f"heavy dependency re-entered the CLI closure: {intruders}. " | ||
| "A CLI should not pull an ML/scientific stack — slim the change, or if " | ||
| "this is genuinely required, remove it from FORBIDDEN with justification." | ||
| ) |
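Review bot: `_closure_names()` at +43 is every `[[package]]` entry in `poetry.lock`, and Poetry writes that file for all dependency groups (dev, docs) and optional extras, not only for what the wheel installs, so this assertion will also fire for a heavy test-only or extras-only dependency that never reaches a user's `site-packages`. Either state in the docstring that the gate deliberately covers every group, or intersect `FORBIDDEN` with the closure reachable from the main-group roots so the test agrees with what Layer 2 measures. The message at +47-48 asks for a "justification" when a name is removed from `FORBIDDEN`, but nothing records it; consider requiring the reason as a comment beside the removed entry so the removal shows up in the same diff.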
Comment on lines +38 to +39
| data = tomllib.loads(LOCK.read_text()) | ||
| return {pkg["name"].lower() for pkg in data["package"]} |
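Review bot: `pkg["name"].lower()` at +39 is not PEP 503 normalization: it leaves `-`, `_` and `.` untouched, so a lock entry spelled `scikit_learn` would not match a `FORBIDDEN` entry `scikit-learn` and the gate would silently miss it. Normalize both sides with `re.sub(r"[-_.]+", "-", name).lower()`. Two smaller points on +38: `tomllib` only exists on Python 3.11+, so the suite needs a `tomli` fallback if it runs on older interpreters, and `LOCK.read_text()` should pass `encoding="utf-8"` so the parse does not depend on the CI runner's locale.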
Comment on lines +93 to +101
| run: | | ||
| . tests/installer/footprint_baseline.env | ||
| export PATH="$HOME/.local/bin:$PATH" | ||
| uv venv /tmp/fp --python 3.12 --quiet | ||
| uv pip install --python /tmp/fp/bin/python --quiet dist/vastai-*.whl | ||
| SITE="$(find /tmp/fp/lib -type d -name site-packages)" | ||
| BYTES="$(du -sb "$SITE" | cut -f1)" | ||
| CEIL=$(( FOOTPRINT_BASELINE_BYTES * 105 / 100 )) | ||
| PCT=$(( (BYTES - FOOTPRINT_BASELINE_BYTES) * 100 / FOOTPRINT_BASELINE_BYTES )) |
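Review bot: `uv pip install ... dist/vastai-*.whl` at +97 resolves the wheel's declared requirements against the package index at run time, not from `poetry.lock`, so the number measured at +99 can move between runs of the same commit whenever an upstream dependency publishes a release; that can trip the 5% ceiling on an unrelated PR or, worse, hide a regression until the baseline is bumped. Export the lock to a constraints file and pass it with `-c` so Layer 2 measures the locked closure the same way Layer 1 reads it. Two robustness points: the division at +101 has no guard, so if the `.` at +94 does not define `FOOTPRINT_BASELINE_BYTES` bash arithmetic treats it as 0 and the step dies with a division-by-zero error instead of a readable message (`: "${FOOTPRINT_BASELINE_BYTES:?}"` before the arithmetic fixes that); and `find ... -name site-packages` at +98 can return more than one directory, in which case `du -sb "$SITE"` measures a multi-line string, so prefer asking the interpreter (`/tmp/fp/bin/python -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])'`). Also `$(( ))` truncates toward zero, so a 4.9% increase prints `delta: 4`; fine as long as pass/fail compares `BYTES` against `CEIL` rather than `PCT`.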
Comment on lines +90 to +91
| - name: install uv | ||
| run: curl -LsSf https://astral.sh/uv/install.sh | sh |
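Review bot: the installer at +91 is fetched unpinned over the network and piped straight to `sh`, so the job's toolchain is whatever astral.sh serves that day and nothing checks its integrity; for a job whose whole purpose is to produce a stable, comparable number, pin it (the `astral-sh/setup-uv` action with a fixed `version:` and the action itself pinned to a commit SHA, or a version-specific install URL plus a checksum of the downloaded script). Pinning also keeps the footprint measurement from moving when a new uv release changes its install behaviour.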
Two CI guards so the install footprint can't quietly balloon again the way `transformers` added ~138 MiB via #424.

Layer 1 — dependency-closure denylist (`tests/test_dependency_budget.py`)

Parses `poetry.lock` (the full transitive closure — where the weight hides) and fails if any heavy ML/scientific package re-enters: `transformers`, `tokenizers`, `numpy`, `torch`, `nltk`, … No install, deterministic, platform-agnostic, runs in the existing pytest suite. This is the one that directly catches a repeat of #424.

Layer 2 — installed-footprint +5% ratchet (`installer-ci.yml` → `footprint-budget` job)

Hermetic `uv` install of this PR's wheel on one canonical platform (linux x86_64), measures `site-packages`, and fails if it grew >5% over the committed baseline in `tests/installer/footprint_baseline.env`. On a real increase the dev either slims the PR or bumps the baseline deliberately — that one-line diff is the record that the growth was intentional. The job prints `footprint / baseline / delta% / ceiling` so re-baselining is trivial. Backstop for the case Layer 1 misses: an existing dep ballooning without a new package name appearing.

Baseline

`FOOTPRINT_BASELINE_BYTES=133476211` (~127 MiB), measured from a clean install of the slim closure (was ~276 MiB with the transformers cluster).

Validation

- `pytest test_dependency_budget.py` → passes (and would fail if any FORBIDDEN name were present).
- `footprint: 127 MiB | baseline: 127 MiB | delta: 0% | ceiling(+5%): 133 MiB | WOULD PASS`.
- Added `poetry.lock` to the `installer-ci` trigger paths so lock-only dep changes are gated too.

Why measure `site-packages` (not all of `~/.vastai`): the managed CPython + uv (~75% of the install) are fixed runtime that change on a Python-pin bump, not on a PR's deps — including them would add noise the 5% gate would trip on falsely.
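An added example, not code from this PR or from the vastai project, of the two layers described above. The Layer 1 part follows the `[package.dependencies]` edges in a lockfile from a chosen root set rather than flat-scanning every entry, so a heavy package that only the dev group pulls in can be distinguished from one the wheel actually installs, and it applies PEP 503 name normalization so `Scikit_Learn` and `scikit-learn` compare equal. The Layer 2 part reproduces the +5% ceiling and delta in the same integer arithmetic the workflow's `$(( ))` uses. The miniature lockfile, the `FORBIDDEN` set (the PR's list is only partly shown, so `scikit-learn` here is an assumption), the root sets and every function name are constructed for illustration; the only assumption about real input is Poetry's `[[package]]` / `[package.dependencies]` layout.

```python
"""Added example (not from PR #435): lockfile-closure denylist + +5% ratchet."""
import re

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed miniature poetry.lock. Assumption: Poetry's layout, where a
# dependency value is a version string, an inline table (version/optional/
# markers) or a list of such tables. "requests" stands in for a runtime root,
# "pytest" for a dev-group root; PySocks is extras-only (optional = true).
SAMPLE_LOCK = """\
[[package]]
name = "requests"
version = "2.32.0"
[package.dependencies]
urllib3 = ">=1.21"
PySocks = {version = ">=1.5", optional = true}

[[package]]
name = "urllib3"
version = "2.2.0"

[[package]]
name = "pysocks"
version = "1.7.1"

[[package]]
name = "pytest"
version = "8.0.0"
[package.dependencies]
Scikit_Learn = ">=1"

[[package]]
name = "Scikit_Learn"
version = "1.4.0"
[package.dependencies]
numpy = [{version = ">=1.19"}]

[[package]]
name = "numpy"
version = "1.26.0"
"""

# Constructed denylist (assumption: mirrors the PR's FORBIDDEN, plus scikit-learn).
FORBIDDEN = {"transformers", "tokenizers", "numpy", "torch", "nltk", "scikit-learn"}


def normalize(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' and '.' become '-', then lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _required(spec) -> bool:
    """False only when every constraint for the dep is extras-only (optional=true)."""
    specs = spec if isinstance(spec, list) else [spec]
    return any(not (isinstance(s, dict) and s.get("optional")) for s in specs)


def load_graph(lock_text: str) -> dict[str, set[str]]:
    """Map each locked package (normalized) to its non-optional dependencies."""
    data = tomllib.loads(lock_text)
    graph: dict[str, set[str]] = {}
    for pkg in data.get("package", []):
        deps = pkg.get("dependencies", {})
        graph[normalize(pkg["name"])] = {normalize(d) for d, s in deps.items() if _required(s)}
    return graph


def closure(graph: dict[str, set[str]], roots) -> set[str]:
    """Transitive closure of the roots over the dependency graph (iterative DFS)."""
    seen: set[str] = set()
    stack = [normalize(r) for r in roots]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(graph.get(name, set()) - seen)
    return seen


def forbidden_in_closure(lock_text: str, roots, forbidden=FORBIDDEN) -> list[str]:
    """Denylisted packages reachable from `roots` (e.g. the main-group deps)."""
    wanted = {normalize(n) for n in forbidden}
    return sorted(closure(load_graph(lock_text), roots) & wanted)


def forbidden_anywhere(lock_text: str, forbidden=FORBIDDEN) -> list[str]:
    """All-groups variant: any denylisted entry present in the lock at all."""
    return sorted(set(load_graph(lock_text)) & {normalize(n) for n in forbidden})


def ratchet(footprint: int, baseline: int, max_pct: int = 5) -> dict:
    """Layer 2 arithmetic with bash $(( )) semantics (integer, truncate toward zero)."""
    if baseline <= 0:
        raise ValueError("baseline must be positive (was footprint_baseline.env sourced?)")
    ceiling = baseline * (100 + max_pct) // 100
    diff = (footprint - baseline) * 100
    delta_pct = -((-diff) // baseline) if diff < 0 else diff // baseline
    return {"ceiling": ceiling, "delta_pct": delta_pct, "ok": footprint <= ceiling}


def mib(n: int) -> int:
    return n // (1 << 20)


def verdict_line(footprint: int, baseline: int, max_pct: int = 5) -> str:
    """One-line summary in the shape the PR says the job prints."""
    r = ratchet(footprint, baseline, max_pct)
    return (f"footprint: {mib(footprint)} MiB | baseline: {mib(baseline)} MiB | "
            f"delta: {r['delta_pct']}% | ceiling(+{max_pct}%): {mib(r['ceiling'])} MiB | "
            f"{'PASS' if r['ok'] else 'FAIL'}")


if __name__ == "__main__":
    print("runtime roots :", forbidden_in_closure(SAMPLE_LOCK, {"requests"}))
    print("plus dev group:", forbidden_in_closure(SAMPLE_LOCK, {"requests", "pytest"}))
    print("flat scan     :", forbidden_anywhere(SAMPLE_LOCK))
    print(verdict_line(133476211, 133476211))
    print(verdict_line(140150022, 133476211))
```

Run with a real lockfile by reading `poetry.lock` into `lock_text` and passing the main-group names from `pyproject.toml` as `roots`; `forbidden_anywhere` then shows what a flat scan of all groups would add on top. With the PR's baseline of 133476211 bytes the ceiling comes out at 140150021 bytes, which is the "133 MiB" in the validation line above.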