Add plugin size audit workflow PRESS10-98

[crodriguezbrito]

Proposed changes

This PR includes a new workflow designed to control file size growth by implementing two checks:

• Production File Size Comparison: Compares the production file size between the base branch and the PR branch. The workflow will fail if the size increase exceeds 10%.

• Plugin Zip Size Validation: Calculates the size of the generated plugin ZIP file. The workflow will fail if the size is greater than 10 MB.

Jira: PRESS10-98

Type of Change

Production

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Dependency update
• Refactoring / housekeeping (changes to files not directly related to functionality)

Development

• Tests
• Dependency update
• Environment update / refactoring
• Documentation Update

Visual

Checklist

• I have read the CONTRIBUTING doc
• I have viewed my change in a web-browser
• Linting and tests pass locally with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Further comments

---

Note

Adds a reusable GitHub Actions workflow to build the plugin, compute folder/zip sizes, compare with base on PRs, comment a report, and fail when thresholds are exceeded.

• CI / Workflows:
  • New reusable workflow /.github/workflows/reusable-plugin-size-audit.yml:
    • Builds project (PHP/Node), prepares dist via .distinclude/.distignore.
    • Calculates total plugin folder size and ZIP size; enforces MAX_SIZE_INCREASE_PERCENT and MAX_ZIP_SIZE_MB.
    • On PRs, checks out base branch, rebuilds, compares sizes, and sets failure if limits are exceeded.
    • Generates a markdown report and posts/updates a PR comment; final step fails the job when thresholds are breached.

^{Written by Cursor Bugbot for commit 42a7882. This will update automatically on new commits. Configure here.}

[desrosj]

While environment variables can change, inputs cannot. What about moving the MAX_SIZE_INCREASE_PERCENT and MAX_ZIP_SIZE_MB to workflow inputs instead of hard coding them as environment variables at the workflow level? The current values can be used as the defaults and the inputs can be made optional.

This would allow a given repo to adjust these thresholds if they desire while also closing these potentially insecure paths. Though it's not clear to me why this pattern is triggering an alert on this step but not others where env.* is also being used, this seems like a reasonable adjustment to prevent this.

[desrosj]

Thanks for this, @crodriguezbrito!

I left some initial feedback. For the sake of transparency, I haven't reviewed the commands that are actually performing comparisons. Just a high-level review of the GHA related code so far.

Also, is this in any way related to newfold-labs/wp-plugin-bluehost#342? That one seems to focus on the sizes of individual files rather than the size of the plugin as a whole. Not necessarily a blocker for this, but it would be nice to eventually have a reusable workflow for each. Then each plugin can have a single workflow with two jobs: one for file sizes, one for plugin package size.

[Copilot]

Pull Request Overview

This PR introduces a reusable GitHub Actions workflow for auditing WordPress plugin size, comparing the current branch against the base branch and ensuring size increases stay within acceptable limits.

Key Changes:

• Adds automated plugin size auditing with configurable thresholds (10% size increase, 10 MB max zip size)
• Implements comparison logic between current and base branches for pull requests
• Posts size audit reports as PR comments with automatic updates

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[crodriguezbrito]

Thanks for this, @crodriguezbrito!

I left some initial feedback. For the sake of transparency, I haven't reviewed the commands that are actually performing comparisons. Just a high-level review of the GHA related code so far.

Also, is this in any way related to newfold-labs/wp-plugin-bluehost#342? That one seems to focus on the sizes of individual files rather than the size of the plugin as a whole. Not necessarily a blocker for this, but it would be nice to eventually have a reusable workflow for each. Then each plugin can have a single workflow with two jobs: one for file sizes, one for plugin package size.

Hello @desrosj

I greatly appreciate your feedback.

I have answered to all suggestions and made the necessary commits.

Regarding your question: Following the comment in Jira, I have created this workflow specifically to measure the total size of the plugin. I believe both workflows are related, and it would be a great idea to add them as reusable workflows and then use them in combination.

Please let me know if there is anything else to review.

Thanks you for your time.

[wpscholar]

@crodriguezbrito - Can you look through the security issues and review the two unresolved comments from Jon?

[cursor]

This is the final PR Bugbot will review for you during this billing cycle

Your free Bugbot reviews will reset on December 23

Details

You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

[wpscholar]

@desrosj - Since you requested changes, you'll have to re-review this anyway. Do you mind making a pass at it?

[cursor]

This PR is being reviewed by Cursor Bugbot

Details

You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

[cursor]

Bug: Fork PRs skip base branch build causing incorrect comparison

The condition github.event.pull_request.head.repo.full_name == github.repository prevents npm install and build for the base branch when PRs come from forks. However, the base branch is always in the main repository (not the fork), so this check is misapplied. For fork PRs, the workflow will compare the PR branch (with built JavaScript) against the base branch (without built JavaScript), producing invalid size comparisons. The condition on these steps should match the other base branch steps which only check github.event_name == 'pull_request'.

Additional Locations (1)

• .github/workflows/reusable-plugin-size-audit.yml#L156-L159

 

[cursor]

Bug: Comment search misses existing comments on busy PRs

The listComments API call doesn't specify pagination parameters, so it only retrieves the first page (default 30 comments). If the PR has more than 30 comments and the bot's existing audit comment isn't among the most recent 30, the find search won't locate it. This causes duplicate comments to be created on subsequent workflow runs for PRs with active discussion.

 

[desrosj]

Sorry for the delay getting back to this! I have a few small suggestions here. But I think it should be good to give a try!

[desrosj]

Suggested change

	MAX_INCREASE_PERCENT: ${{ env.MAX_SIZE_INCREASE_PERCENT }}
	MAX_SIZE_INCREASE_PERCENT: ${{ env.MAX_SIZE_INCREASE_PERCENT }}

To be consistent with the next step.

[desrosj]

Suggested change

	echo "::error::Plugin size increased by $PERCENT_INCREASE%, which exceeds the maximum allowed increase of $MAX_INCREASE_PERCENT%."
	echo "::error::Plugin size increased by $PERCENT_INCREASE%, which exceeds the maximum allowed increase of $MAX_SIZE_INCREASE_PERCENT%."

To match above change.

[desrosj]

While environment variables can change, inputs cannot. What about moving the MAX_SIZE_INCREASE_PERCENT and MAX_ZIP_SIZE_MB to workflow inputs instead of hard coding them as environment variables at the workflow level? The current values can be used as the defaults and the inputs can be made optional.

This would allow a given repo to adjust these thresholds if they desire while also closing these potentially insecure paths. Though it's not clear to me why this pattern is triggering an alert on this step but not others where env.* is also being used, this seems like a reasonable adjustment to prevent this.