Action size: Add a PR check that comments on significant repo size changes #3910

Open
henrymercer wants to merge 8 commits into main from henrymercer/repo-size-diff-check

@henrymercer
Contributor

The compressed checkout of the repo is downloaded at the start of every CodeQL job. Significant jumps or drops are worth surfacing since they directly affect job startup time.

To that end, this PR adds a "Check repo size" PR check that streams git archive --format=tar.gz for both the PR base and HEAD, compares the compressed sizes, and posts a sticky comment when the difference is at least 10% in either direction.

Copilot AI review requested due to automatic review settings May 18, 2026 15:37
@henrymercer henrymercer requested a review from a team as a code owner May 18, 2026 15:37
@github-actions (bot) added the size/XL label (May be very hard to review) May 18, 2026
Contributor

Copilot AI left a comment

Pull request overview

Adds a PR workflow and TypeScript helper to measure compressed repository archive size changes between a PR and its base, then post/update a sticky PR comment when the delta is significant.

Changes:

  • Added a Check repo size workflow.
  • Added pr-checks/check-repo-size.ts with archive measurement, formatting, and PR comment upsert logic.
  • Added unit tests and pr-check dependency updates for Sinon-based Octokit mocking.

| File | Description |
| --- | --- |
| .github/workflows/check-repo-size.yml | Runs the repo size check on PR events. |
| pr-checks/check-repo-size.ts | Implements archive size measurement and sticky PR comment behavior. |
| pr-checks/check-repo-size.test.ts | Tests formatting, archive measurement, and comment upsert behavior. |
| pr-checks/package.json | Adds Sinon test dependencies for pr-checks. |
| package-lock.json | Updates lockfile metadata for pr-checks dependencies. |

Copilot's findings

  • Files reviewed: 4/5 changed files
  • Comments generated: 5

Member

@mbg mbg left a comment

Thanks for looking at this! Two high-level design questions:

  1. Could we add this on to an existing workflow (pr-checks?) rather than adding a totally new one?
  2. Rather than comparing to the PR base ref, would it make sense to compare to the latest CodeQL Action release instead?

Comment thread .github/workflows/check-repo-size.yml Outdated
Comment on lines +3 to +5
on:
pull_request:
types: [opened, synchronize, reopened]
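
Review bot: on the `pull_request:` trigger, runs for PRs opened from forks receive a read-only token, so the step that posts the sticky comment will fail there unless it is skipped for forks or moved to a separate job that treats everything the PR run produced as untrusted data. The `types:` line lists the trigger's default activity types and can be dropped.
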
Member

Could we add this on to an existing workflow (pr-checks?) rather than adding a totally new one?

Comment thread pr-checks/check-repo-size.ts Outdated
*/
export const SIGNIFICANT_DELTA_FRACTION = 0.1;

export type Octokit = ReturnType<typeof getOctokit>;
Member

api-client.ts exports ApiClient (the return type of getOctokit). Why this roundabout way of getting hold of that type?

@henrymercer henrymercer marked this pull request as draft May 18, 2026 16:03
@henrymercer
Contributor Author

henrymercer commented May 18, 2026

> Rather than comparing to the PR base ref, would it make sense to compare to the latest CodeQL Action release instead?

With that approach, if we merge a PR that significantly increases / decreases the repo size, this would create noise on all subsequent PRs until the next release. Since we compare against the base, we'll get the comparison against the latest release when we run the release process, so we have another opportunity to see significant changes at that point.

@henrymercer henrymercer force-pushed the henrymercer/repo-size-diff-check branch from 7e6ce16 to b34c6b4 Compare May 18, 2026 17:20
@henrymercer henrymercer force-pushed the henrymercer/repo-size-diff-check branch from b34c6b4 to 9b6438e Compare May 18, 2026 17:25
@henrymercer henrymercer requested a review from Copilot May 18, 2026 18:09
Contributor

Copilot AI left a comment

Copilot's findings

  • Files reviewed: 5/6 changed files
  • Comments generated: 6

@henrymercer henrymercer changed the title from "Add a PR check that comments on significant repo size changes" to "Action size: Add a PR check that comments on significant repo size changes" May 18, 2026
Contributor

Copilot AI left a comment

Copilot's findings

Comments suppressed due to low confidence (1)

.github/workflows/pr-checks.yml:225

  • Because body comes from an artifact produced by PR-controlled code, passing it with gh api --field is unsafe: --field body=@path makes the CLI read a local file, so a malicious body could cause this privileged job to post files such as its environment. Use a raw field or file input only after constructing/validating the body in trusted code.
            gh api --method PATCH "repos/$GITHUB_REPOSITORY/issues/comments/$comment_id" --field body="$body"
          elif [[ "$significant" == "true" ]]; then
            echo "Creating new repo size comment."
            gh api --method POST "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" --field body="$body"
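
Review bot: both `gh api` calls pass the comment text as `--field body="$body"`, and `--field` interprets its value (a leading `@` means "read this file", and literals such as true or numbers are type-converted). Use `--raw-field body="$body"`, which always sends the string as-is, and since `$comment_id` and `$PR_NUMBER` are interpolated into the request path, check that each is purely numeric before the call.
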
  • Files reviewed: 5/5 changed files
  • Comments generated: 1
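
One way to follow the advice in the suppressed finding above (construct the body in trusted code), as an added example that is not code from this PR: the privileged job accepts only two integers from the PR-produced artifact and renders the comment itself. The artifact shape, the names `parseSizeArtifact` and `renderComment`, and the size cap are assumptions; the 10% threshold is the one stated in the PR.

```typescript
// Added example, not code from the PR. Assumed artifact format:
// {"baseBytes": <int>, "headBytes": <int>} written by the unprivileged job.

const SIGNIFICANT_DELTA_FRACTION = 0.1; // threshold shown in the PR
const MAX_BYTES = Math.pow(2, 40); // assumed sanity cap on a reported size

interface Sizes {
  baseBytes: number;
  headBytes: number;
}

// Strictly parse untrusted artifact text; anything unexpected is rejected.
function parseSizeArtifact(text: string): Sizes {
  if (text.length > 200) throw new Error("artifact too large");
  const raw: unknown = JSON.parse(text);
  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
    throw new Error("artifact must be a JSON object");
  }
  const rec = raw as Record<string, unknown>;
  if (Object.keys(rec).sort().join(",") !== "baseBytes,headBytes") {
    throw new Error("unexpected keys in artifact");
  }
  const check = (v: unknown): number => {
    if (typeof v !== "number" || !isFinite(v) || Math.floor(v) !== v ||
        v <= 0 || v > MAX_BYTES) {
      throw new Error("size must be a positive integer");
    }
    return v;
  };
  return { baseBytes: check(rec["baseBytes"]), headBytes: check(rec["headBytes"]) };
}

// Build the comment from validated numbers only, so no PR-controlled string
// (for example one starting with "@") ever reaches the API call.
function renderComment(s: Sizes): { significant: boolean; body: string } {
  const fraction = (s.headBytes - s.baseBytes) / s.baseBytes;
  const significant = Math.abs(fraction) >= SIGNIFICANT_DELTA_FRACTION;
  const sign = fraction >= 0 ? "+" : "-";
  const pct = (Math.abs(fraction) * 100).toFixed(1);
  const body =
    `Compressed repo size: ${s.baseBytes} -> ${s.headBytes} bytes (${sign}${pct}%)`;
  return { significant, body };
}

// Constructed sample input.
const sample = renderComment(parseSizeArtifact('{"baseBytes":1000,"headBytes":1150}'));
console.log(sample.significant, sample.body);
```
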

@henrymercer henrymercer marked this pull request as ready for review May 18, 2026 19:29