Skip to content

Action size: Minify JS bundle on release branches#3920

Draft
henrymercer wants to merge 1 commit into
mainfrom
henrymercer/minify-bundles
Draft

Action size: Minify JS bundle on release branches#3920
henrymercer wants to merge 1 commit into
mainfrom
henrymercer/minify-bundles

Conversation

@henrymercer
Copy link
Copy Markdown
Contributor

@henrymercer henrymercer commented May 20, 2026

Minify the JS bundle on release branches to reduce the size of the .tar.gz'd Action checkout by a further ~20%.

  • Only minify on release branches to avoid most PRs conflicting with each other, reducing development velocity.
  • Handle the names of branches created by release automation to make the right minification decision when we're running as part of release automation.
  • Update the release automation to always rebuild the Action, unless there are merge conflicts.

Risk assessment

For internal use only. Please select the risk level of this change:

  • Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.
  • High risk: Changes are not fully under feature flags, have limited visibility and/or cannot be tested outside of production.

Which use cases does this change impact?

Workflow types:

  • Advanced setup - Impacts users who have custom CodeQL workflows.
  • Managed - Impacts users with dynamic workflows (Default Setup, Code Quality, ...).

Products:

  • Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
  • Code Quality - The changes impact analyses when analysis-kinds: code-quality.
  • Other first-party - The changes impact other first-party analyses.
  • Third-party analyses - The changes affect the upload-sarif action.

Environments:

  • Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.
  • GHES - Impacts CodeQL workflows on GitHub Enterprise Server.
  • Testing/None - This change does not impact any CodeQL workflows in production.

How did/will you validate this change?

  • Test repository - This change will be tested on a test repository before merging.
  • Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
  • End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).
  • Other - Please provide details.
  • None - I am not validating these changes.

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

  • Feature flags - All new or changed code paths can be fully disabled with corresponding feature flags.
  • Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.
  • Development/testing only - This change cannot cause any failures in production.
  • Other - Please provide details.

How will you know if something goes wrong after this change is released?

  • Telemetry - I rely on existing telemetry or have made changes to the telemetry.
    • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
    • Alerts - New or existing monitors will trip if something goes wrong with this change.
  • Other - Please provide details.

Are there any special considerations for merging or releasing this change?

  • No special considerations - This change can be merged at any time.
  • Special considerations - This change should only be merged once certain preconditions are met. Please provide details of those or link to this PR from an internal issue.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change.
  • Confirm the readme and docs have been updated if necessary.

@github-actions github-actions Bot added the size/S Should be easy to review label May 20, 2026
github-advanced-security[bot]
github-advanced-security AI found potential problems May 20, 2026
View reviewed changes
Comment thread build.mjs

// If we don't seem to be running as part of the release automation, then only minify if we're on
// a release branch.
const refName = process.env.GITHUB_REF_NAME || localBranch;
@henrymercer henrymercer requested a review from Copilot May 20, 2026 16:27
Copilot AI reviewed May 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR reduces the size of the built JavaScript shipped on release branches by enabling esbuild minification when building for releases/v* (and related release-automation branches), while keeping main builds unminified to avoid high-churn bundle conflicts in day-to-day development.

Changes:

  • Add release-branch-aware minification logic to build.mjs (with an env override).
  • Update release automation to rebuild the Action whenever the merge is conflict-free.
  • Document the behavior change in the changelog.
Show a summary per file
File Description
CHANGELOG.md Adds a release note describing minified bundles on release branches.
build.mjs Detects release/release-automation branches and conditionally enables esbuild minification.
.github/update-release-branch.py Ensures release automation rebuilds the Action on conflict-free merges so minified artifacts are produced when appropriate.

Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 3

Comment thread build.mjs
function shouldMinify() {
const override = process.env.CODEQL_ACTION_MINIFY;
if (override === "true") return true;
if (override === "false") return false;
Comment thread build.mjs
Comment on lines +53 to +56
return execFileSync("git", ["rev-parse", "--abbrev-ref", "HEAD"], {
encoding: "utf-8",
stdio: ["pipe", "pipe", "ignore"],
}).trim();
Comment thread .github/update-release-branch.py
# For backports, the only source-level change vs the source branch is the new version number,
# so we just need to refresh the version embedded in `lib/`.
run_command('npm', 'ci')
# We only expect changes to the JavaScript output, rebuilding e.g. the PR checks is unnecessary.
@mbg
Copy link
Copy Markdown
Member

mbg commented May 20, 2026

High-level comment: consider how minification may affect stack traces and whether that is worth an extra 20% reduction in size.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

size/S Should be easy to review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@henrymercer @mbg @github-advanced-security