Self-hosted PyPI download badge service that winnows CI traffic out of download counts.
Project description
pypi-winnow-downloads
Self-hosted PyPI download badge service that winnows CI traffic out of download
counts. Produces shields.io-compatible endpoint
badges filtered by BigQuery's details.ci flag and an interactive-installer
allowlist (pip, uv, poetry, pdm, pipenv, pipx) — more honest than
any existing alternative for small or young Python packages.
Eating our own dogfood — the download-count badge in the row above and the breakdown below are produced by this project itself; the reference deployment at
pypi-badges.intfar.comrefreshes them daily via systemd timer. Both views track the samepypi-winnow-downloadspackage over a 30-day non-CI window.
By installer (30d, non-CI):
What these badges actually count
The hero badge — labelled pip*/uv/poetry/pdm (Nd) (N=30 in the reference
deployment, configurable per-package via window_days) — counts downloads that meet
all of these conditions over the configured rolling window:
details.ci != True(BigQuery's CI-detection flag is not set)details.installer.nameis one of the interactive Python packaging tools:pip,uv,poetry,pdm,pipenv, orpipx(the asterisk inpip*coverspipitself pluspipenvandpipx, which delegate to pip and inherit its installer telemetry pattern)
Excluded (the things that inflate other badges):
- Mirrors:
bandersnatch,Nexus,devpi,Artifactory,z3c.pypimirror - Browser fetches via the PyPI web UI (
installer_name == "Browser") - Generic HTTP UAs used by scrapers and scanners (
requests,curl, etc.) - Unknown installer (
installer_name == "None") — uncategorised traffic that in practice is dominated by automated scanners
For context on how much these can dwarf real installs: at v1 deploy time, one
of the seed packages had 2,771 "non-CI" downloads in 30 days under a naïve
mirror-and-all-installers query, of which 1,325 (48%) was bandersnatch alone
and only 14 came from pip + uv + poetry + pdm. The honest signal is the 14.
The filter is fail-closed: a future pypinfo emitting a new mainstream
installer will be excluded until the allowlist in
src/pypi_winnow_downloads/collector.py is updated explicitly. That's a feature
for a project whose pitch is honesty.
Per-installer breakdown. Alongside the hero, the reference deployment also
produces one badge per installer in the allowlist (pip, pipenv, pipx,
uv, poetry, pdm) plus a pip* aggregate (pip + pipenv + pipx). Each
applies the same details.ci != True filter as the hero — so they answer
"non-CI downloads broken down by which packaging tool the user was running."
Useful for spotting installer-mix shifts (e.g., uv overtaking pip on a young
package). See Use this service for your own package
below for the per-installer URL pattern.
Install
uv tool install pypi-winnow-downloads
uv tool drops the
winnow-collect console-script onto your PATH in an isolated environment
without touching your system Python. If you don't have uv installed, plain pip
also works:
pip install pypi-winnow-downloads
The collector queries Google's public PyPI BigQuery dataset via
pypinfo, so before the first run you'll need a Google Cloud service
account JSON key. Pypinfo's
installation guide
walks the full setup (create a GCP project, enable the BigQuery API,
generate the JSON key) and recommends the broad BigQuery User role;
the narrower pair BigQuery Job User + BigQuery Data Viewer also
works and is what config.example.yaml and the reference deploy
document. Then point service.credential_file in your config at the
resulting file.
Run with a YAML config — copy
config.example.yaml
and edit:
winnow-collect --config /path/to/config.yaml
To deploy as a daily systemd timer plus a Caddy HTTPS service serving the
output directory, see
deploy/README.md.
Use this service for your own package
The reference deployment at pypi-badges.intfar.com produces eight badge
JSON files per configured package per window, all under
https://pypi-badges.intfar.com/<package>/:
| File | Label | What it counts |
|---|---|---|
downloads-30d-non-ci.json |
pip*/uv/poetry/pdm (30d) |
All six allowlisted installers summed (the v1 hero) |
installer-pip-30d-non-ci.json |
pip (30d) |
pip only |
installer-pipenv-30d-non-ci.json |
pipenv (30d) |
pipenv only |
installer-pipx-30d-non-ci.json |
pipx (30d) |
pipx only |
installer-uv-30d-non-ci.json |
uv (30d) |
uv only |
installer-poetry-30d-non-ci.json |
poetry (30d) |
poetry only |
installer-pdm-30d-non-ci.json |
pdm (30d) |
pdm only |
installer-pip-family-30d-non-ci.json |
pip* (30d) |
pip + pipenv + pipx aggregate |
All files exclude CI traffic (BigQuery's details.ci != True). Each is a
shields.io endpoint badge JSON.
To embed any of these in your own README, wrap the file URL in shields.io's
/endpoint?url= form, URL-encoding the inner URL (/ becomes %2F, :
becomes %3A):
[](https://pypi.org/project/<your-package>/)
Replace <your-package> with your PyPI package name. The same template
works for any of the eight files — substitute the filename. The window
length (30d in the examples) reflects the reference deployment's
window_days: 30 setting; if you self-host, your own deployment's
window_days substitutes here.
To get your package added to the reference deployment's config.yaml,
open an issue
or run your own collector — see
deploy/README.md.
Status
Beta as of v0.2.0. Self-hosted reference deployment running at
pypi-badges.intfar.com since 2026-04-25, producing daily badges for
four target packages (the three seed packages in config.example.yaml
plus pypi-winnow-downloads itself for the dogfood badge). Test suite
holds 100% line coverage on src/. The v1 hero badge JSON shape and
filename are stable and won't change before 1.0; new badge files may
be added (the v2 installer-mix breakdown landed in v0.2.0 alongside
the unchanged hero). Expect occasional breaking changes elsewhere in
the 0.x series — the Changed/Removed sections of CHANGELOG.md
are where to look on each release.
Acknowledgments
This project rests on three pieces of upstream work:
- pypinfo by Ofek Lev: the BigQuery
query layer for the PyPI download dataset.
pypi-winnow-downloadsis essentially a filter and badge writer wrapped around pypinfo. - shields.io renders the endpoint badges. The collector emits the JSON shape that shields.io's endpoint badge consumes, so badges inherit its caching, theming, and SVG rendering.
- The
bigquery-public-data.pypi.file_downloadsdataset, hosted by Google as a public BigQuery dataset and populated by the PyPI Linehaul pipeline, is the underlying data source. Without it, no installer-level breakdown of PyPI downloads would be possible.
Designed and built collaboratively with
Claude Code (Anthropic) across
planning, implementation, review, and QA. Significant subsystems (the
pypinfo XDG_DATA_HOME isolation, the sys.executable-based pypinfo
resolver, the installer-allowlist filter, the deploy/ examples)
emerged through that planner / Dev / QA loop.
License
Licensed under the Apache License, Version 2.0.
© 2026 Chris Means.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file pypi_winnow_downloads-0.2.0.tar.gz.
File metadata
- Download URL: pypi_winnow_downloads-0.2.0.tar.gz
- Upload date:
- Size: 156.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
872d2cd7e9228acac3322e98d02908d8ebaaf75714de2d04b35663456071b1e0
|
|
| MD5 |
8ac8bd3df49973dae5f77bac83fb2940
|
|
| BLAKE2b-256 |
87932e936b0f5a25923827b1b4f8f4ef735ac811054b77e39dd53df792df52c5
|
Provenance
The following attestation bundles were made for pypi_winnow_downloads-0.2.0.tar.gz:
Publisher:
publish.yml on cmeans/pypi-winnow-downloads
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
pypi_winnow_downloads-0.2.0.tar.gz -
Subject digest:
872d2cd7e9228acac3322e98d02908d8ebaaf75714de2d04b35663456071b1e0 - Sigstore transparency entry: 1403487057
- Sigstore integration time:
-
Permalink:
cmeans/pypi-winnow-downloads@35aca51213e6caa88f686429fcd04f83dad9af0c -
Branch / Tag:
refs/tags/v0.2.0 - Owner: https://github.com/cmeans
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@35aca51213e6caa88f686429fcd04f83dad9af0c -
Trigger Event:
push
-
Statement type:
File details
Details for the file pypi_winnow_downloads-0.2.0-py3-none-any.whl.
File metadata
- Download URL: pypi_winnow_downloads-0.2.0-py3-none-any.whl
- Upload date:
- Size: 18.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
32d8d87713ca835537381b4b0c8d3ba8aba576c5f800ae03f80e50c9f0023dc8
|
|
| MD5 |
87d4e8451ea56001824333392b20c15b
|
|
| BLAKE2b-256 |
c5928d8bced4ec971218ad69e2dac1b8df77ce7160b4f7090532c088030ab852
|
Provenance
The following attestation bundles were made for pypi_winnow_downloads-0.2.0-py3-none-any.whl:
Publisher:
publish.yml on cmeans/pypi-winnow-downloads
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
pypi_winnow_downloads-0.2.0-py3-none-any.whl -
Subject digest:
32d8d87713ca835537381b4b0c8d3ba8aba576c5f800ae03f80e50c9f0023dc8 - Sigstore transparency entry: 1403487167
- Sigstore integration time:
-
Permalink:
cmeans/pypi-winnow-downloads@35aca51213e6caa88f686429fcd04f83dad9af0c -
Branch / Tag:
refs/tags/v0.2.0 - Owner: https://github.com/cmeans
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@35aca51213e6caa88f686429fcd04f83dad9af0c -
Trigger Event:
push
-
Statement type: