
feat(ci): harden shipped workflow templates — caching, timeouts, concurrency, SHA pins#887

Closed
diberry wants to merge 1 commit into dev from squad/886-ci-template-overhaul


Conversation


@diberry diberry commented Apr 6, 2026


Overhauls all 11 shipped GitHub Actions workflow templates for downstream consumer repos. Floating action tags, unbounded jobs, and credential exposure were the core problems.

Performance

  • cache: npm added to all setup-node steps (~2-5 min saved per run)
  • timeout-minutes on every job (10/15/20 min tiers by job weight)
  • Workflow-level concurrency groups with cancel-in-progress to kill stale runs

Supply Chain

  • All 26 action references SHA-pinned (zero floating tags remain)
  • contents: write workflows (release, insider-release, promote) prioritized first

Token Safety

  • persist-credentials: false on all read-only checkouts
  • COPILOT_ASSIGN_TOKEN documented as fine-grained PAT requiring Issues: Write
  • Removed unsafe || $GITHUB_TOKEN fallback in heartbeat
  • id-token: write scoped to deploy job only in squad-docs.yml
  • HAS_COPILOT_TOKEN guard added to squad-issue-assign.yml — Copilot assign step skips gracefully when PAT is not configured (mirrors heartbeat pattern)

Reliability

  • Bot-loop guards on label-triggered workflows
  • workflow_dispatch added to squad-ci.yml for manual reruns
  • All changes mirrored byte-for-byte across canonical (.squad-templates/) and package mirror locations
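As an added check (not part of this PR or of the Squad project), a small linter a downstream repo could run over its workflow files to verify the properties listed above: every uses: reference pinned to a 40-hex commit SHA, persist-credentials: false on every checkout, timeout-minutes on every job, and a workflow-level concurrency group. The two sample workflows are constructed, and the all-zero SHA is a placeholder for a real pin:

```python
import re
from itertools import takewhile
# Constructed sample workflows (not the project's templates); the all-zero SHA stands in for a real pin.
PLACEHOLDER_SHA = "0" * 40
WEAK = """\
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm ci && npm test
"""
HARDENED = """\
on: push
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@SHA # v4
        with: {persist-credentials: false}
      - uses: actions/setup-node@SHA # v4
        with: {cache: npm}
      - run: npm ci && npm test
""".replace("@SHA", "@" + PLACEHOLDER_SHA)
SHA_RE, USES_RE = re.compile(r"^[0-9a-f]{40}$"), re.compile(r"^(\s*)(-\s+)?uses:\s*([^\s#]+)")
def lint_workflow(text):
    # Line-based scan (no YAML library needed); returns one finding per hardening gap.
    lines, out, in_jobs, job, timeouts = text.splitlines(), [], False, None, {}
    if not any(ln.startswith("concurrency:") for ln in lines):
        out.append("workflow: no concurrency group, stale runs are never cancelled")
    for i, ln in enumerate(lines, 1):
        s, ind = ln.strip(), len(ln) - len(ln.lstrip(" "))
        if ind == 0 and s:                                       # a new top-level key
            job, in_jobs = None, s == "jobs:"
        elif in_jobs and ind == 2 and s.endswith(":"):           # a job name under jobs:
            job, timeouts[s[:-1]] = s[:-1], False
        elif job and ind == 4 and s.startswith("timeout-minutes:"):
            timeouts[job] = True
        elif (m := USES_RE.match(ln)) and not m.group(3).startswith("./"):
            action, _, ref = m.group(3).partition("@")
            if not SHA_RE.match(ref):                            # tag or branch, not an immutable commit
                out.append(f"line {i}: {action}@{ref or '<none>'} is a floating ref, pin a commit SHA")
            if action == "actions/checkout":                     # step body = lines indented >= the uses: key
                key_ind = ln.index("uses:")
                body = takewhile(lambda n: not n.strip() or len(n) - len(n.lstrip(" ")) >= key_ind, lines[i:])
                if not any("persist-credentials: false" in n for n in body):
                    out.append(f"line {i}: checkout persists the token in .git/config, set persist-credentials: false")
    out += [f"job {j}: no timeout-minutes, a hung step runs until the 6-hour default" for j, ok in timeouts.items() if not ok]
    return out
```

Running lint_workflow over WEAK reports five gaps (no concurrency group, two floating refs, a checkout that keeps the token, a job without a timeout), while HARDENED comes back clean.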


github-actions Bot commented Apr 6, 2026


🟠 Impact Analysis — PR #887

Risk tier: 🟠 HIGH

📊 Summary

Metric            Count
Files changed     45
Files added       1
Files modified    44
Files deleted     0
Modules touched   4

🎯 Risk Factors

  • 45 files changed (21-50 → HIGH)
  • 4 modules touched (2-4 → MEDIUM)

📦 Modules Affected

root (12 files)
  • .changeset/ci-template-overhaul.md
  • templates/workflows/squad-ci.yml
  • templates/workflows/squad-docs.yml
  • templates/workflows/squad-heartbeat.yml
  • templates/workflows/squad-insider-release.yml
  • templates/workflows/squad-issue-assign.yml
  • templates/workflows/squad-label-enforce.yml
  • templates/workflows/squad-preview.yml
  • templates/workflows/squad-promote.yml
  • templates/workflows/squad-release.yml
  • templates/workflows/squad-triage.yml
  • templates/workflows/sync-squad-labels.yml
squad-cli (11 files)
  • packages/squad-cli/templates/workflows/squad-ci.yml
  • packages/squad-cli/templates/workflows/squad-docs.yml
  • packages/squad-cli/templates/workflows/squad-heartbeat.yml
  • packages/squad-cli/templates/workflows/squad-insider-release.yml
  • packages/squad-cli/templates/workflows/squad-issue-assign.yml
  • packages/squad-cli/templates/workflows/squad-label-enforce.yml
  • packages/squad-cli/templates/workflows/squad-preview.yml
  • packages/squad-cli/templates/workflows/squad-promote.yml
  • packages/squad-cli/templates/workflows/squad-release.yml
  • packages/squad-cli/templates/workflows/squad-triage.yml
  • packages/squad-cli/templates/workflows/sync-squad-labels.yml
squad-sdk (11 files)
  • packages/squad-sdk/templates/workflows/squad-ci.yml
  • packages/squad-sdk/templates/workflows/squad-docs.yml
  • packages/squad-sdk/templates/workflows/squad-heartbeat.yml
  • packages/squad-sdk/templates/workflows/squad-insider-release.yml
  • packages/squad-sdk/templates/workflows/squad-issue-assign.yml
  • packages/squad-sdk/templates/workflows/squad-label-enforce.yml
  • packages/squad-sdk/templates/workflows/squad-preview.yml
  • packages/squad-sdk/templates/workflows/squad-promote.yml
  • packages/squad-sdk/templates/workflows/squad-release.yml
  • packages/squad-sdk/templates/workflows/squad-triage.yml
  • packages/squad-sdk/templates/workflows/sync-squad-labels.yml
templates (11 files)
  • .squad-templates/workflows/squad-ci.yml
  • .squad-templates/workflows/squad-docs.yml
  • .squad-templates/workflows/squad-heartbeat.yml
  • .squad-templates/workflows/squad-insider-release.yml
  • .squad-templates/workflows/squad-issue-assign.yml
  • .squad-templates/workflows/squad-label-enforce.yml
  • .squad-templates/workflows/squad-preview.yml
  • .squad-templates/workflows/squad-promote.yml
  • .squad-templates/workflows/squad-release.yml
  • .squad-templates/workflows/squad-triage.yml
  • .squad-templates/workflows/sync-squad-labels.yml

This report is generated automatically for every PR. See #733 for details.


github-actions Bot commented Apr 6, 2026


🏗️ Architectural Review

⚠️ Architectural review: 1 warning(s).

Severity: 🟡 warning
Category: sweeping-refactor
Finding: This PR touches 45 files (45 modified/added, 0 deleted). Large PRs are harder to review — consider splitting if possible.

Automated architectural review — informational only.

diberry force-pushed the squad/886-ci-template-overhaul branch from c114b3e to 1b7feef on April 6, 2026 21:29
diberry marked this pull request as ready for review April 6, 2026 21:48
Copilot AI review requested due to automatic review settings April 6, 2026 21:48

github-actions Bot commented Apr 6, 2026


🛫 PR Readiness Check

ℹ️ This comment updates on each push. Last checked: commit 697274a

PR Scope: 🔧 Infrastructure

⚠️ 4 item(s) to address before review

Check                      Details
Single commit              1 commit — clean history
Not in draft               Ready for review
Branch up to date          dev is 6 commit(s) ahead — rebase recommended
Copilot review             No Copilot review yet — it may still be processing
Changeset present          Changeset file found
Scope clean                No .squad/ or docs/proposals/ files
No merge conflicts         No merge conflicts
Copilot threads resolved   1 unresolved Copilot thread(s) — fix and resolve before merging
CI passing                 2 check(s) still running
Issue linked               Issue reference found
Protected files            No protected bootstrap files changed

Files Changed (45 files, +526 −128)

File +/−
.changeset/ci-template-overhaul.md +6 −0
.squad-templates/workflows/squad-ci.yml +29 −2
.squad-templates/workflows/squad-docs.yml +9 −5
.squad-templates/workflows/squad-heartbeat.yml +17 −6
.squad-templates/workflows/squad-insider-release.yml +8 −2
.squad-templates/workflows/squad-issue-assign.yml +16 −4
.squad-templates/workflows/squad-label-enforce.yml +10 −2
.squad-templates/workflows/squad-preview.yml +8 −2
.squad-templates/workflows/squad-promote.yml +8 −2
.squad-templates/workflows/squad-release.yml +8 −2
.squad-templates/workflows/squad-triage.yml +10 −3
.squad-templates/workflows/sync-squad-labels.yml +7 −2
packages/squad-cli/templates/workflows/squad-ci.yml +29 −2
packages/squad-cli/templates/workflows/squad-docs.yml +9 −5
packages/squad-cli/templates/workflows/squad-heartbeat.yml +17 −6
packages/squad-cli/templates/workflows/squad-insider-release.yml +8 −2
packages/squad-cli/templates/workflows/squad-issue-assign.yml +16 −4
packages/squad-cli/templates/workflows/squad-label-enforce.yml +10 −2
packages/squad-cli/templates/workflows/squad-preview.yml +8 −2
packages/squad-cli/templates/workflows/squad-promote.yml +8 −2
packages/squad-cli/templates/workflows/squad-release.yml +8 −2
packages/squad-cli/templates/workflows/squad-triage.yml +10 −3
packages/squad-cli/templates/workflows/sync-squad-labels.yml +7 −2
packages/squad-sdk/templates/workflows/squad-ci.yml +29 −2
packages/squad-sdk/templates/workflows/squad-docs.yml +9 −5
packages/squad-sdk/templates/workflows/squad-heartbeat.yml +17 −6
packages/squad-sdk/templates/workflows/squad-insider-release.yml +8 −2
packages/squad-sdk/templates/workflows/squad-issue-assign.yml +16 −4
packages/squad-sdk/templates/workflows/squad-label-enforce.yml +10 −2
packages/squad-sdk/templates/workflows/squad-preview.yml +8 −2
packages/squad-sdk/templates/workflows/squad-promote.yml +8 −2
packages/squad-sdk/templates/workflows/squad-release.yml +8 −2
packages/squad-sdk/templates/workflows/squad-triage.yml +10 −3
packages/squad-sdk/templates/workflows/sync-squad-labels.yml +7 −2
templates/workflows/squad-ci.yml +29 −2
templates/workflows/squad-docs.yml +9 −5
templates/workflows/squad-heartbeat.yml +17 −6
templates/workflows/squad-insider-release.yml +8 −2
templates/workflows/squad-issue-assign.yml +16 −4
templates/workflows/squad-label-enforce.yml +10 −2
templates/workflows/squad-preview.yml +8 −2
templates/workflows/squad-promote.yml +8 −2
templates/workflows/squad-release.yml +8 −2
templates/workflows/squad-triage.yml +10 −3
templates/workflows/sync-squad-labels.yml +7 −2

Total: +526 −128


This check runs automatically on every push. Fix any ❌ items and push again.
See CONTRIBUTING.md and PR Requirements for details.

Copilot AI left a comment


Pull request overview

Updates Squad’s shipped GitHub Actions workflow templates to reduce CI runtime and improve safety for downstream consumers by adding caching, timeouts, concurrency controls, bot-loop guards, and SHA-pinning action references across all mirrored template locations.

Changes:

  • Add timeout-minutes + workflow-level concurrency to cap runaway jobs and reduce duplicate runs.
  • SHA-pin all GitHub Actions used by templates; add cache: npm to setup-node workflows.
  • Harden token usage/docs (e.g., COPILOT_ASSIGN_TOKEN notes, remove unsafe fallback in heartbeat) and add bot-loop guards for label-triggered workflows.

Reviewed changes

Copilot reviewed 45 out of 45 changed files in this pull request and generated 7 comments.

File Description
templates/workflows/sync-squad-labels.yml Add concurrency + timeouts; SHA-pin actions.
templates/workflows/squad-triage.yml Add concurrency + timeouts; bot guard; SHA-pin; disable persisted checkout creds.
templates/workflows/squad-release.yml Add concurrency + timeouts; SHA-pin; add npm cache.
templates/workflows/squad-promote.yml Add concurrency + timeouts; SHA-pin checkout.
templates/workflows/squad-preview.yml Add concurrency + timeouts; SHA-pin; add npm cache.
templates/workflows/squad-label-enforce.yml Add concurrency + timeouts; bot guard; SHA-pin; disable persisted checkout creds.
templates/workflows/squad-issue-assign.yml Add concurrency + timeouts; bot guard; SHA-pin; document COPILOT_ASSIGN_TOKEN.
templates/workflows/squad-insider-release.yml Add concurrency + timeouts; SHA-pin; add npm cache.
templates/workflows/squad-heartbeat.yml Add concurrency + timeouts; SHA-pin; remove GITHUB_TOKEN fallback for Copilot assign step.
templates/workflows/squad-docs.yml Scope id-token: write to deploy job; add timeouts; SHA-pin actions.
templates/workflows/squad-ci.yml Add workflow_dispatch; add concurrency + timeouts; add paths-filter gate; SHA-pin actions; add npm cache.
packages/squad-sdk/templates/workflows/sync-squad-labels.yml Mirror of template updates (concurrency/timeouts/SHA pin).
packages/squad-sdk/templates/workflows/squad-triage.yml Mirror of template updates (guards/timeouts/SHA pin).
packages/squad-sdk/templates/workflows/squad-release.yml Mirror of template updates (timeouts/SHA pin/npm cache).
packages/squad-sdk/templates/workflows/squad-promote.yml Mirror of template updates (timeouts/SHA pin).
packages/squad-sdk/templates/workflows/squad-preview.yml Mirror of template updates (timeouts/SHA pin/npm cache).
packages/squad-sdk/templates/workflows/squad-label-enforce.yml Mirror of template updates (guards/timeouts/SHA pin).
packages/squad-sdk/templates/workflows/squad-issue-assign.yml Mirror of template updates (guards/timeouts/SHA pin/token docs).
packages/squad-sdk/templates/workflows/squad-insider-release.yml Mirror of template updates (timeouts/SHA pin/npm cache).
packages/squad-sdk/templates/workflows/squad-heartbeat.yml Mirror of template updates (timeouts/SHA pin/token hardening).
packages/squad-sdk/templates/workflows/squad-docs.yml Mirror of template updates (scoped id-token/timeouts/SHA pin).
packages/squad-sdk/templates/workflows/squad-ci.yml Mirror of template updates (paths-filter gate/timeouts/SHA pin/npm cache).
packages/squad-cli/templates/workflows/sync-squad-labels.yml Mirror of template updates (concurrency/timeouts/SHA pin).
packages/squad-cli/templates/workflows/squad-triage.yml Mirror of template updates (guards/timeouts/SHA pin).
packages/squad-cli/templates/workflows/squad-release.yml Mirror of template updates (timeouts/SHA pin/npm cache).
packages/squad-cli/templates/workflows/squad-promote.yml Mirror of template updates (timeouts/SHA pin).
packages/squad-cli/templates/workflows/squad-preview.yml Mirror of template updates (timeouts/SHA pin/npm cache).
packages/squad-cli/templates/workflows/squad-label-enforce.yml Mirror of template updates (guards/timeouts/SHA pin).
packages/squad-cli/templates/workflows/squad-issue-assign.yml Mirror of template updates (guards/timeouts/SHA pin/token docs).
packages/squad-cli/templates/workflows/squad-insider-release.yml Mirror of template updates (timeouts/SHA pin/npm cache).
packages/squad-cli/templates/workflows/squad-heartbeat.yml Mirror of template updates (timeouts/SHA pin/token hardening).
packages/squad-cli/templates/workflows/squad-docs.yml Mirror of template updates (scoped id-token/timeouts/SHA pin).
packages/squad-cli/templates/workflows/squad-ci.yml Mirror of template updates (paths-filter gate/timeouts/SHA pin/npm cache).
.squad-templates/workflows/sync-squad-labels.yml Canonical template: concurrency/timeouts/SHA pin.
.squad-templates/workflows/squad-triage.yml Canonical template: guards/timeouts/SHA pin + persist-credentials false.
.squad-templates/workflows/squad-release.yml Canonical template: timeouts/SHA pin/npm cache.
.squad-templates/workflows/squad-promote.yml Canonical template: timeouts/SHA pin.
.squad-templates/workflows/squad-preview.yml Canonical template: timeouts/SHA pin/npm cache.
.squad-templates/workflows/squad-label-enforce.yml Canonical template: guards/timeouts/SHA pin + persist-credentials false.
.squad-templates/workflows/squad-issue-assign.yml Canonical template: guards/timeouts/SHA pin/token docs.
.squad-templates/workflows/squad-insider-release.yml Canonical template: timeouts/SHA pin/npm cache.
.squad-templates/workflows/squad-heartbeat.yml Canonical template: timeouts/SHA pin/token hardening.
.squad-templates/workflows/squad-docs.yml Canonical template: scoped id-token/timeouts/SHA pin.
.squad-templates/workflows/squad-ci.yml Canonical template: paths-filter gate/timeouts/SHA pin/npm cache.
.changeset/ci-template-overhaul.md Changeset for CLI/SDK template updates.

Copilot comment threads:
  • .squad-templates/workflows/squad-ci.yml (2 threads, outdated)
  • .squad-templates/workflows/squad-docs.yml (outdated)
  • .squad-templates/workflows/squad-preview.yml (outdated)
  • .squad-templates/workflows/sync-squad-labels.yml (outdated)
  • .squad-templates/workflows/squad-heartbeat.yml (outdated)
  • .squad-templates/workflows/squad-issue-assign.yml
diberry force-pushed the squad/886-ci-template-overhaul branch from 1b7feef to 697274a on April 6, 2026 21:53
diberry changed the title from "feat(ci): CI template overhaul — performance & safety for shipped workflows" to "feat(ci): CI template overhaul — performance & safety for shipped workflows [DO NOT MERGE]" Apr 7, 2026
diberry force-pushed the squad/886-ci-template-overhaul branch from 697274a to 0b98222 on April 8, 2026 14:25
diberry force-pushed the squad/886-ci-template-overhaul branch from 0b98222 to 255ddd8 on April 8, 2026 15:56
Copilot AI changed the title from "feat(ci): CI template overhaul — performance & safety for shipped workflows [DO NOT MERGE]" to "feat(ci): harden shipped workflow templates — caching, timeouts, concurrency, SHA pins" Apr 8, 2026

diberry commented Apr 8, 2026


🔍 Squad Review — Kaylee (Engineering)

#  Check                      Notes
1  Changelog entry            .changeset/ci-template-overhaul.md present (patch bump for squad-cli + squad-sdk)
2  Squashed to 1 commit       1 commit
3  CI green                   All checks pass (including Copilot review check)
4  Copilot comments resolved  7 threads — all resolved (persist-credentials fixes applied, HAS_COPILOT_TOKEN guard added)
5  No .squad/ files           Clean — only .squad-templates/ files (canonical template source, expected)
6  No unrelated files         All 45 files are workflow templates across 3 mirror locations + canonical source
7  Tests for changes          YAML workflow templates only — no testable code
8  Not a duplicate/reversal   Unique scope (closes #886)

⚠️ DO NOT MERGE — per task instruction. mergeable_state is "blocked" (likely branch protection). Review completed for tracking purposes.

Verdict: ✅ Ready to merge (when DNM hold is lifted and branch protection resolved)


Review by Squad AI team (Kaylee — Engineering) · requested by Dina Berry

diberry closed this Apr 10, 2026