feat(ci): harden shipped workflow templates — caching, timeouts, concurrency, SHA pins #887
diberry wants to merge 1 commit into
🟠 Impact Analysis — PR #887
Risk tier: 🟠 HIGH
📊 Summary
🎯 Risk Factors
📦 Modules Affected
- root (12 files)
- squad-cli (11 files)
- squad-sdk (11 files)
- templates (11 files)
This report is generated automatically for every PR. See #733 for details.
🏗️ Architectural Review
Automated architectural review — informational only.
c114b3e to 1b7feef
🛫 PR Readiness Check
PR Scope: 🔧 Infrastructure
| Status | Check | Details |
|---|---|---|
| ✅ | Single commit | 1 commit — clean history |
| ✅ | Not in draft | Ready for review |
| ❌ | Branch up to date | dev is 6 commit(s) ahead — rebase recommended |
| ❌ | Copilot review | No Copilot review yet — it may still be processing |
| ✅ | Changeset present | Changeset file found |
| ✅ | Scope clean | No .squad/ or docs/proposals/ files |
| ✅ | No merge conflicts | No merge conflicts |
| ❌ | Copilot threads resolved | 1 unresolved Copilot thread(s) — fix and resolve before merging |
| ❌ | CI passing | 2 check(s) still running |
| ✅ | Issue linked | Issue reference found |
| ✅ | Protected files | No protected bootstrap files changed |
Files Changed (45 files, +526 −128)
| File | +/− |
|---|---|
| .changeset/ci-template-overhaul.md | +6 −0 |
| .squad-templates/workflows/squad-ci.yml | +29 −2 |
| .squad-templates/workflows/squad-docs.yml | +9 −5 |
| .squad-templates/workflows/squad-heartbeat.yml | +17 −6 |
| .squad-templates/workflows/squad-insider-release.yml | +8 −2 |
| .squad-templates/workflows/squad-issue-assign.yml | +16 −4 |
| .squad-templates/workflows/squad-label-enforce.yml | +10 −2 |
| .squad-templates/workflows/squad-preview.yml | +8 −2 |
| .squad-templates/workflows/squad-promote.yml | +8 −2 |
| .squad-templates/workflows/squad-release.yml | +8 −2 |
| .squad-templates/workflows/squad-triage.yml | +10 −3 |
| .squad-templates/workflows/sync-squad-labels.yml | +7 −2 |
| packages/squad-cli/templates/workflows/squad-ci.yml | +29 −2 |
| packages/squad-cli/templates/workflows/squad-docs.yml | +9 −5 |
| packages/squad-cli/templates/workflows/squad-heartbeat.yml | +17 −6 |
| packages/squad-cli/templates/workflows/squad-insider-release.yml | +8 −2 |
| packages/squad-cli/templates/workflows/squad-issue-assign.yml | +16 −4 |
| packages/squad-cli/templates/workflows/squad-label-enforce.yml | +10 −2 |
| packages/squad-cli/templates/workflows/squad-preview.yml | +8 −2 |
| packages/squad-cli/templates/workflows/squad-promote.yml | +8 −2 |
| packages/squad-cli/templates/workflows/squad-release.yml | +8 −2 |
| packages/squad-cli/templates/workflows/squad-triage.yml | +10 −3 |
| packages/squad-cli/templates/workflows/sync-squad-labels.yml | +7 −2 |
| packages/squad-sdk/templates/workflows/squad-ci.yml | +29 −2 |
| packages/squad-sdk/templates/workflows/squad-docs.yml | +9 −5 |
| packages/squad-sdk/templates/workflows/squad-heartbeat.yml | +17 −6 |
| packages/squad-sdk/templates/workflows/squad-insider-release.yml | +8 −2 |
| packages/squad-sdk/templates/workflows/squad-issue-assign.yml | +16 −4 |
| packages/squad-sdk/templates/workflows/squad-label-enforce.yml | +10 −2 |
| packages/squad-sdk/templates/workflows/squad-preview.yml | +8 −2 |
| packages/squad-sdk/templates/workflows/squad-promote.yml | +8 −2 |
| packages/squad-sdk/templates/workflows/squad-release.yml | +8 −2 |
| packages/squad-sdk/templates/workflows/squad-triage.yml | +10 −3 |
| packages/squad-sdk/templates/workflows/sync-squad-labels.yml | +7 −2 |
| templates/workflows/squad-ci.yml | +29 −2 |
| templates/workflows/squad-docs.yml | +9 −5 |
| templates/workflows/squad-heartbeat.yml | +17 −6 |
| templates/workflows/squad-insider-release.yml | +8 −2 |
| templates/workflows/squad-issue-assign.yml | +16 −4 |
| templates/workflows/squad-label-enforce.yml | +10 −2 |
| templates/workflows/squad-preview.yml | +8 −2 |
| templates/workflows/squad-promote.yml | +8 −2 |
| templates/workflows/squad-release.yml | +8 −2 |
| templates/workflows/squad-triage.yml | +10 −3 |
| templates/workflows/sync-squad-labels.yml | +7 −2 |
Total: +526 −128
This check runs automatically on every push. Fix any ❌ items and push again.
See CONTRIBUTING.md and PR Requirements for details.
Pull request overview
Updates Squad’s shipped GitHub Actions workflow templates to reduce CI runtime and improve safety for downstream consumers by adding caching, timeouts, concurrency controls, bot-loop guards, and SHA-pinning action references across all mirrored template locations.
Changes:
- Add `timeout-minutes` + workflow-level `concurrency` to cap runaway jobs and reduce duplicate runs.
- SHA-pin all GitHub Actions used by templates; add `cache: npm` to `setup-node` workflows.
- Harden token usage/docs (e.g., COPILOT_ASSIGN_TOKEN notes, remove unsafe fallback in heartbeat) and add bot-loop guards for label-triggered workflows.
Reviewed changes
Copilot reviewed 45 out of 45 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| templates/workflows/sync-squad-labels.yml | Add concurrency + timeouts; SHA-pin actions. |
| templates/workflows/squad-triage.yml | Add concurrency + timeouts; bot guard; SHA-pin; disable persisted checkout creds. |
| templates/workflows/squad-release.yml | Add concurrency + timeouts; SHA-pin; add npm cache. |
| templates/workflows/squad-promote.yml | Add concurrency + timeouts; SHA-pin checkout. |
| templates/workflows/squad-preview.yml | Add concurrency + timeouts; SHA-pin; add npm cache. |
| templates/workflows/squad-label-enforce.yml | Add concurrency + timeouts; bot guard; SHA-pin; disable persisted checkout creds. |
| templates/workflows/squad-issue-assign.yml | Add concurrency + timeouts; bot guard; SHA-pin; document COPILOT_ASSIGN_TOKEN. |
| templates/workflows/squad-insider-release.yml | Add concurrency + timeouts; SHA-pin; add npm cache. |
| templates/workflows/squad-heartbeat.yml | Add concurrency + timeouts; SHA-pin; remove GITHUB_TOKEN fallback for Copilot assign step. |
| templates/workflows/squad-docs.yml | Scope id-token: write to deploy job; add timeouts; SHA-pin actions. |
| templates/workflows/squad-ci.yml | Add workflow_dispatch; add concurrency + timeouts; add paths-filter gate; SHA-pin actions; add npm cache. |
| packages/squad-sdk/templates/workflows/sync-squad-labels.yml | Mirror of template updates (concurrency/timeouts/SHA pin). |
| packages/squad-sdk/templates/workflows/squad-triage.yml | Mirror of template updates (guards/timeouts/SHA pin). |
| packages/squad-sdk/templates/workflows/squad-release.yml | Mirror of template updates (timeouts/SHA pin/npm cache). |
| packages/squad-sdk/templates/workflows/squad-promote.yml | Mirror of template updates (timeouts/SHA pin). |
| packages/squad-sdk/templates/workflows/squad-preview.yml | Mirror of template updates (timeouts/SHA pin/npm cache). |
| packages/squad-sdk/templates/workflows/squad-label-enforce.yml | Mirror of template updates (guards/timeouts/SHA pin). |
| packages/squad-sdk/templates/workflows/squad-issue-assign.yml | Mirror of template updates (guards/timeouts/SHA pin/token docs). |
| packages/squad-sdk/templates/workflows/squad-insider-release.yml | Mirror of template updates (timeouts/SHA pin/npm cache). |
| packages/squad-sdk/templates/workflows/squad-heartbeat.yml | Mirror of template updates (timeouts/SHA pin/token hardening). |
| packages/squad-sdk/templates/workflows/squad-docs.yml | Mirror of template updates (scoped id-token/timeouts/SHA pin). |
| packages/squad-sdk/templates/workflows/squad-ci.yml | Mirror of template updates (paths-filter gate/timeouts/SHA pin/npm cache). |
| packages/squad-cli/templates/workflows/sync-squad-labels.yml | Mirror of template updates (concurrency/timeouts/SHA pin). |
| packages/squad-cli/templates/workflows/squad-triage.yml | Mirror of template updates (guards/timeouts/SHA pin). |
| packages/squad-cli/templates/workflows/squad-release.yml | Mirror of template updates (timeouts/SHA pin/npm cache). |
| packages/squad-cli/templates/workflows/squad-promote.yml | Mirror of template updates (timeouts/SHA pin). |
| packages/squad-cli/templates/workflows/squad-preview.yml | Mirror of template updates (timeouts/SHA pin/npm cache). |
| packages/squad-cli/templates/workflows/squad-label-enforce.yml | Mirror of template updates (guards/timeouts/SHA pin). |
| packages/squad-cli/templates/workflows/squad-issue-assign.yml | Mirror of template updates (guards/timeouts/SHA pin/token docs). |
| packages/squad-cli/templates/workflows/squad-insider-release.yml | Mirror of template updates (timeouts/SHA pin/npm cache). |
| packages/squad-cli/templates/workflows/squad-heartbeat.yml | Mirror of template updates (timeouts/SHA pin/token hardening). |
| packages/squad-cli/templates/workflows/squad-docs.yml | Mirror of template updates (scoped id-token/timeouts/SHA pin). |
| packages/squad-cli/templates/workflows/squad-ci.yml | Mirror of template updates (paths-filter gate/timeouts/SHA pin/npm cache). |
| .squad-templates/workflows/sync-squad-labels.yml | Canonical template: concurrency/timeouts/SHA pin. |
| .squad-templates/workflows/squad-triage.yml | Canonical template: guards/timeouts/SHA pin + persist-credentials false. |
| .squad-templates/workflows/squad-release.yml | Canonical template: timeouts/SHA pin/npm cache. |
| .squad-templates/workflows/squad-promote.yml | Canonical template: timeouts/SHA pin. |
| .squad-templates/workflows/squad-preview.yml | Canonical template: timeouts/SHA pin/npm cache. |
| .squad-templates/workflows/squad-label-enforce.yml | Canonical template: guards/timeouts/SHA pin + persist-credentials false. |
| .squad-templates/workflows/squad-issue-assign.yml | Canonical template: guards/timeouts/SHA pin/token docs. |
| .squad-templates/workflows/squad-insider-release.yml | Canonical template: timeouts/SHA pin/npm cache. |
| .squad-templates/workflows/squad-heartbeat.yml | Canonical template: timeouts/SHA pin/token hardening. |
| .squad-templates/workflows/squad-docs.yml | Canonical template: scoped id-token/timeouts/SHA pin. |
| .squad-templates/workflows/squad-ci.yml | Canonical template: paths-filter gate/timeouts/SHA pin/npm cache. |
| .changeset/ci-template-overhaul.md | Changeset for CLI/SDK template updates. |
1b7feef to 697274a
697274a to 0b98222
…kflows [DO NOT MERGE]
0b98222 to 255ddd8
🔍 Squad Review — Kaylee (Engineering)
Verdict: ✅ Ready to merge (when DNM hold is lifted and branch protection resolved) Review by Squad AI team (Kaylee — Engineering) · requested by Dina Berry
Overhauls all 11 shipped GitHub Actions workflow templates for downstream consumer repos. Floating action tags, unbounded jobs, and credential exposure were the core problems.
Performance
- `cache: npm` added to all `setup-node` steps (~2-5 min saved per run)
- `timeout-minutes` on every job (10/15/20 min tiers by job weight)
- `concurrency` groups with `cancel-in-progress` to kill stale runs
Supply Chain
- `contents: write` workflows (release, insider-release, promote) prioritized first
Token Safety
- `persist-credentials: false` on all read-only checkouts
- `COPILOT_ASSIGN_TOKEN` documented as fine-grained PAT requiring `Issues: Write`
- `|| $GITHUB_TOKEN` fallback in heartbeat
- `id-token: write` scoped to deploy job only in `squad-docs.yml`
- `HAS_COPILOT_TOKEN` guard added to `squad-issue-assign.yml` — Copilot assign step skips gracefully when PAT is not configured (mirrors heartbeat pattern)
Reliability
- `workflow_dispatch` added to `squad-ci.yml` for manual reruns
- `.squad-templates/`) and package mirror locations
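The following is an added example, not one of Squad's shipped templates and not code from this PR: a single label-triggered workflow that combines the hardening patterns listed in both the Copilot summary and the Squad review above (workflow-level `concurrency` with `cancel-in-progress`, `timeout-minutes`, SHA-pinned actions, `persist-credentials: false`, `cache: npm`, a bot-loop guard, a token-presence guard with no `$GITHUB_TOKEN` fallback, and job-scoped write permissions). The `<FULL_COMMIT_SHA>`, `vX.Y.Z` and `<ASSIGNEE>` placeholders, the exact guard expressions, and the `gh issue edit` step are assumptions; the PR's own implementation of the `HAS_COPILOT_TOKEN` guard and bot guards may differ.

```yaml
# Added example (not a Squad template). Placeholders: <FULL_COMMIT_SHA> is the
# 40-character commit SHA you resolved and verified for the action version named
# in the trailing comment; <ASSIGNEE> is whoever the assign step should target.
name: example-hardened-label-workflow

on:
  issues:
    types: [labeled]
  workflow_dispatch:        # manual rerun without re-applying a label

# Default token is read-only; each job opts in to the single write scope it needs
# (the same job-level scoping applies to id-token: write for a deploy job).
permissions:
  contents: read

# One run per issue; a newer run for the same issue cancels the stale one.
# workflow_dispatch has no issue payload, so fall back to the run id.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.issue.number || github.run_id }}
  cancel-in-progress: true

jobs:
  assign:
    # Bot-loop guard (assumed expression): a label applied by the Actions bot,
    # e.g. by this workflow or a sibling, must not re-trigger this workflow.
    if: github.actor != 'github-actions[bot]'
    runs-on: ubuntu-latest
    timeout-minutes: 10      # cap runaway jobs; without this GitHub allows 360 min
    permissions:
      issues: write          # only scope this job needs beyond contents: read
    env:
      # Secrets cannot be tested in `if:` directly; expose presence via env.
      COPILOT_ASSIGN_TOKEN: ${{ secrets.COPILOT_ASSIGN_TOKEN }}
      ISSUE_NUMBER: ${{ github.event.issue.number }}
    steps:
      # SHA-pinned: a moved tag cannot change what runs here. Keep the tag in a
      # comment so Dependabot/Renovate can still track updates.
      - uses: actions/checkout@<FULL_COMMIT_SHA> # vX.Y.Z
        with:
          persist-credentials: false   # read-only checkout: no token left in .git/config

      - uses: actions/setup-node@<FULL_COMMIT_SHA> # vX.Y.Z
        with:
          node-version: 20
          cache: npm                   # reuses ~/.npm keyed on package-lock.json

      - run: npm ci

      # Token-presence guard: skip gracefully when the PAT is not configured.
      # Deliberately no `|| $GITHUB_TOKEN` fallback: GITHUB_TOKEN cannot stand in
      # for a fine-grained PAT with Issues: Write, and silently falling back hides
      # the misconfiguration.
      - id: token
        shell: bash
        run: |
          if [ -n "$COPILOT_ASSIGN_TOKEN" ]; then
            echo "present=true" >> "$GITHUB_OUTPUT"
          else
            echo "present=false" >> "$GITHUB_OUTPUT"
            echo "::notice::COPILOT_ASSIGN_TOKEN not configured; skipping assignment"
          fi

      - if: steps.token.outputs.present == 'true'
        env:
          GH_TOKEN: ${{ secrets.COPILOT_ASSIGN_TOKEN }}   # fine-grained PAT, Issues: Write
        shell: bash
        # Illustrative step; event data is read from env, never interpolated into the script.
        run: gh issue edit "$ISSUE_NUMBER" --add-assignee "<ASSIGNEE>"
```

When reviewing a template against this shape, the checks worth making are mechanical: every `uses:` resolves to a full commit SHA rather than a tag, every job carries `timeout-minutes`, write scopes appear only at job level on the job that needs them, and any checkout that is not followed by a push sets `persist-credentials: false`.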