Joshua Shay Kricheli NeuroSymbolic AI

Release · v2.17.2

Harden CI/CD and drop decorative graph jobs

ci: harden CI/CD and drop decorative graph jobs

ci v2.17.2 June 23, 2026 Claude 83d9248

Details

- Remove the no-op jobs (ci-start, python-done, supabase-done) that existed
  only to shape the Actions graph; real jobs now fan out in parallel directly.
- Add a least-privilege top-level 'permissions: contents: read'; the deploy
  job keeps its own pages/id-token write scopes.
- Add per-job timeout-minutes so a hung external-link crawl can't pin a runner.
- Use 'npm ci' (lockfile-exact, reproducible) instead of 'npm install'.
- Drop the redundant explicit 'bundle install' (ruby/setup-ruby already runs it
  via bundler-cache).
- Don't cancel in-progress runs on main so a deploy is never killed mid-flight;
  still supersede stale runs on other refs.
- Single-source the public Gist owner/id via workflow env (was duplicated 4x).
- Pass the Gist token to the verify step via env instead of inline in the URL.
- Fix shellcheck SC2034 (unused loop var) in the parallel test orchestration.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01A9nJYCSwtVUrxubiU4VAMN

Files changed (1)

.github/workflows/ci.yml +33 −45
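
The hardening points listed in the commit message, shown together in one workflow. This is an added illustration, not the repository's `.github/workflows/ci.yml`; the job names, env values, secret name and the verify command are assumptions.

```yaml
# Added illustration; NOT the project's actual workflow file.
# Job names, env values, the secret name and the verify command are hypothetical.
name: ci
on: [push, pull_request]

permissions:
  contents: read               # least-privilege default for every job's GITHUB_TOKEN

concurrency:
  group: ci-${{ github.ref }}
  # Supersede stale runs on other refs, but never cancel a run on main mid-deploy.
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

env:                           # single source for the Gist coordinates
  GIST_OWNER: example-owner    # constructed placeholder
  GIST_ID: 0123456789abcdef    # constructed placeholder

jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 15        # a hung step cannot pin the runner
    steps:
      - uses: actions/checkout@v4
      - run: npm ci            # installs exactly what package-lock.json pins
      - name: Verify gist
        env:
          GIST_TOKEN: ${{ secrets.GIST_TOKEN }}
        run: |
          # Token is read from env and sent in a header, so it never appears in the URL.
          curl --fail --silent --show-error \
            -H "Authorization: Bearer ${GIST_TOKEN}" \
            "https://api.github.com/gists/${GIST_ID}" \
            | jq -e --arg owner "${GIST_OWNER}" '.owner.login == $owner' > /dev/null

  deploy:
    needs: test
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:               # job-level block replaces the top-level default
      pages: write
      id-token: write
    steps:
      - uses: actions/deploy-pages@v4
```

Because a job-level `permissions` block replaces the workflow default rather than extending it, the deploy job here holds only the two scopes it lists.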