Release · v2.17.2
Harden CI/CD and drop decorative graph jobs
ci: harden CI/CD and drop decorative graph jobs
Details
- Remove the no-op jobs (ci-start, python-done, supabase-done) that existed only to shape the Actions graph; real jobs now fan out in parallel directly.
- Add a least-privilege top-level 'permissions: contents: read'; the deploy job keeps its own pages/id-token write scopes.
- Add per-job timeout-minutes so a hung external-link crawl can't pin a runner.
- Use 'npm ci' (lockfile-exact, reproducible) instead of 'npm install'.
- Drop the redundant explicit 'bundle install' (ruby/setup-ruby already runs it via bundler-cache).
- Don't cancel in-progress runs on main so a deploy is never killed mid-flight; still supersede stale runs on other refs.
- Single-source the public Gist owner/id via workflow env (was duplicated 4x).
- Pass the Gist token to the verify step via env instead of inline in the URL.
- Fix shellcheck SC2034 (unused loop var) in the parallel test orchestration.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01A9nJYCSwtVUrxubiU4VAMN
Files changed (1)
| .github/workflows/ci.yml | +33 | −45 |
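The commit message lists the hardening changes but the page does not show the resulting workflow. The following is an added illustration, not the project's own ci.yml, of how each of those points looks in a GitHub Actions file: a read-only top-level token with write scopes granted only to the deploy job, per-job timeouts, lockfile-exact `npm ci`, `bundler-cache` in place of a separate `bundle install`, a `cancel-in-progress` expression that spares runs on main, Gist coordinates single-sourced in workflow `env`, and the Gist token passed through an environment variable and an `Authorization` header rather than in the URL. Job names, action versions, the `GIST_OWNER`/`GIST_ID` values, the `GIST_TOKEN` secret name, the Jekyll build command and the link-check script path are all assumptions made for the example.

```yaml
# Added example, not the project's ci.yml. Job names, action versions,
# GIST_OWNER/GIST_ID, the GIST_TOKEN secret name and script paths are assumed.
name: ci

on:
  push:
    branches: [main]
  pull_request:

# Least privilege by default: GITHUB_TOKEN can only read the repository.
# A job that needs more must declare it (see deploy below).
permissions:
  contents: read

# Supersede stale runs on PRs and feature branches, but never cancel a run
# on main, so a deploy is not killed mid-flight.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

# Single source for the public Gist coordinates (assumed values).
env:
  GIST_OWNER: example-owner
  GIST_ID: 0123456789abcdef0123456789abcdef

jobs:
  # No ci-start / *-done placeholder jobs: real jobs fan out in parallel.
  node:
    runs-on: ubuntu-latest
    timeout-minutes: 15                 # a hung step cannot pin the runner
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      # npm ci installs exactly what package-lock.json pins and fails if the
      # lockfile and package.json disagree; npm install may rewrite the lock.
      - run: npm ci
      - run: npm test

  site:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true           # runs bundle install; no separate step
      - run: bundle exec jekyll build   # assumed build command
      - uses: actions/upload-pages-artifact@v3
        with:
          path: ./_site

  links:
    runs-on: ubuntu-latest
    timeout-minutes: 10                 # the crawl is the job most likely to hang
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/check-links.sh   # assumed script path

  verify-gist:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      # The token travels in an env var and an Authorization header. In the
      # URL it would land in step logs, shell history and any proxy or
      # server access log that records request lines.
      - name: Verify public Gist
        env:
          GIST_TOKEN: ${{ secrets.GIST_TOKEN }}   # assumed secret name
        run: |
          curl --fail --silent --show-error \
            -H "Authorization: Bearer $GIST_TOKEN" \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/gists/$GIST_ID" \
            | jq -e --arg owner "$GIST_OWNER" '.owner.login == $owner'

  deploy:
    needs: [node, site, links, verify-gist]
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    timeout-minutes: 10
    # Only this job gets the write scopes Pages deployment needs.
    permissions:
      pages: write
      id-token: write
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - id: deployment
        uses: actions/deploy-pages@v4
```

One caveat worth checking when reviewing such a change: a job-level `permissions` map replaces the top-level one rather than extending it, so the deploy job above has no `contents` scope at all. That is fine for `actions/deploy-pages`, which only consumes the uploaded artifact, but a job that also runs `actions/checkout` must restate `contents: read` alongside its write scopes or the checkout will fail.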