44725da08c
Analysis of Feb 17 data showed 400+ workflow runs/day consuming ~398 billable minutes (~200 hours/month projected). Implemented targeted optimizations: High-impact changes: - sec-audit.yml: add path filters (Cargo.toml, src/**, crates/**, deny.toml); skip docs-only PRs - test-benchmarks.yml: move from every-push-to-main to weekly schedule; retention 30d -> 7d - pub-docker-img.yml: tighten PR smoke build path filters to Docker-specific files only - sec-codeql.yml: reduce from twice-daily (14 runs/week) to weekly Medium-impact changes: - ci-run.yml: merge lint + lint-strict-delta into single job; drop --release from smoke build - feature-matrix.yml: remove push trigger (weekly-only); remove redundant cargo test step - dependabot.yml: monthly instead of weekly; reduce PR limits from 11 to 5/month; group all deps Runner cost savings: - Switch 6 lightweight API-only workflows to ubuntu-latest (PR Labeler, Intake, Auto Responder, Check Stale, Check Status, Sync Contributors) - pr-check-status.yml: reduce from every 12h to daily New files: - docs/ci-cost-optimization.md: comprehensive analysis and revised architecture documentation - scripts/ci/fetch_actions_data.py: reusable GitHub Actions cost analysis script Estimated impact: daily billable minutes ~400 -> ~120-150 (60-65%% reduction), monthly hours ~200 -> ~60-75, Dependabot PRs ~44/month -> ~5 (89%% reduction)
57 lines
1.5 KiB
YAML
57 lines
1.5 KiB
YAML
name: Sec Audit
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
paths:
|
|
- "Cargo.toml"
|
|
- "Cargo.lock"
|
|
- "src/**"
|
|
- "crates/**"
|
|
- "deny.toml"
|
|
pull_request:
|
|
branches: [main]
|
|
paths:
|
|
- "Cargo.toml"
|
|
- "Cargo.lock"
|
|
- "src/**"
|
|
- "crates/**"
|
|
- "deny.toml"
|
|
schedule:
|
|
- cron: "0 6 * * 1" # Weekly on Monday 6am UTC
|
|
|
|
concurrency:
|
|
group: security-${{ github.event.pull_request.number || github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
contents: read
|
|
security-events: write
|
|
actions: read
|
|
checks: write
|
|
|
|
env:
|
|
CARGO_TERM_COLOR: always
|
|
|
|
jobs:
|
|
audit:
|
|
name: Security Audit
|
|
runs-on: blacksmith-2vcpu-ubuntu-2404
|
|
timeout-minutes: 20
|
|
steps:
|
|
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
|
|
- uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
deny:
|
|
name: License & Supply Chain
|
|
runs-on: blacksmith-2vcpu-ubuntu-2404
|
|
timeout-minutes: 20
|
|
steps:
|
|
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
|
|
- uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2
|
|
with:
|
|
command: check advisories licenses sources
|