ci: reduce GitHub Actions consumption across CI workflows#11007
Merged
cesararroba merged 13 commits into master on May 5, 2026
Conversation
Add a concurrency group to ui-e2e-tests-v2.yml so a new push to the same PR cancels any in-flight E2E run. UI E2E is the highest wall-clock workflow without cancel-in-progress today.
Add paths filters to the SDK, API, and UI test/quality/security workflows so PRs that don't touch each component's source tree no longer trigger them. Same paths applied to push and pull_request. Files: sdk-tests, sdk-code-quality, sdk-security, sdk-check-duplicate-test-names, api-tests, api-code-quality, api-security, ui-tests.
… cache mode=min

Three co-located changes to sdk-/api-/ui-/mcp-container-checks.yml:

- Add workflow-level paths filters (component source + workflow file + Dockerfiles where applicable) so unrelated PRs skip the workflow.
- Drop the arm64 matrix leg on pull_request events; push and release events keep amd64+arm64. arm64 PR coverage is preserved by the new nightly arm64 build verification workflow (separate commit).
- Switch buildx cache-to mode from 'max' to 'min' on pull_request events to reduce per-PR cache footprint and ease eviction pressure at the 10 GiB per-repo cache cap. Push/release keep mode=max.
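The two commit messages above gate whole workflows on paths filters, and the PR description further down this page warns that a filter which never matches leaves any required status check from that workflow stuck in pending. The following is an added example, not code from the prowler repository: it implements GitHub's documented filter-pattern semantics (a single star stops at a slash, a double star crosses directories, a leading exclamation mark negates, and the last matching pattern wins), decides which workflows a given change set triggers, and lists the required checks that would never report. Workflow and job names follow the PR's own required-checks list; the globs, the pr-conflict-checker entry and the REQUIRED set are assumptions for illustration. It also shows why the commit above includes the workflow file itself in its filter: a PR that edits only .github/workflows/sdk-tests.yml still exercises that workflow, which matters most for the security-scan workflows.

```python
"""Which paths-filtered workflows does a change set trigger, and which
branch-protection required checks would it leave stuck in 'pending'?

Added example for this PR page; not code from the prowler repository.
Workflow and job names follow the PR's required-checks list; the globs,
the pr-conflict-checker entry and REQUIRED are constructed assumptions.
"""
import re
from typing import Dict, Iterable, List, Optional, Set


def _glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one GitHub filter pattern into an anchored regex.
    Per the docs: '*' matches anything except '/', '**' matches anything
    including '/', '?' matches one character; '**/' also matches zero
    leading directories so '**/*.py' covers a top-level foo.py."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def path_matches(path: str, patterns: Iterable[str]) -> bool:
    """Apply an ordered paths filter to one file. Patterns are evaluated
    top to bottom and the LAST match decides: a '!' pattern after a
    positive match excludes the file, a positive pattern after a negative
    one re-includes it. A file matched by nothing is not selected."""
    selected = False
    for pat in patterns:
        negate = pat.startswith("!")
        if _glob_to_regex(pat[1:] if negate else pat).match(path):
            selected = not negate
    return selected


def workflow_runs(paths_filter: Optional[List[str]], changed_files: Iterable[str]) -> bool:
    """No paths filter: the workflow runs on every event of that type.
    With a filter: it runs if at least one changed file is selected."""
    if not paths_filter:
        return True
    return any(path_matches(f, paths_filter) for f in changed_files)


def stuck_required_checks(workflows: Dict[str, dict], required: Set[str],
                          changed_files: Iterable[str]) -> List[str]:
    """Required check contexts whose workflow will not run for this change
    set. GitHub reports no status for a workflow skipped by its filter, so
    these stay 'pending' and block the merge."""
    files = list(changed_files)
    stuck = []
    for wf in workflows.values():
        if not workflow_runs(wf["paths"], files):
            stuck.extend(job for job in wf["jobs"] if job in required)
    return sorted(stuck)


# Constructed stand-in for the post-PR workflow set. Job names are the ones
# the PR lists as likely required checks; the globs are assumptions.
WORKFLOWS = {
    "sdk-tests.yml": {
        "paths": ["prowler/**", "tests/**", "pyproject.toml",
                  ".github/workflows/sdk-tests.yml"],  # workflow file included on purpose
        "jobs": ["sdk-tests (3.10)", "sdk-tests (3.11)", "sdk-tests (3.12)"],
    },
    "api-tests.yml": {
        "paths": ["api/**", "!api/docs/**", ".github/workflows/api-tests.yml"],
        "jobs": ["api-tests"],
    },
    "ui-tests.yml": {
        "paths": ["ui/**", ".github/workflows/ui-tests.yml"],
        "jobs": ["ui-tests"],
    },
    # Assumed: an unfiltered helper that runs on every PR.
    "pr-conflict-checker.yml": {"paths": None, "jobs": ["pr-conflict-checker"]},
}

# Assumed branch-protection required-check contexts.
REQUIRED = {"sdk-tests (3.10)", "sdk-tests (3.11)", "sdk-tests (3.12)",
            "api-tests", "ui-tests"}


def report(changed_files: List[str]) -> str:
    stuck = stuck_required_checks(WORKFLOWS, REQUIRED, changed_files)
    if not stuck:
        return "all required checks will report"
    return "required checks left pending: " + ", ".join(stuck)


if __name__ == "__main__":
    for change_set in (["prowler/providers/aws/aws_provider.py"],
                       ["api/docs/index.md"],
                       [".github/workflows/sdk-tests.yml", "ui/app/page.tsx"]):
        print(change_set, "->", report(change_set))
```

Run it against the real file list of a PR (for example the output of git diff --name-only against the base branch) and the branch-protection contexts to see which checks the paths filters would leave pending; a README-only change lists every filtered required check, which is exactly the situation the PR description asks reviewers to rule out.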
Apply the same conditional cache-to mode pattern used in *-container-checks.yml for consistency. These workflows currently have no pull_request trigger, so the conditional resolves to 'max' on every existing event — behavioural no-op today, future-proof when/if PR triggers are added.
Schedule a nightly cron (04:00 UTC) plus workflow_dispatch that builds the sdk, api, ui, and mcp container images on ubuntu-24.04-arm runners. This restores the arm64 coverage that was dropped from PR-time matrix in *-container-checks.yml so arm64 regressions are caught within ~24h of merge. Notify on failure via existing Slack secrets. fail-fast: false so one component's failure does not mask the others. Cache scoped to arm64 with mode=min — does not interfere with PR/push caches.
Replace fetch-depth: 0 (full history clone) with fetch-depth: 1 in the PR conflict checker and the PR changelog/compliance-mapping checkers, then explicitly fetch the PR base ref so tj-actions/changed-files still resolves the diff range. These workflows only need the diff against the base branch, not the entire ~8k-commit history.
Reduce fetch-depth from 0 (full history) to 50 commits — TruffleHog needs the diff range, not the entire history. Then split the scan step into PR and push variants so each scans only its own delta:

- PR: --since-commit $base.sha --branch $head.ref
- Push: --since-commit $github.event.before, with a fallback to github.sha when event.before is the zero SHA (first push to a new branch).
… PyPI

Two related fixes for the mcp-pypi-release HTTP 400 'file already exists' failures.

Structural fix — new mcp-bump-version.yml: trigger on release.published. Resolves the target MCP version from mcp_server/CHANGELOG.md by matching '(Prowler v<release_tag>)' — the same regex prepare-release.yml uses for release notes. Skips when no MCP entry exists for the released Prowler version, and when pyproject.toml is already at the changelog version. Mirrors api-bump-version's master + version-branch PR pattern.

Safety net — mcp-pypi-release.yml: pre-flight PyPI version check gates the build and publish steps. If the version in mcp_server/pyproject.toml already exists on PyPI, the workflow emits a ::notice:: and skips publish instead of failing the run. Covers releases with no MCP changes, unmerged bump PRs, and workflow_dispatch re-runs.
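The pre-flight check the commit above describes can be exercised offline. The following is an added example, not the workflow's own step: it reads the [project] version from pyproject.toml, compares it against the releases listed in PyPI's JSON API document (a constructed response stands in for the live one), writes publish=true or publish=false to $GITHUB_OUTPUT so the Build and Publish steps can be gated with an if: condition, and prints the ::notice:: workflow command instead of failing when the version already exists. The package name, the version numbers and the lightweight version normalisation are assumptions; a production run would use the live document and a PEP 440 comparison via packaging.version. One caveat a release engineer should know: PyPI refuses to accept a filename again even after that release has been deleted, and a deleted release no longer appears in the JSON document, so this check cannot catch that particular source of a 400.

```python
"""Pre-flight 'already on PyPI?' gate for a release workflow.

Added example for this PR page; not the workflow's own step. The PyPI
document and the pyproject.toml text are constructed stand-ins; the
package name and versions are assumptions.
"""
import json
import urllib.error
import urllib.request
from typing import Dict, Optional, Set

PYPI_JSON_URL = "https://pypi.org/pypi/{project}/json"


def read_pyproject_version(pyproject_text: str) -> str:
    """Return [project].version. Uses tomllib on Python 3.11+, otherwise a
    line scanner that only looks inside the [project] table."""
    try:
        import tomllib  # stdlib since Python 3.11
        return tomllib.loads(pyproject_text)["project"]["version"]
    except ModuleNotFoundError:
        pass
    in_project = False
    for line in pyproject_text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_project = s == "[project]"
        elif in_project and s.startswith("version"):
            key, _, value = s.partition("=")
            if key.strip() == "version":
                return value.strip().strip('"').strip("'")
    raise ValueError("no [project].version in pyproject.toml")


def normalize(version: str) -> str:
    """Cheap comparison key: strip whitespace, case and a leading 'v'.
    PyPI applies full PEP 440 normalisation (1.0rc1 == 1.0-rc1); use
    packaging.version for that in production."""
    v = version.strip().lower()
    return v[1:] if v.startswith("v") else v


def published_versions(pypi_doc: dict) -> Set[str]:
    """Versions PyPI currently lists for the project. A deleted release is
    absent here even though PyPI still rejects its filenames."""
    return {normalize(v) for v in pypi_doc.get("releases", {})}


def fetch_pypi_doc(project: str) -> dict:
    """Live lookup (not used by the offline sample). A 404 means the project
    has never been published, which is a valid 'nothing to skip' answer."""
    try:
        with urllib.request.urlopen(PYPI_JSON_URL.format(project=project), timeout=10) as r:
            return json.load(r)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return {"releases": {}}
        raise


def preflight(local_version: str, pypi_doc: dict,
              github_output: Optional[str] = None) -> Dict[str, object]:
    """Decide whether to publish. Appends publish=true|false and version=
    to $GITHUB_OUTPUT so later steps can gate on
    steps.preflight.outputs.publish == 'true', and prints a ::notice::
    workflow command instead of failing when the version already exists."""
    exists = normalize(local_version) in published_versions(pypi_doc)
    if exists:
        print(f"::notice::{local_version} is already on PyPI; skipping build and publish")
    if github_output:
        with open(github_output, "a", encoding="utf-8") as fh:
            fh.write(f"publish={'false' if exists else 'true'}\n")
            fh.write(f"version={local_version}\n")
    return {"version": local_version, "publish": not exists}


# Constructed sample inputs (not the real project files or PyPI data).
SAMPLE_PYPROJECT = """
[build-system]
requires = ["hatchling"]

[project]
name = "example-mcp-server"
version = "1.4.0"
dependencies = [
  "mcp>=1.0",
]
"""

SAMPLE_PYPI_DOC = {
    "info": {"name": "example-mcp-server", "version": "1.4.0"},
    "releases": {"1.2.0": [{}], "1.3.0": [{}], "1.4.0": [{}]},
}


if __name__ == "__main__":
    import os
    version = read_pyproject_version(SAMPLE_PYPROJECT)
    print(preflight(version, SAMPLE_PYPI_DOC, os.environ.get("GITHUB_OUTPUT")))
```

In a workflow step the script would call fetch_pypi_doc with the real project name and pass the pyproject.toml contents; the two later steps then carry if: steps.<id>.outputs.publish == 'true', so a re-run of an already published version ends green with a notice rather than red with an HTTP 400.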
✅ Conflict Markers Resolved: All conflict markers have been successfully resolved in this pull request.
Codecov Report: ✅ All modified and coverable lines are covered by tests.

@@            Coverage Diff             @@
##           master   #11007       +/-   ##
===========================================
+ Coverage   59.14%   93.65%   +34.50%
===========================================
  Files           8      230      +222
  Lines         399    33936    +33537
===========================================
+ Hits          236    31782    +31546
- Misses        163     2154     +1991

Flags with carried forward coverage won't be shown.
Match the existing ignore pattern used by the other *-container-build-push workflows that legitimately need SLACK_BOT_TOKEN and SLACK_PLATFORM_DEPLOYMENTS without an environment scope.
Context
The org hit the 50,000 private-Actions-minutes monthly quota last cycle (~405% of quota at the 30-day mark).
prowler is a public repo (Actions free in this repo) but every workflow file here is auto-mirrored to the private prowler-cloud repo, where minutes are billed. Optimizations applied here therefore reduce prowler-cloud billable consumption directly via the existing workflow-sync.

This PR groups eight thematic CI changes that, together, are estimated to remove ~21–25k Actions minutes / 30 days at current PR cadence (per audit baseline; see "Description" for per-change figures).
Description
Eight commits, one per theme. Per-change estimates are conservative midpoints from the 30-day baseline (window 2026-04-05 → 2026-05-05).
1. ci(ui): cancel in-progress E2E runs on superseded PR pushes — adds concurrency.cancel-in-progress to ui-e2e-tests-v2.yml. Estimated ~3,500 min/30d (was the highest-value missing-concurrency hit at 12,328 min/30d total).
2. ci: add workflow-level paths filters to skip irrelevant PR runs — adds paths: filters under push: and pull_request: for 8 SDK/API/UI test/quality/security workflows so PRs that don't touch each component skip them. Estimated ~6,000–7,000 min/30d combined.
3. ci(container-checks): add paths filters, build amd64-only on PRs, use cache mode=min — three co-located changes to the four *-container-checks.yml files. amd64-only on PRs alone saves ~3,000 min/30d on SDK and ~2,500 + ~1,800 min/30d on API/UI; paths filters and cache-mode change add ~1–2k more.
4. ci(container-build-push): use cache mode=min on PR builds — same conditional-mode pattern on the four *-container-build-push.yml files. Behavioural no-op today (no PR triggers) but kept for consistency and future-proofing. ~0 min/30d immediate; secondary cache-eviction relief.
5. ci: add nightly arm64 container build verification — new nightly-arm64-container-builds.yml that builds sdk/api/ui/mcp on ubuntu-24.04-arm at 04:00 UTC + on demand. Restores arm64 coverage dropped from PR matrix in commit 3. Cost: ~120 min/30d total across 4 components.
6. ci: shallow-clone PR helpers and fetch only the base ref — pr-conflict-checker.yml, pr-check-changelog.yml, pr-check-compliance-mapping.yml switch from fetch-depth: 0 (full ~8k-commit history) to fetch-depth: 1 plus an explicit base-ref fetch. Estimated ~1,900 min/30d combined.
7. ci(secrets): scan only the PR/push diff with TruffleHog — find-secrets.yml reduces fetch-depth: 0 → 50 and splits the scan step into PR (--since-commit base.sha) and push (--since-commit github.event.before) variants. Estimated ~1,000 min/30d.
8. ci(mcp): bump version from changelog and skip republish if already on PyPI — addresses the chronic mcp-pypi-release HTTP 400 failures with both a structural fix (new mcp-bump-version.yml reads mcp_server/CHANGELOG.md for the target version) and a safety-net check (mcp-pypi-release.yml skips publish when the version already exists on PyPI). Cost-neutral; reliability win.

Updates after initial push

9. (697d14214) — ci(container-checks): drop multi-arch matrix; arm64 covered by nightly. Removed the arch matrix from the four *-container-checks.yml files entirely (was already amd64-only on PRs after commit 3; arm64 on master pushes was redundant given the nightly cron from commit 5). Additional ~1,000 min/30d savings on master pushes.
10. (4043830ff) — ci: remove EOL v3 and v4.x release branch references. The v3 and v4.6 release branches are EOL (last human commit ~13 months ago); removed dead trigger entries.
11. (03ff9cf26) — ci(mcp): drop bump-version workflow; pre-flight PyPI check is the safety net. Per user decision (Option C): dropped the new mcp-bump-version.yml introduced in commit 8. The pre-flight PyPI existence check in mcp-pypi-release.yml is sufficient to prevent the recurring HTTP 400; MCP version stays manually bumped.
12. (8a6355b29) — ci(secrets): rely on TruffleHog action's built-in PR/push diff handling. Regression fix: the --since-commit flag added in commit 7 is duplicated by the TruffleHog action's own diff-range handling and broke the workflow. Reverted to letting the action handle the range.
13. (6d1380c87) — ci(zizmor): silence secrets-outside-env on nightly-arm64 builds. Adds nightly-arm64-container-builds.yml to the existing secrets-outside-env ignore list in .github/zizmor.yml, matching the pattern already used by the other *-container-build-push workflows that legitimately need SLACK_BOT_TOKEN/SLACK_PLATFORM_DEPLOYMENTS without an environment scope.

Commits 2 and 3 add paths: filters to workflows that produce job names commonly enrolled as required status checks. If any of the following are required in branch protection, PRs that don't match the new path filters will leave their required check stuck in pending and block merge.

Workflows whose job names should be verified against branch-protection required-checks:

- sdk-tests.yml — sdk-tests (3.10), sdk-tests (3.11), sdk-tests (3.12)
- sdk-code-quality.yml — sdk-code-quality
- sdk-security.yml — sdk-security-scans
- sdk-check-duplicate-test-names.yml — check-duplicate-test-names
- api-tests.yml — api-tests
- api-code-quality.yml — api-code-quality
- api-security.yml — api-security-scans
- ui-tests.yml — ui-tests
- sdk-container-checks.yml — sdk-dockerfile-lint, sdk-container-build-and-scan
- api-container-checks.yml — api-dockerfile-lint, api-container-build-and-scan
- ui-container-checks.yml — ui-dockerfile-lint, ui-container-build-and-scan
- mcp-container-checks.yml — mcp-dockerfile-lint, mcp-container-build-and-scan

Note: commit 9 dropped the arch matrix from the four *-container-checks.yml files, so <workflow>-container-build-and-scan is now a single static job (no matrix suffix). The names listed above already reflect the post-commit-9 shape.

If any are required, two mitigations are available:

- … paths: filter that always passes for the same job-name set.

Steps to review
Review per commit:
1. (d198da17a): single new concurrency: block on ui-e2e-tests-v2.yml. Confirm the group key resolves correctly across pull_request and push events (pull_request.number || github.ref).
2. (beea27aa0): 8 files, only paths: additions under existing push:/pull_request: triggers. Verify the path globs match each component's actual source tree.
3. (6c1828461): 4 files, three changes each (paths, matrix, cache-to). The fromJSON() ternary on matrix.include is the load-bearing line — verify it parses correctly and that the push/release branch keeps both arches.
4. (211285b4c): 4 files, one-line conditional swap for cache-to. No-op today; sanity-check the conditional parses.
5. (2e2a82c7d): new workflow. Verify the schedule cron, the Slack notification block uses existing secrets, and fail-fast: false is set.
6. (992a3dc5e): 3 files. Confirm the explicit git fetch --depth=1 origin "${BASE_REF}" step runs before tj-actions/changed-files in each.
7. (58c34cf21): one file. Verify the PR scan uses pull_request.base.sha and the push scan handles the zero-SHA fallback for first pushes. (Superseded by commit 12 — see Updates section.)
8. (0fbd45293): one new workflow + one modified. The new mcp-bump-version.yml mirrors the api-bump-version.yml skeleton; verify the changelog regex matches the existing ## [x.y.z] (Prowler v…) shape used in mcp_server/CHANGELOG.md. The mcp-pypi-release.yml change is a single pre-flight curl block + two if: gates on Build/Publish. (Bump workflow removed by commit 11 — see Updates section.)

All 23 modified/created workflows pass actionlint and zizmor (the latter required two env:-routed shell expansions in the new bump workflow to silence template-injection findings — applied during this PR).

Checklist
Community Checklist
SDK/CLI
UI
API
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.