Description
Summary
Two targeted CI hardening improvements identified during CI optimization analysis (Run #10): pin a third-party action to a commit SHA for supply-chain security, and add a missing timeout to prevent stuck validation jobs.
Optimizations
1. Pin codecov/codecov-action to commit SHA
Type: Security / Stability
Impact: Eliminates risk of silent supply-chain attack via floating @v5 tag
Risk: Low — pinned to the current latest release (v5.5.2)
Changes:
ci.yml: replaced `codecov/codecov-action@v5` with `codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2`
Rationale: All other third-party actions in this repository are already pinned to commit SHAs (e.g. actions/checkout, actions/setup-node, amannn/action-semantic-pull-request). A floating @v5 tag on the Codecov action is the only exception and is inconsistent with the existing security posture. If the v5 tag were ever force-pushed to a malicious commit, it would execute in a privileged CI context with access to CODECOV_TOKEN.
2. Add timeout-minutes: 5 to validate_pr_title job
Type: Resource / Robustness
Impact: Prevents stuck validation jobs from consuming runner minutes indefinitely
Risk: Low — the job typically completes in under 30 seconds; 5 minutes is generous
Changes:
validate_pr_title.yml: added `timeout-minutes: 5` to the `main` job
Rationale: Every other job in the repository already defines an explicit timeout (build: 15 min, release-please: 5 min, release: 20 min). The validate_pr_title job was the sole exception. Without a timeout, a transient hang in the GitHub API or the amannn/action-semantic-pull-request action would consume a runner indefinitely and block the PR from merging.
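Both findings above are the kind of thing that is cheap to check mechanically on every workflow file rather than by eye. The following script is an added example written for this page, not part of the ci-coach output or of the askpt/code-metrics repository: it scans a workflow for `uses:` references that are not pinned to a 40-hex commit SHA and for jobs under `jobs:` that declare no job-level `timeout-minutes`. The sample workflow is constructed for the example; the actions/checkout SHA in it is a placeholder, while the Codecov SHA is the one from this issue. Parsing is line-based so the script runs without PyYAML, and a step-level `timeout-minutes` is deliberately not counted as satisfying the job-level rule.

```python
"""Audit a GitHub Actions workflow for two CI hardening rules:
  1. every remote `uses:` reference is pinned to a 40-hex commit SHA
  2. every job under `jobs:` declares a job-level `timeout-minutes`
Line-based parsing keeps the example dependency-free (no PyYAML)."""
import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*)$")


@dataclass
class Finding:
    kind: str   # "unpinned" or "no-timeout"
    where: str  # action reference or job name
    line: int   # 1-based line number in the workflow text


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def audit_workflow(text: str) -> list[Finding]:
    findings: list[Finding] = []
    lines = text.splitlines()

    # Rule 1: remote actions must be pinned to a full commit SHA.
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or container action: no git ref to pin
        _action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(Finding("unpinned", ref, n))

    # Rule 2: every job declares timeout-minutes at the job's own key level.
    in_jobs = False
    job_indent = None      # indentation of job names under `jobs:`
    child_indent = None    # indentation of the current job's own keys
    current_job, current_line, has_timeout = None, 0, False

    def close_job() -> None:
        if current_job is not None and not has_timeout:
            findings.append(Finding("no-timeout", current_job, current_line))

    for n, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ind = _indent(line)
        if ind == 0:
            if in_jobs:
                break  # reached the next top-level key, jobs: mapping is over
            in_jobs = line.startswith("jobs:")
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = ind
        if ind == job_indent:  # a new job key
            close_job()
            m = KEY_RE.match(line)
            current_job = m.group(2) if m else line.strip()
            current_line, has_timeout, child_indent = n, False, None
            continue
        if child_indent is None:
            child_indent = ind  # first key inside the job fixes the job-key level
        m = KEY_RE.match(line)
        if m and ind == child_indent and m.group(2) == "timeout-minutes":
            has_timeout = True  # step-level timeouts sit deeper and do not count
    close_job()
    return findings


# Constructed sample workflow; the actions/checkout SHA is a placeholder,
# the Codecov SHA is the one pinned in this issue.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: ./.github/actions/local-setup
      - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
        with:
          directory: ./coverage
  validate_pr_title:
    name: Validate PR title
    runs-on: ubuntu-latest
    steps:
      - uses: amannn/action-semantic-pull-request@v5
        timeout-minutes: 2
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.kind}: {f.where}")
```

Run against the sample it reports the floating `@v5` on the semantic-PR action and the missing job-level timeout on `validate_pr_title`, while the pinned Codecov action, the local action and the step-level timeout produce nothing. Pointing `audit_workflow` at the real files under `.github/workflows/` gives the same two findings this issue describes before the patch is applied, and none after.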
What was analyzed (and not changed)
The following were reviewed and found to be already well-optimized:
| Area | Finding |
|---|---|
| Path filtering | ✅ Applied to both push and pull_request triggers in ci.yml |
| Dependency caching | ✅ cache: 'npm' in setup-node on all jobs that run npm ci |
| Concurrency groups | ✅ cancel-in-progress: true configured in ci.yml |
| Job parallelization | ✅ Matrix across 3 OS runs concurrently; lint runs only once (Linux) |
| OS-conditional steps | ✅ Coverage/lint skipped on Windows/macOS to avoid duplication |
| Other action SHA pins | ✅ All other actions already pinned to commit SHAs |
Expected Impact
- Security: Eliminates one unpinned third-party action execution vector
- Cost: Prevents unbounded runner-minute consumption on stuck validation jobs
- Risk Level: Low — changes are additive/constrictive only
Testing Recommendations
- Review workflow YAML syntax
- Confirm Codecov uploads still succeed on the next CI run
- Verify PR title validation completes within the 5-minute window
Generated by CI Optimization Coach
To install this agentic workflow, run
gh aw add githubnext/agentics/workflows/ci-coach.md@b466f28f0f65b68d6f2b10b15b44f51d787b93be
- expires on Mar 9, 2026, 1:11 PM UTC
Note
This was originally intended as a pull request, but the git push operation failed.
Workflow Run: View run details and download patch artifact
The patch file is available in the agent-artifacts artifact in the workflow run linked above.
To create a pull request with the changes:
```bash
# Download the artifact from the workflow run
gh run download 22799597146 -n agent-artifacts -D /tmp/agent-artifacts-22799597146
# Create a new branch
git checkout -b ci/optimization-run-10-4fb9504521583e19
# Apply the patch (--3way handles cross-repo patches where files may already exist)
git am --3way /tmp/agent-artifacts-22799597146/aw-ci-optimization-run-10.patch
# Push the branch to origin
git push origin ci/optimization-run-10-4fb9504521583e19
# Create the pull request
gh pr create --title '[ci-coach] ci: pin codecov action to SHA and add timeout to PR title validation' --base main --head ci/optimization-run-10-4fb9504521583e19 --repo askpt/code-metrics
```
Show patch (45 lines)
From c17f7a243bd03f754d7b3974cb0bc123d532253c Mon Sep 17 00:00:00 2001
From: GitHub Copilot <copilot@github.com>
Date: Sat, 7 Mar 2026 13:09:29 +0000
Subject: [PATCH] ci: pin codecov action to SHA and add timeout to PR title
validation
- Pin codecov/codecov-action from floating @v5 tag to commit SHA
671740ac38dd9b0130fbe1cec585b89eea48d3de (v5.5.2) for supply chain security
- Add timeout-minutes: 5 to validate_pr_title job to prevent stuck runs
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
.github/workflows/ci.yml | 2 +-
.github/workflows/validate_pr_title.yml | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c42b81a..37132bf 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -55,7 +55,7 @@ jobs:
if: runner.os != 'Linux'
- name: Upload coverage to Codecov
if: runner.os == 'Linux'
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
with:
directory: ./coverage
fail_ci_if_error: false
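Review bot: before merging, confirm that 671740ac38dd9b0130fbe1cec585b89eea48d3de really is the commit behind the v5.5.2 tag (for example `git ls-remote https://github.com/codecov/codecov-action refs/tags/v5.5.2`, using the peeled `^{}` entry if the tag is annotated), since a mistyped SHA pins to whatever commit that is and the runner raises no error. Keep the trailing `# v5.5.2` comment on the `uses:` line: Dependabot and Renovate read it to recognise the pinned version and propose SHA bumps, which is what stops the pin from going stale.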
diff --git a/.github/workflows/validate_pr_title.yml b/.github/workflows/validate_pr_title.yml
index 9abe214..6b37e3b 100644
--- a/.github/workflows/validate_pr_title.yml
+++ b/.github/workflows/validate_pr_title.yml
@@ -11,6 +11,7 @@ jobs:
main:
name: Validate PR title
runs-on: ubuntu-latest
+ timeout-minutes: 5
permissions:
contents: read
pull-requests: write
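Review bot: `timeout-minutes: 5` is placed at the job level beside `runs-on`, so it bounds the whole `main` job including the amannn/action-semantic-pull-request step, which is the scope the rationale asks for. Worth stating in the description that a timed-out job is reported as failed, so a transient API hang still blocks the PR until the check is re-run; the change turns an indefinite hang into a bounded failure rather than making the check self-healing.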
--
2.53.0