You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
π§ͺ CI on main goes red intermittently from GitHub API secondary rate-limits (HTTP 403) β not a code defect. Observed live on run 29030150199 (the docker/metadata-action bump, 2026-07-09 15:37Z), where the metadata bump itself was fine but many unrelated jobs failed on API 403s:
zizmor β known-vulnerable-actions audit failed: HTTP status client error (403 Forbidden) for url https://api.github.com/advisories?ecosystem=actions&affects=actions%2Fcheckout%40v6.0.2. This is despite GHA_ZIZMOR_TOKEN already being set, so it is a secondary rate-limit, not a missing-auth issue.
test-setup-agent-skills-* / test-update-agent-skills-* (ubuntu + macos) β gh skill install github/awesome-copilot β¦ failed with HTTP 403: API rate limit exceeded for installation fetching skill blobs, exhausting all 3 built-in retry attempts (the rate-limit window outlasted 3Γ10s backoff).
Knock-on: CI - Required Checks, and the Delete Workflow Runs test jobs.
Trigger pattern: Dependabot opens a burst of dep-bump PRs (5+ within a minute is normal here), each fanning out many parallel jobs that all hit api.github.com simultaneously β the org/installation secondary rate-limit trips β main's push-CI (and PR CI) goes red until the window resets.
This is the same class as the raw.githubusercontent.com 429 episodes already addressed for other consumers (#476 kubeconform cache, #483/#484 the TODOs workflow), but a different endpoint (api.github.com advisories + installation blob API) and different consumers (zizmor audit + agent-skills install) not covered by those fixes.
Proposed direction
Make the API-touching CI jobs resilient to secondary rate-limits rather than treating each recurrence as a transient to rerun by hand:
agent-skills install jobs β widen the retry envelope beyond 3Γ10s (e.g. exponential backoff honoring the Retry-After / X-RateLimit-Reset header, or a longer max wait), since the current window regularly outlasts it. Consider deduping the identical install across the matrix legs so the same blob isn't fetched NΓ in parallel.
zizmor known-vulnerable-actions β evaluate whether the advisories audit can be cached across jobs, gated to run once per workflow instead of per-fixture-job, or made non-fatal-on-403 (retry-then-skip with a warning) so a secondary rate-limit doesn't red the whole run.
Root-cause, not a rerun button: the goal is that a Dependabot burst no longer reds main.
Rough size
SβM. Item 1 (retry envelope + matrix dedupe) is small and high-value; item 2 (zizmor caching/gating) is the medium part; item 3 is optional consolidation. Ship incrementally β the agent-skills backoff widening is the cheapest first slice.
Problem
π§ͺ CIonmaingoes red intermittently from GitHub API secondary rate-limits (HTTP 403) β not a code defect. Observed live on run 29030150199 (thedocker/metadata-actionbump, 2026-07-09 15:37Z), where the metadata bump itself was fine but many unrelated jobs failed on API 403s:zizmorβknown-vulnerable-actionsaudit failed:HTTP status client error (403 Forbidden) for url https://api.github.com/advisories?ecosystem=actions&affects=actions%2Fcheckout%40v6.0.2. This is despiteGHA_ZIZMOR_TOKENalready being set, so it is a secondary rate-limit, not a missing-auth issue.test-setup-agent-skills-*/test-update-agent-skills-*(ubuntu + macos) βgh skill install github/awesome-copilot β¦failed withHTTP 403: API rate limit exceeded for installationfetching skill blobs, exhausting all 3 built-in retry attempts (the rate-limit window outlasted 3Γ10s backoff).CI - Required Checks, and theDelete Workflow Runstest jobs.Trigger pattern: Dependabot opens a burst of dep-bump PRs (5+ within a minute is normal here), each fanning out many parallel jobs that all hit
api.github.comsimultaneously β the org/installation secondary rate-limit trips βmain's push-CI (and PR CI) goes red until the window resets.This is the same class as the
raw.githubusercontent.com429 episodes already addressed for other consumers (#476 kubeconform cache, #483/#484 the TODOs workflow), but a different endpoint (api.github.comadvisories + installation blob API) and different consumers (zizmor audit + agent-skills install) not covered by those fixes.Proposed direction
Make the API-touching CI jobs resilient to secondary rate-limits rather than treating each recurrence as a transient to rerun by hand:
Retry-After/X-RateLimit-Resetheader, or a longer max wait), since the current window regularly outlasts it. Consider deduping the identical install across the matrix legs so the same blob isn't fetched NΓ in parallel.known-vulnerable-actionsβ evaluate whether the advisories audit can be cached across jobs, gated to run once per workflow instead of per-fixture-job, or made non-fatal-on-403 (retry-then-skip with a warning) so a secondary rate-limit doesn't red the whole run.Retry-Afterrespect) reused by both, mirroring the retry-wrap pattern from fix(create-issues-from-todos): retry-harden raw.githubusercontent.com fetchesΒ #484.Root-cause, not a rerun button: the goal is that a Dependabot burst no longer reds
main.Rough size
SβM. Item 1 (retry envelope + matrix dedupe) is small and high-value; item 2 (zizmor caching/gating) is the medium part; item 3 is optional consolidation. Ship incrementally β the agent-skills backoff widening is the cheapest first slice.