Skip to content

ci: harden CI against api.github.com secondary rate-limits (zizmor advisories + agent-skills blob 403s)Β #514

Description

@devantler

πŸ€– Generated by the Daily AI Assistant

Problem

πŸ§ͺ CI on main goes red intermittently from GitHub API secondary rate-limits (HTTP 403) β€” not a code defect. Observed live on run 29030150199 (the docker/metadata-action bump, 2026-07-09 15:37Z), where the metadata bump itself was fine but many unrelated jobs failed on API 403s:

  • zizmor β€” known-vulnerable-actions audit failed: HTTP status client error (403 Forbidden) for url https://api.github.com/advisories?ecosystem=actions&affects=actions%2Fcheckout%40v6.0.2. This is despite GHA_ZIZMOR_TOKEN already being set, so it is a secondary rate-limit, not a missing-auth issue.
  • test-setup-agent-skills-* / test-update-agent-skills-* (ubuntu + macos) β€” gh skill install github/awesome-copilot … failed with HTTP 403: API rate limit exceeded for installation fetching skill blobs, exhausting all 3 built-in retry attempts (the rate-limit window outlasted 3Γ—10s backoff).
  • Knock-on: CI - Required Checks, and the Delete Workflow Runs test jobs.

Trigger pattern: Dependabot opens a burst of dep-bump PRs (5+ within a minute is normal here), each fanning out many parallel jobs that all hit api.github.com simultaneously β†’ the org/installation secondary rate-limit trips β†’ main's push-CI (and PR CI) goes red until the window resets.

This is the same class as the raw.githubusercontent.com 429 episodes already addressed for other consumers (#476 kubeconform cache, #483/#484 the TODOs workflow), but a different endpoint (api.github.com advisories + installation blob API) and different consumers (zizmor audit + agent-skills install) not covered by those fixes.

Proposed direction

Make the API-touching CI jobs resilient to secondary rate-limits rather than treating each recurrence as a transient to rerun by hand:

  1. agent-skills install jobs β€” widen the retry envelope beyond 3Γ—10s (e.g. exponential backoff honoring the Retry-After / X-RateLimit-Reset header, or a longer max wait), since the current window regularly outlasts it. Consider deduping the identical install across the matrix legs so the same blob isn't fetched NΓ— in parallel.
  2. zizmor known-vulnerable-actions β€” evaluate whether the advisories audit can be cached across jobs, gated to run once per workflow instead of per-fixture-job, or made non-fatal-on-403 (retry-then-skip with a warning) so a secondary rate-limit doesn't red the whole run.
  3. Optionally β€” a small shared "rate-limit-aware GitHub API fetch" step/action (retry + Retry-After respect) reused by both, mirroring the retry-wrap pattern from fix(create-issues-from-todos): retry-harden raw.githubusercontent.com fetchesΒ #484.

Root-cause, not a rerun button: the goal is that a Dependabot burst no longer reds main.

Rough size

S–M. Item 1 (retry envelope + matrix dedupe) is small and high-value; item 2 (zizmor caching/gating) is the medium part; item 3 is optional consolidation. Ship incrementally β€” the agent-skills backoff widening is the cheapest first slice.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    No status

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions