chore: GitHub Actions workflow cleanup and hardening audit

[ggfevans]

Summary

Audit and simplify GitHub Actions workflows to reduce maintenance burden, remove fragile patterns, and improve release confidence.

Why

Current workflows have grown organically and now include duplicated logic, mixed trigger intent, and uneven hardening patterns. This increases CI time, operational risk, and review overhead.

Scope

• Inventory all workflows under .github/workflows/
• Identify duplication and opportunities for consolidation/reusable workflow extraction
• Validate trigger strategy (push, pull_request, tags, manual dispatch) against release flow
• Review security posture (permissions, secret usage, action pinning consistency)
• Review reliability (cache strategy, concurrency/cancellation, flaky/non-deterministic jobs)
• Review observability (artifact retention, failure diagnostics, actionable logs)

Acceptance Criteria

• Document current workflow map (purpose, trigger, dependencies)
• Produce prioritized findings with severity and remediation plan
• Propose concrete cleanup plan with phased rollout
• Include rollback/safety strategy for workflow changes
• Create follow-up implementation issues for approved cleanup actions

Deliverables

• Devil's-advocate workflow review report
• Actionable cleanup checklist
• Follow-up issues grouped by risk and effort

[ggfevans]

Devil's-advocate review findings (2026-02-19):

High risk

1. Core CI is not automatically triggered for PRs/pushes.

• .github/workflows/test.yml is only workflow_dispatch + workflow_call and is not called by any workflow.
• Risk: merges/releases can proceed without lint/unit/e2e gates.

2. Production deploy has a manual bypass path.

• .github/workflows/deploy-prod.yml allows workflow_dispatch and still publishes/deploys mutable tags (latest), with no explicit ref/tag guard.
• Risk: accidental untagged production deploy from manual dispatch.

Medium risk
3) Broad trust boundary for Claude automation.

• .github/workflows/claude.yml allows author_association == CONTRIBUTOR to trigger a job with write permissions.
• Risk: external contributor can invoke privileged automation.

4. Weekly code-health creates recurring issues with no dedupe/rollup.

• .github/workflows/code-health.yml opens a new issue on schedule each run.
• Risk: issue noise and maintainer fatigue.

5. Metrics workflow mutates main directly and ignores failures.

• .github/workflows/octocov.yml commits/pushes badge updates, continue-on-error: true.
• Risk: silent drift and hidden failures.

6. Import workflow shells unquoted user inputs into command flags.

• .github/workflows/import-netbox.yml constructs FLAGS from dispatch inputs without robust quoting.
• Risk: brittle execution / accidental shell interpretation.

Suggested first cleanup tranche

• Add a PR/push CI workflow (or wire test.yml into callers) and make it required.
• Restrict/guard deploy-prod.yml manual runs to tagged refs only.
• Tighten Claude trigger allowlist to OWNER/MEMBER/COLLABORATOR.
• Convert weekly metrics to one rolling issue or job summary artifact.
• Stop direct pushes from octocov (artifact or PR-based update).

[ggfevans]

Created focused child issues from the devil's-advocate review:\n\n## v0.9.0 (High-risk hardening)\n- [ ] #1278 — chore(ci): wire required PR/push validation workflow\n- [ ] #1279 — chore(release): harden deploy-prod trigger and tag/ref guards\n- [ ] #1280 — chore(security): tighten Claude workflow trust boundary and permissions\n\n## v0.10.0 (Follow-up cleanup)\n- [ ] #1281 — chore(metrics): replace weekly code-health issue spam with rolling reports\n- [ ] #1282 — chore(metrics): make Octocov publication non-mutating and failure-visible\n- [ ] #1283 — chore(import): harden NetBox import workflow input handling\n\nThese child issues are intended to be the implementation backlog for #1276.