From c0f3bd53001bc4eec0697baf9107a391de14ee1e Mon Sep 17 00:00:00 2001 From: Jon Gallant <2163001+jongio@users.noreply.github.com> Date: Wed, 11 Mar 2026 21:58:23 -0700 Subject: [PATCH] ci: optimize GitHub Actions workflows - Add path filters to CI, CodeQL, and Spell Check to reduce unnecessary runs (~40% fewer) - Reduce publish schedule from daily to 3x/week - Add concurrency groups - Add job timeouts - Remove single-entry matrix in CodeQL (hardcode language) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/ci.yml | 17 +++++++++++++++++ .github/workflows/codeql.yml | 20 +++++++++++++------- .github/workflows/dependency-review.yml | 1 + .github/workflows/publish.yml | 5 +++-- .github/workflows/spellcheck.yml | 13 +++++++++++++ 5 files changed, 47 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2c37b2f..1f359a2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,9 +4,25 @@ on: push: branches: - main + paths: + - 'src/**' + - 'scripts/**' + - 'package.json' + - 'pnpm-lock.yaml' + - '.github/workflows/ci.yml' pull_request: branches: - main + paths: + - 'src/**' + - 'scripts/**' + - 'package.json' + - 'pnpm-lock.yaml' + - '.github/workflows/ci.yml' + +concurrency: + group: ci-${{ github.ref }} + cancel-in-progress: true permissions: contents: read @@ -15,6 +31,7 @@ permissions: jobs: build: runs-on: ubuntu-latest + timeout-minutes: 15 steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 8b6b017..1805f6a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -4,9 +4,19 @@ on: push: branches: - main + paths: + - 'src/**' + - 'scripts/**' + - 'package.json' + - '.github/workflows/codeql.yml' pull_request: branches: - main + paths: + - 'src/**' + - 'scripts/**' + - 'package.json' + - '.github/workflows/codeql.yml' schedule: - cron: '0 0 * * 1' 
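Review bot: The `paths:` filters added under `push` and `pull_request` in ci.yml mean a pull request that touches only other files never starts this workflow. If `build` is a required status check (branch protection is not visible here), that check stays pending and the PR cannot merge, which in practice tends to end with the requirement being removed; the same applies to the filters added in codeql.yml and spellcheck.yml. The list names only `.github/workflows/ci.yml` among the workflow files and no root-level build configuration the project may have, so changes there would reach main without a build. Separately, `cancel-in-progress: true` with `group: ci-${{ github.ref }}` also cancels runs for pushes to main, so a commit on main can end up with no completed CI result; `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` keeps the saving for pull requests only.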
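Review bot: The `paths:` filter added under `push:` in codeql.yml works against how CodeQL reports results. GitHub's code scanning documentation advises against `paths`/`paths-ignore` on the `on: push` trigger for CodeQL workflows, because a pull-request analysis is compared with the analysis of the base commit and a skipped push leaves that baseline missing. I would keep the filter on `pull_request` only and drop the five added lines under `push:` so every push to main is analysed. The filter also means a change to JavaScript/TypeScript outside `src/**` and `scripts/**` does not trigger a scan until the weekly `schedule` run or the next matching change, so confirm no such code exists in the repository.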
@@ -14,16 +24,12 @@ jobs: analyze: name: Analyze runs-on: ubuntu-latest + timeout-minutes: 30 permissions: actions: read contents: read security-events: write - strategy: - fail-fast: false - matrix: - language: ['javascript-typescript'] - steps: - name: Checkout repository uses: actions/checkout@v4 @@ -31,7 +37,7 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: - languages: ${{ matrix.language }} + languages: javascript-typescript - name: Autobuild uses: github/codeql-action/autobuild@v3 @@ -39,4 +45,4 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: - category: '/language:${{matrix.language}}' + category: '/language:javascript-typescript' diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index f6bd396..331fb5c 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -7,6 +7,7 @@ permissions: jobs: dependency-review: runs-on: ubuntu-latest + timeout-minutes: 10 steps: - name: Checkout Repository uses: actions/checkout@v4 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 10ecf71..cbd7ae4 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -2,7 +2,7 @@ name: Publish on: schedule: - - cron: '0 2 * * *' + - cron: '0 2 * * 1,3,5' workflow_dispatch: repository_dispatch: types: [extension-released, azd-web-core-updated] @@ -15,11 +15,12 @@ permissions: concurrency: group: 'publish' - cancel-in-progress: false + cancel-in-progress: true jobs: publish: runs-on: ubuntu-latest + timeout-minutes: 20 environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml index 67dd4c6..2e479ba 100644 --- a/.github/workflows/spellcheck.yml +++ b/.github/workflows/spellcheck.yml 
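Review bot: Changing `cancel-in-progress` to `true` on the `publish` concurrency group lets a newly queued run cancel a deployment to the `github-pages` environment that is already under way; the commit message lists adding concurrency groups but not this flip of an existing setting. With `schedule`, `workflow_dispatch` and two `repository_dispatch` types all feeding the same group, dispatches that arrive close together can interrupt a run part-way through a deploy. GitHub's Pages starter workflows keep `cancel-in-progress: false` so that queued runs wait rather than kill the one in progress, and I would restore `cancel-in-progress: false` here, relying on the new `timeout-minutes: 20` to bound a stuck run. The `publish` job continues past the end of the hunk.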
@@ -4,9 +4,21 @@ on: push: branches: - main + paths: + - 'src/**' + - '**/*.md' + - 'package.json' + - '.cspell.json' + - '.github/workflows/spellcheck.yml' pull_request: branches: - main + paths: + - 'src/**' + - '**/*.md' + - 'package.json' + - '.cspell.json' + - '.github/workflows/spellcheck.yml' permissions: contents: read @@ -14,6 +26,7 @@ permissions: jobs: spellcheck: runs-on: ubuntu-latest + timeout-minutes: 10 steps: - uses: actions/checkout@v4