This repository was archived by the owner on Apr 21, 2026. It is now read-only.

feat(ci): add limit-aware actions bootstrap for new projects#127

Merged: LucasSantana-Dev merged 2 commits into main from feature/limit-aware-bootstrap-actions, Mar 11, 2026

@LucasSantana-Dev LucasSantana-Dev commented Mar 11, 2026

Summary

  • add limit-aware workflow templates for node, nextjs, and python project bootstraps
  • split CI policy into baseline required checks and heavy non-required checks gated by budget degrade mode
  • add nightly security workflows that run heavy scans regardless of PR degrade mode
  • add scripts/bootstrap/actions-org-setup.sh to validate org settings, query usage, and upsert Actions budget variables
  • update scripts/bootstrap/project.sh to default to --ci-profile=limit-aware and require --org + --actions-cap-minutes
  • refresh docs (organization-setup, new actions-limits-strategy) and README/CHANGELOG

Validation

  • bash -n scripts/bootstrap/project.sh
  • bash -n scripts/bootstrap/actions-org-setup.sh
  • shellcheck scripts/bootstrap/project.sh scripts/bootstrap/actions-org-setup.sh
  • template YAML parse check (all *.yml.tpl)
  • bootstrap smoke for node, nextjs, python with generated workflow assertions
  • npm run lint
  • npm run build
  • npm test

Summary by CodeRabbit

  • New Features

    • Added limit-aware CI workflow templates for Node.js, Next.js, and Python projects that degrade resource-intensive jobs when GitHub Actions budgets are exceeded.
    • Added automated organization setup script to configure GitHub Actions budget variables and thresholds.
    • Added nightly security scan workflow templates.
  • Documentation

    • Added GitHub Actions limits strategy guide.
    • Updated organization setup guide with streamlined bootstrap approach.
    • Updated README with new bootstrap-based project creation workflow.
  • Changed

    • Bootstrap now defaults to limit-aware CI profile, requiring organization and actions budget parameters.

@LucasSantana-Dev LucasSantana-Dev requested a review from a team as a code owner March 11, 2026 17:56
coderabbitai Bot commented Mar 11, 2026

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

This PR introduces a comprehensive GitHub Actions budget management framework for organizations and projects. It adds organization-level setup scripts, project bootstrap enhancements with limit-aware CI templates, and documentation on implementing Actions spending controls through configurable caps, warning thresholds, and degradation modes for non-critical jobs.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Documentation and Guides: README.md, CHANGELOG.md, docs/guides/actions-limits-strategy.md, docs/guides/organization-setup.md | Updated README and CHANGELOG to reflect limit-aware approach and bootstrap tooling; introduced new guides for Actions limits strategy and organization setup with focus on canonical workflow source and budget controls. |
| Organization Setup Bootstrap: scripts/bootstrap/actions-org-setup.sh | New Bash script that configures GitHub org-level Actions budget variables (monthly cap, warn percentage, degrade percentage) via GitHub CLI, with validation, dry-run support, and per-repository variable upsert capability. |
| Project Bootstrap Enhancement: scripts/bootstrap/project.sh | Updated project scaffolding script to support limit-aware CI profile, generate limit-aware workflows from templates, validate budget parameters, and set up projects with bootstrap-driven CI defaults. |
| CI Workflow Templates (Limit-Aware): scripts/bootstrap/templates/workflows/limit-aware/ci-node.yml.tpl, ci-nextjs.yml.tpl, ci-python.yml.tpl | Three new CI workflow templates with baseline always-run jobs (lint, typecheck, unit-tests, build), heavy conditional jobs (Docker, E2E, security scans) guarded by budget-aware degrade mode, and budget-summary aggregation. |
| Security Nightly Workflow Templates: scripts/bootstrap/templates/workflows/limit-aware/security-nightly-node.yml.tpl, security-nightly-nextjs.yml.tpl, security-nightly-python.yml.tpl | Three new security-nightly workflow templates that run scheduled scans (Semgrep, Trivy, CodeQL) independent of Actions budget constraints. |

Sequence Diagram(s)

sequenceDiagram
    actor Admin
    participant OrgSetup as actions-org-setup.sh
    participant GitHubAPI as GitHub API
    participant Project as project.sh
    participant ProjectRepo as Project Repository
    participant Workflow as GitHub Workflow (CI)
    participant BudgetGuard as Budget Guard

    Admin->>OrgSetup: --org MYORG --actions-cap-minutes 1000 ...
    OrgSetup->>GitHubAPI: Validate auth & permissions
    OrgSetup->>GitHubAPI: Query current Actions usage
    OrgSetup->>GitHubAPI: Upsert ACTIONS_MONTHLY_CAP_MINUTES
    OrgSetup->>GitHubAPI: Upsert ACTIONS_WARN_PCT
    OrgSetup->>GitHubAPI: Upsert ACTIONS_DEGRADE_PCT
    OrgSetup-->>Admin: ✓ Org configured

    Admin->>Project: --project-name my-app --ci-profile limit-aware --org MYORG ...
    Project->>ProjectRepo: Create project structure
    Project->>ProjectRepo: Generate .github/workflows/ci.yml from template
    Project->>ProjectRepo: Generate .github/workflows/security-nightly.yml
    Project->>ProjectRepo: Render org/cap/warn/degrade into workflow files
    Project-->>Admin: ✓ Project bootstrapped

    Admin->>ProjectRepo: Push to GitHub
    ProjectRepo->>Workflow: Trigger on push/PR
    Workflow->>BudgetGuard: Check ACTIONS_MONTHLY_CAP_MINUTES usage
    alt Within Budget
        BudgetGuard-->>Workflow: degrade_mode=false
        Workflow->>Workflow: Run all jobs (baseline + heavy)
    else Approaching Limit
        BudgetGuard-->>Workflow: degrade_mode=true, warn=true
        Workflow->>Workflow: Run baseline only, skip heavy jobs
        Workflow->>Workflow: Append warning to summary
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Poem

🐰 Hops through Actions with delight,
Budget guards keep spending tight,
Templates render, baselines run,
Heavy jobs? Degrade for fun!
From org setup to project seed,
Limits guide the workflow feed. 🌿

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and concisely summarizes the primary change: adding limit-aware Actions bootstrap scaffolding for new projects, which is the core focus of all modified files and objectives. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Comment @coderabbitai help to get the list of available commands and usage tips.
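
The budget-guard decision from the sequence diagram above, as an added shell example that is not code from this pull request or from CodeRabbit. The names `budget_guard` and `is_uint`, the `reason` field, passing used minutes as an argument, the warn-only middle state, and degrading on malformed input are all assumptions of this sketch; the three threshold inputs correspond to `ACTIONS_MONTHLY_CAP_MINUTES`, `ACTIONS_WARN_PCT` and `ACTIONS_DEGRADE_PCT`.

```shell
#!/bin/sh
# Added example, not the repository's budget guard. USED is passed in as an
# argument because the page does not show how the workflow reads usage.

# Accept only plain decimal integers: no sign, no leading zero, <= 9 digits.
# Validating before $(( )) keeps variable contents out of shell arithmetic.
is_uint() {
  case "$1" in
    ''|*[!0-9]*|0?*|??????????*) return 1 ;;
  esac
  return 0
}

# budget_guard USED CAP WARN_PCT DEGRADE_PCT
# Prints key=value lines in the form a step appends to "$GITHUB_OUTPUT".
budget_guard() {
  bg_used=$1 bg_cap=$2 bg_warn=$3 bg_degrade=$4
  for bg_v in "$bg_used" "$bg_cap" "$bg_warn" "$bg_degrade"; do
    if ! is_uint "$bg_v"; then
      # Assumption: a missing or malformed variable degrades instead of
      # running heavy jobs against an unknown budget.
      printf 'warn=true\ndegrade_mode=true\nreason=invalid-input\n'
      return 0
    fi
  done
  if [ "$bg_cap" -eq 0 ] || [ "$bg_degrade" -gt 100 ] || [ "$bg_warn" -gt "$bg_degrade" ]; then
    printf 'warn=true\ndegrade_mode=true\nreason=invalid-thresholds\n'
    return 0
  fi
  # Compare used/cap against each percentage without division.
  bg_scaled=$((bg_used * 100))
  if [ "$bg_scaled" -ge $((bg_cap * bg_degrade)) ]; then
    printf 'warn=true\ndegrade_mode=true\nreason=over-degrade-threshold\n'
  elif [ "$bg_scaled" -ge $((bg_cap * bg_warn)) ]; then
    printf 'warn=true\ndegrade_mode=false\nreason=over-warn-threshold\n'
  else
    printf 'warn=false\ndegrade_mode=false\nreason=within-budget\n'
  fi
}

# Constructed sample readings against a 1000-minute cap (warn 70%, degrade 85%).
for used in 120 700 850 "" "9e9"; do
  printf 'used=%s\n' "${used:-<unset>}"
  budget_guard "$used" 1000 70 85
done
```

Only `degrade_mode` gates the heavy PR jobs here; the nightly security workflows described in the walkthrough run regardless, so a degraded PR run does not remove scan coverage.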

github-actions Bot commented Mar 11, 2026

Project Scorecard


Scorecard: 84/100 (B)
────────────────────────────────────────
  security: 100/100 (A)
  quality: 80/100 (B) — 1 violations
  performance: 67/100 (D) — 1 violations
  compliance: 75/100 (C) — 1 violations
  dependency: 100/100 (A)

Recommendations:
  - Increase test coverage to meet the 80% threshold
  - Extend log retention to at least 90 days for compliance

@LucasSantana-Dev LucasSantana-Dev merged commit 217a807 into main Mar 11, 2026
24 checks passed
@LucasSantana-Dev LucasSantana-Dev deleted the feature/limit-aware-bootstrap-actions branch March 11, 2026 18:01