Cap skill turns/timeout + sync local HEAD after skill pushes

[rdimitrov]

Three defensive additions driven by findings from PR #780's e2e test run.

1. Sync local HEAD after skill pushes (fixes two bugs)

Root cause: `claude-code-action` works in a sibling scratch checkout (the `.claude-pr/` dir we gitignore) and pushes its commits to origin without advancing the outer workflow checkout's HEAD. Every subsequent step that reads local git state saw stale HEAD.

Symptoms on PR #780's run (run 24769641826):

• `skill_commits` reported 0 despite commit `d4b3c7c` existing on the PR branch → triggered the silent-run `[!NOTE]` on a run that produced real content.
• `autofix` early-exited with "No skill-touched files in scope" because its `git diff BASELINE_SHA..HEAD` returned nothing → 41 unformatted files landed on CI and failed the Lint and format checks job.

Fix: new step between `skill_review` and `skill_commits`:

```yaml

• name: Sync local branch with skill-pushed commits
  run: |
  git fetch origin "$HEAD_REF" --quiet
  git merge --ff-only "origin/$HEAD_REF" || true
  ```

Local HEAD now reflects whatever the skill pushed, so downstream steps see the truth. Fixes both symptoms with one change.

2. `--max-turns` per skill invocation

Session	Cap	Baseline	Rationale
`skill_gen`	500	89 (silent) / 397 (full rebuild)	~25% headroom over worst legitimate run
`skill_review`	30	4-5 every run	6x buffer; cheap safety net

Hitting a cap fails the step loudly. If a release genuinely needs more, we raise deliberately.

3. `timeout-minutes` per skill step

Session	Cap	Baseline
`skill_gen`	45 min	15-22 min observed
`skill_review`	10 min	1-2 min observed

Kills a stuck process before it burns the full 90-min job budget. Step-level, independent of turn count.

Worst-case cost ceiling once capped

• Gen hits 500 turns → ~$34 (extrapolating from PR Update toolhive to v0.23.1 (manual dispatch) #780's $26.95 at 397 turns)
• Review hits 30 turns → ~$2
• Per-run ceiling: ~$36

What this does NOT cover

• Legitimate expensive runs (PR Update toolhive to v0.23.1 (manual dispatch) #780 at $27 was real work; would still cost $27).
• Upstream Anthropic pricing changes.
• High-frequency triggering (e.g. 20 retries in a row).

For those, set a monthly spend cap at the Anthropic console — that's the ultimate ceiling independent of any workflow change.

Validation

Next `workflow_dispatch` on rolled-back content should produce:

• `skill_commits` count matching the actual skill commit count (non-zero when content was produced).
• Autofix step finding and formatting skill-touched files before they hit CI.
• No silent-run NOTE when commits exist.
• If a runaway ever occurs, clean failure at cap with a clear error message instead of an unbounded spend.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs-website	Ready	Preview, Comment	Apr 22, 2026 10:22am

[Copilot]

Pull request overview

Adds defensive safeguards to the upstream-release-docs GitHub Actions workflow to prevent runaway Claude sessions and to ensure downstream steps operate on the updated branch tip after the skill pushes commits.

Changes:

• Add per-step timeout-minutes for skill_gen and skill_review.
• Add --max-turns caps for skill_gen and skill_review invocations.
• Sync the workflow checkout’s local HEAD with the remote PR branch after the skill runs/pushes commits.