feat: pin CI cache keys to dependency file hashes

[Copilot]

CI caches lacked dependency file bindings, meaning cache keys weren't invalidated when dependencies changed and cache hits weren't reliably triggered.

Changes

• daily-perf-improver/build-steps/action.yml — added cache-dependency-path: 'requirements.txt' to the existing cache: 'pip' setup, tying the pip cache key to the requirements.txt hash
• performance.yml — added cache-dependency-glob: "uv.lock" to astral-sh/setup-uv@v4, tying the uv cache key to the lock file hash

# pip-based workflows
- uses: actions/setup-python@v5
  with:
    cache: 'pip'
    cache-dependency-path: 'requirements.txt'

# uv-based workflows
- uses: astral-sh/setup-uv@v4
  with:
    enable-cache: true
    cache-dependency-glob: "uv.lock"

sync.yml already had correct caching configured. bandit.yml delegates to a third-party composite action with no direct pip install step.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Code Quality] Add CI dependency caching to reduce workflow execution time</issue_title>
<issue_description>### Description

GitHub Actions workflows reinstall Python dependencies on every run, wasting time and bandwidth. Adding dependency caching can speed up CI execution by 40%+ according to the Performance Research plan.

Problem

From the Performance Research discussion (#219):

• No CI caching for Python dependencies
• Every workflow run downloads and installs packages from scratch
• Identified as high-priority, low-hanging fruit optimization
• Target: Speed up test execution by 40%

Current State

Workflows like sync.yml, bandit.yml install dependencies without caching:

- name: Install dependencies
  run: pip install -r requirements.txt

Suggested Changes

1. Add pip cache to workflows:

   - name: Setup Python
     uses: actions/setup-python@v5
     with:
       python-version: '3.13'
       cache: 'pip'
       cache-dependency-path: requirements.txt

2. For uv-based workflows, use uv's cache action:

   - name: Setup uv
     uses: astral-sh/setup-uv@v4
     with:
       enable-cache: true
       cache-dependency-glob: "uv.lock"

3. Apply to all workflows that install dependencies:

   • .github/workflows/sync.yml
   • .github/workflows/bandit.yml
   • Custom actions in .github/actions/*/action.yml

Files Affected

• .github/workflows/sync.yml (add cache configuration)
• .github/workflows/bandit.yml (add cache configuration)
• .github/actions/daily-qa/build-steps/action.yml (add cache)
• .github/actions/daily-perf-improver/build-steps/action.yml (add cache)

Success Criteria

• ✅ Dependency installation time reduced by 30-50% on cache hits
• ✅ Cache invalidates correctly when dependencies change
• ✅ All workflows using pip or uv have caching enabled
• ✅ Workflow execution time measurements show improvement

Priority

High - Low effort, high impact optimization (identified as week 1 priority)

Effort Estimate

20 minutes (add cache configuration to 3-4 workflow files)

Implementation Notes

• Use cache: 'pip' for pip-based workflows (setup-python action)
• Use enable-cache: true for uv-based workflows (setup-uv action)
• Cache key should include dependency file hash (automatic with cache-dependency-path)
• Monitor cache hit rate in Actions tab after implementation

Source

Extracted from Daily Perf Improver discussion abhimehro/ctrld-sync#219 - High Priority Week 1-2 optimization

🔍 Task mining by Discussion Task Miner - Code Quality Improvement Agent

To install this workflow, run gh aw add github/gh-aw/.github/workflows/discussion-task-miner.md@94662b1dee8ce96c876ba9f33b3ab8be32de82a4. View source at https://github.com/github/gh-aw/tree/94662b1dee8ce96c876ba9f33b3ab8be32de82a4/.github/workflows/discussion-task-miner.md.

• expires on Feb 20, 2026, 5:44 AM UTC

Comments on the Issue (you are @copilot in this section)

Custom agent used: Development Partner
The Development Partner Protocol

• Fixes [Code Quality] Add CI dependency caching to reduce workflow execution time #368

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[trunk-io]

Merging to main in this repository is managed by Trunk.

• To merge this pull request, check the box to the left or comment /trunk merge below.

[github-actions]

👋 Development Partner is reviewing this PR. Will provide feedback shortly.

[Copilot]

Pull request overview

This PR adds dependency file hash bindings to CI cache configurations, ensuring cache keys are properly invalidated when dependencies change and cache hits are reliably triggered.

Changes:

• Added cache-dependency-glob: "uv.lock" to the uv-based performance testing workflow
• Added cache-dependency-path: 'requirements.txt' to the pip-based daily performance improver build action

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
.github/workflows/performance.yml	Binds uv cache key to uv.lock hash for the benchmark job
.github/actions/daily-perf-improver/build-steps/action.yml	Binds pip cache key to requirements.txt hash for build steps