feat: broaden pip cache keys to cover pyproject.toml and add caching to bandit workflow

[Copilot]

CI workflows were reinstalling Python dependencies from scratch on every run. sync.yml had partial caching (only keyed on requirements.txt); bandit.yml had none.

Changes

sync.yml

• Expanded cache-dependency-path from requirements.txt alone to both requirements.txt and pyproject.toml, so cache invalidation tracks the actual source of truth for dependencies

- name: Set up Python
  uses: actions/setup-python@v5
  with:
    python-version: '3.13'
    cache: 'pip'
    cache-dependency-path: |
      requirements.txt
      pyproject.toml

bandit.yml

• Added an explicit actions/cache@v4 step before the bandit scan, keyed on the same dual-file hash with an os-scoped restore-key fallback, so partial cache hits are used after dep updates

- name: Cache pip dependencies
  uses: actions/cache@v4
  with:
    path: ~/.cache/pip
    key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt', 'pyproject.toml') }}
    restore-keys: |
      ${{ runner.os }}-pip-

performance.yml was already covered via astral-sh/setup-uv@v4 with enable-cache: true and required no changes.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Code Quality] Add CI dependency caching to reduce workflow execution time</issue_title>
<issue_description>### Description

GitHub Actions workflows reinstall Python dependencies on every run, wasting time and bandwidth. Adding dependency caching can speed up CI execution by 40%+ according to the Performance Research plan.

Problem

From the Performance Research discussion (#219):

• No CI caching for Python dependencies
• Sequential dependency installation on every workflow run
• Wasted time downloading the same packages repeatedly

Suggested Changes

Add pip dependency caching to GitHub Actions workflows:

- name: Cache pip dependencies
  uses: actions/cache@v4
  with:
    path: ~/.cache/pip
    key: $\{\{ runner.os }}-pip-$\{\{ hashFiles('requirements.txt', 'pyproject.toml') }}
    restore-keys: |
      $\{\{ runner.os }}-pip-

Apply to workflows:

• .github/workflows/sync.yml
• .github/workflows/bandit.yml
• Any other workflows that install Python dependencies

Files Affected

• .github/workflows/sync.yml
• .github/workflows/bandit.yml
• Other Python-based workflow files

Success Criteria

• Pip cache action added to all Python workflows
• Cache key based on requirements.txt + pyproject.toml hashes
• Workflows show cache hit/miss in logs
• CI execution time reduced by 30-40% (measure before/after)
• All existing tests still pass

Priority

High - Quick win with measurable impact on development velocity

Effort Estimate

1-2 days (including testing and validation)

Source

Extracted from Daily Perf Improver discussion abhimehro/ctrld-sync#219

🔍 Task mining by Discussion Task Miner - Code Quality Improvement Agent

To install this workflow, run gh aw add github/gh-aw/.github/workflows/discussion-task-miner.md@94662b1dee8ce96c876ba9f33b3ab8be32de82a4. View source at https://github.com/github/gh-aw/tree/94662b1dee8ce96c876ba9f33b3ab8be32de82a4/.github/workflows/discussion-task-miner.md.

• expires on Feb 20, 2026, 9:12 AM UTC

Comments on the Issue (you are @copilot in this section)

Custom agent used: Development Partner
The Development Partner Protocol

• Fixes [Code Quality] Add CI dependency caching to reduce workflow execution time #372

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[trunk-io]

Merging to main in this repository is managed by Trunk.

• To merge this pull request, check the box to the left or comment /trunk merge below.

[github-actions]

👋 Development Partner is reviewing this PR. Will provide feedback shortly.

[Copilot]

Pull request overview

This PR adds pip dependency caching to CI workflows to reduce execution time by avoiding redundant package downloads. The caching strategy correctly includes both requirements.txt and pyproject.toml in cache keys, since pyproject.toml is the source of truth for dependencies.

Changes:

• Expanded sync.yml cache key from requirements.txt only to include both requirements.txt and pyproject.toml
• Added explicit pip caching to bandit.yml using actions/cache@v4 with the same dual-file hash strategy
• Updated comments in both workflows to document the caching approach

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
.github/workflows/sync.yml	Broadened cache-dependency-path to include both dependency files and updated comments
.github/workflows/bandit.yml	Added new pip cache step before the Bandit scan with dual-file hash keys