CodesWhat · scttbnsn · Jun 15, 2026 · Jun 15, 2026 · Jun 15, 2026 · Jun 15, 2026
@@ -568,16 +568,17 @@ jobs:
       - name: Wait for QA health
         run: |
           set -euo pipefail
-          for _ in $(seq 1 60); do
+          for _ in $(seq 1 90); do
             if curl -sf http://localhost:3333/health >/dev/null 2>&1; then
               echo "Drydock is healthy"
               exit 0
             fi
             sleep 2
           done
 
-          echo "Drydock failed to become healthy after 120 seconds."
+          echo "Drydock failed to become healthy after 180 seconds."
           docker compose -p drydock-zap -f test/qa-compose.yml ps
+          docker compose -p drydock-zap -f test/qa-compose.yml logs --no-color --tail=30
           exit 1
 
       - name: Create ZAP authenticated session
@@ -975,7 +976,12 @@ jobs:
           command: cd e2e && npm ci
 
       - name: Setup test containers
-        run: ./scripts/setup-test-containers.sh
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60  # v4.0.0
+        with:
+          timeout_minutes: 10
+          max_attempts: 3
+          retry_wait_seconds: 10
+          command: ./scripts/setup-test-containers.sh
 
       - name: Start drydock
         id: drydock
@@ -987,7 +993,7 @@ jobs:
         # @requires_gitlab scenarios here to match, otherwise they fail looking
         # for a missing container. The token-gated local path that runs them
         # lives in scripts/run-e2e-tests.sh.
-        run: npm run cucumber -- --tags "not @requires_gitlab"
+        run: npm run cucumber -- --tags "not @requires_gitlab" --retry 1
         working-directory: e2e
         env:
           DD_PORT: ${{ steps.drydock.outputs.dd_port }}
@@ -1041,8 +1047,12 @@ jobs:
         uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5  # v4.1.0
 
       - name: Install e2e dependencies
-        run: npm ci
-        working-directory: e2e
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60  # v4.0.0
+        with:
+          timeout_minutes: 5
+          max_attempts: 3
+          retry_wait_seconds: 30
+          command: cd e2e && npm ci
 
       - name: Run Artillery load test
         id: run-load-test-ci
@@ -1159,8 +1169,12 @@ jobs:
         uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5  # v4.1.0
 
       - name: Install e2e dependencies
-        run: npm ci
-        working-directory: e2e
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60  # v4.0.0
+        with:
+          timeout_minutes: 5
+          max_attempts: 3
+          retry_wait_seconds: 30
+          command: cd e2e && npm ci
 
       - name: Run Artillery behavior test
         id: run-load-test-behavior

@@ -170,16 +170,17 @@ jobs:
       - name: Wait for QA health
         run: |
           set -euo pipefail
-          for _ in $(seq 1 60); do
+          for _ in $(seq 1 90); do
             if curl -sf http://localhost:3333/health >/dev/null 2>&1; then
               echo "Drydock QA is healthy"
               exit 0
             fi
             sleep 2
           done
 
-          echo "Drydock QA failed to become healthy after 120 seconds."
+          echo "Drydock QA failed to become healthy after 180 seconds."
           docker compose -p drydock-playwright -f test/qa-compose.yml ps
+          docker compose -p drydock-playwright -f test/qa-compose.yml logs --no-color --tail=30
           exit 1
 
       # Run npm ci + playwright test inside the official Playwright

@@ -90,11 +90,11 @@ jobs:
           github-token: ${{ github.token }}
           workflow-file: ${{ env.CI_VERIFY_WORKFLOW_FILE }}
           target-sha: ${{ steps.target.outputs.sha }}
-          # 60-min budget at 5-min cadence. CI Verify runs 20-30m typically;
+          # 90-min budget at 5-min cadence. CI Verify runs 20-30m typically;
           # pathological CodeQL/mutation overlap can push to ~60m. Polling
           # more often than every 5m is wasteful because CI jobs only change
           # state on completion, not mid-flight.
-          max-attempts: '12'
+          max-attempts: '18'
           sleep-seconds: '300'
 
       - name: Wait for successful E2E Playwright on target SHA
@@ -105,9 +105,9 @@ jobs:
           target-sha: ${{ steps.target.outputs.sha }}
           # Playwright moved to its own workflow so its failures don't
           # poison ci-verify's Check Suite for Scorecard. Releases still
-          # gate on it — runs ~10-15m typically, share the same 60-min
+          # gate on it — runs ~10-15m typically, share the same 90-min
           # budget shape.
-          max-attempts: '12'
+          max-attempts: '18'
           sleep-seconds: '300'
 
       - name: Resolve release tag from input

@@ -134,3 +134,11 @@ set.ignored = true
 [[triage]]
 match.rules = ["osv-scanner:CVE-2025-59472"]
 set.ignored = true
+
+# js-yaml@3.14.2 via artillery (e2e load-testing only). The only fix is js-yaml 4.2.0,
+# which removes safeLoad() that artillery@2.0.32 calls (artillery/lib/util.js) — a
+# breaking change. The DoS (quadratic merge-key parsing) is unreachable: artillery
+# parses only trusted, in-repo load-test configs. Test-only dep; not shipped.
+[[triage]]
+match.rules = ["osv-scanner:CVE-2026-53550"]
+set.ignored = true