refactor: address PR review comments for scheduled sync workflow

This commit addresses all review comments from PR #10:

Code Quality Improvements:
- Remove redundant envPrefix: nil parameters across configuration keys
- Make environment ConfigKey optional with programmatic defaults
- Add concurrency strategy documentation to workflow files

Authentication Refactoring:
- Create CloudKitAuthMethod enum for type-safe auth (.pemString, .pemFile)
- Refactor SyncEngine to use auth enum instead of dual optional parameters
- Update all commands (Sync, Export, Clear, List, Status) to use new auth pattern

Multi-Environment Workflow Support:
- Create reusable composite action (.github/actions/cloudkit-sync/action.yml)
- Rename cloudkit-sync.yml → cloudkit-sync-dev.yml
- Add cloudkit-sync-prod.yml for production environment
- Separate dev/prod with independent secrets and triggers

Export Reporting Enhancements:
- Add JSON artifact export with full CloudKit data
- Generate Markdown summary with record counts and signing statistics
- Write to GitHub Actions summary page for rich formatted output

All changes verified with successful build (swift build).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: leogdion

.github/actions/cloudkit-sync/action.yml

@@ -0,0 +1,137 @@
+name: 'CloudKit Sync Action'
+description: 'Reusable action for syncing data to CloudKit with export reporting'
+
+inputs:
+  environment:
+    description: 'CloudKit environment (development or production)'
+    required: true
+  container-id:
+    description: 'CloudKit container ID'
+    required: true
+  cloudkit-key-id:
+    description: 'CloudKit S2S key ID'
+    required: true
+  cloudkit-private-key:
+    description: 'CloudKit S2S private key (PEM content)'
+    required: true
+  virtualbuddy-api-key:
+    description: 'VirtualBuddy TSS API key'
+    required: true
+  enable-export:
+    description: 'Run export after sync and generate reports'
+    required: false
+    default: 'true'
+
+runs:
+  using: "composite"
+  steps:
+    - name: Download latest built binary
+      uses: dawidd6/action-download-artifact@v3
+      with:
+        workflow: bushel-cloud-build.yml
+        workflow_conclusion: success
+        name: bushel-cloud-binary
+        path: ./binary
+
+    - name: Make binary executable
+      shell: bash
+      run: chmod +x ./binary/bushel-cloud
+
+    - name: Validate required secrets
+      shell: bash
+      env:
+        VIRTUALBUDDY_API_KEY: ${{ inputs.virtualbuddy-api-key }}
+      run: |
+        if [ -z "$VIRTUALBUDDY_API_KEY" ]; then
+          echo "❌ Error: VIRTUALBUDDY_API_KEY is not set"
+          echo "Please add VIRTUALBUDDY_API_KEY to repository secrets"
+          exit 1
+        fi
+        echo "✅ All required secrets are present"
+
+    - name: Run CloudKit sync
+      shell: bash
+      env:
+        CLOUDKIT_KEY_ID: ${{ inputs.cloudkit-key-id }}
+        CLOUDKIT_PRIVATE_KEY: ${{ inputs.cloudkit-private-key }}
+        CLOUDKIT_ENVIRONMENT: ${{ inputs.environment }}
+        CLOUDKIT_CONTAINER_ID: ${{ inputs.container-id }}
+        VIRTUALBUDDY_API_KEY: ${{ inputs.virtualbuddy-api-key }}
+      run: |
+        echo "Starting CloudKit sync..."
+        echo "Container: $CLOUDKIT_CONTAINER_ID"
+        echo "Environment: $CLOUDKIT_ENVIRONMENT"
+
+        ./binary/bushel-cloud sync \
+          --verbose \
+          --container-identifier "$CLOUDKIT_CONTAINER_ID"
+
+    - name: Run export and generate reports
+      if: inputs.enable-export == 'true'
+      shell: bash
+      env:
+        CLOUDKIT_KEY_ID: ${{ inputs.cloudkit-key-id }}
+        CLOUDKIT_PRIVATE_KEY: ${{ inputs.cloudkit-private-key }}
+        CLOUDKIT_ENVIRONMENT: ${{ inputs.environment }}
+        CLOUDKIT_CONTAINER_ID: ${{ inputs.container-id }}
+      run: |
+        echo "Exporting CloudKit data..."
+
+        # Export to JSON
+        ./binary/bushel-cloud export \
+          --output "cloudkit-export-${{ inputs.environment }}.json" \
+          --pretty \
+          --verbose \
+          --container-identifier "$CLOUDKIT_CONTAINER_ID"
+
+        # Parse JSON to extract counts
+        RESTORE_COUNT=$(jq '.restoreImages | length' "cloudkit-export-${{ inputs.environment }}.json")
+        XCODE_COUNT=$(jq '.xcodeVersions | length' "cloudkit-export-${{ inputs.environment }}.json")
+        SWIFT_COUNT=$(jq '.swiftVersions | length' "cloudkit-export-${{ inputs.environment }}.json")
+        TOTAL_COUNT=$((RESTORE_COUNT + XCODE_COUNT + SWIFT_COUNT))
+
+        # Count signed restore images
+        SIGNED_COUNT=$(jq '[.restoreImages[] | select(.fields.isSigned == "int64(1)")] | length' "cloudkit-export-${{ inputs.environment }}.json" || echo "0")
+
+        # Generate markdown summary
+        cat > export-summary.md <<EOF
+        # CloudKit Export Summary
+
+        **Environment**: \`${{ inputs.environment }}\`
+        **Container**: \`${{ inputs.container-id }}\`
+        **Export Date**: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
+
+        ## Record Counts
+
+        | Record Type | Count |
+        |-------------|-------|
+        | Restore Images | ${RESTORE_COUNT} |
+        | Xcode Versions | ${XCODE_COUNT} |
+        | Swift Versions | ${SWIFT_COUNT} |
+        | **Total** | **${TOTAL_COUNT}** |
+
+        ## Restore Image Status
+
+        - **Signed**: ${SIGNED_COUNT} images currently signed by Apple
+        - **Unsigned**: $((RESTORE_COUNT - SIGNED_COUNT)) images no longer signed
+
+        ## Artifacts
+
+        - 📄 Full export data: \`cloudkit-export-${{ inputs.environment }}.json\`
+        - 📊 This summary: \`export-summary.md\`
+        EOF
+
+        # Append to GitHub Actions summary
+        cat export-summary.md >> $GITHUB_STEP_SUMMARY
+
+        echo "✅ Export complete with ${TOTAL_COUNT} total records"
+
+    - name: Upload export artifacts
+      if: inputs.enable-export == 'true'
+      uses: actions/upload-artifact@v4
+      with:
+        name: cloudkit-export-${{ inputs.environment }}
+        path: |
+          cloudkit-export-${{ inputs.environment }}.json
+          export-summary.md
+        retention-days: 30

.github/workflows/bushel-cloud-build.yml

@@ -14,6 +14,10 @@ on:
   pull_request:
 
 # Prevent concurrent builds
+# Why cancel-in-progress?
+# - Newer code changes supersede older builds
+# - Saves CI minutes by canceling outdated builds
+# - Each branch gets independent builds via ${{ github.ref }}
 concurrency:
   group: bushel-cloud-build-${{ github.ref }}
   cancel-in-progress: true

.github/workflows/cloudkit-sync-dev.yml

@@ -0,0 +1,53 @@
+name: Scheduled CloudKit Sync (Development)
+
+on:
+  # Run three times daily (every ~8 hours) with randomized minutes
+  # Staggered to avoid predictable patterns and align with VirtualBuddy TSS cache (12h)
+  schedule:
+    - cron: '17 2 * * *'   # 02:17 UTC
+    - cron: '43 10 * * *'  # 10:43 UTC
+    - cron: '29 18 * * *'  # 18:29 UTC
+
+  # Allow manual trigger for testing
+  workflow_dispatch:
+
+  # Run after successful build (for testing on feature branch)
+  workflow_run:
+    workflows: ["Build bushel-cloud Binary"]
+    types: [completed]
+    branches:
+      - 8-scheduled-job
+
+# Prevent concurrent sync runs
+# Why cancel-in-progress?
+# - Only latest sync matters (syncs are idempotent)
+# - Prevents race conditions when writing to CloudKit
+# - Saves resources by canceling redundant syncs
+concurrency:
+  group: cloudkit-sync-dev
+  cancel-in-progress: true
+
+jobs:
+  sync-dev:
+    name: Sync to CloudKit (Development)
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    # Only run if triggered by schedule/manual, OR if build workflow succeeded
+    if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
+
+    permissions:
+      contents: read  # Read repository code
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: CloudKit Sync
+        uses: ./.github/actions/cloudkit-sync
+        with:
+          environment: development
+          container-id: iCloud.com.brightdigit.Bushel
+          cloudkit-key-id: ${{ secrets.CLOUDKIT_KEY_ID }}
+          cloudkit-private-key: ${{ secrets.CLOUDKIT_PRIVATE_KEY }}
+          virtualbuddy-api-key: ${{ secrets.VIRTUALBUDDY_API_KEY }}
+          enable-export: 'true'

.github/workflows/cloudkit-sync-prod.yml

@@ -0,0 +1,43 @@
+name: Scheduled CloudKit Sync (Production)
+
+on:
+  # Manual trigger only for production
+  # Recommend running after testing in development
+  workflow_dispatch:
+
+  # Optional: Less frequent scheduled sync for production
+  # Uncomment to enable once production is ready
+  # schedule:
+  #   - cron: '0 6 * * *'  # Once daily at 6:00 UTC
+
+# Prevent concurrent sync runs
+# Why cancel-in-progress?
+# - Only latest sync matters (syncs are idempotent)
+# - Prevents race conditions when writing to CloudKit
+# - Saves resources by canceling redundant syncs
+concurrency:
+  group: cloudkit-sync-prod
+  cancel-in-progress: true
+
+jobs:
+  sync-prod:
+    name: Sync to CloudKit (Production)
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    permissions:
+      contents: read  # Read repository code
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: CloudKit Sync
+        uses: ./.github/actions/cloudkit-sync
+        with:
+          environment: production
+          container-id: iCloud.com.brightdigit.Bushel
+          cloudkit-key-id: ${{ secrets.CLOUDKIT_KEY_ID_PROD }}
+          cloudkit-private-key: ${{ secrets.CLOUDKIT_PRIVATE_KEY_PROD }}
+          virtualbuddy-api-key: ${{ secrets.VIRTUALBUDDY_API_KEY }}
+          enable-export: 'true'

.github/workflows/cloudkit-sync.yml

@@ -59,11 +59,20 @@ enum ClearCommand {
       }
     }
 
+    // Determine authentication method
+    let authMethod: CloudKitAuthMethod
+    if let pemString = config.cloudKit.privateKey {
+      authMethod = .pemString(pemString)
+    } else {
+      authMethod = .pemFile(path: config.cloudKit.privateKeyPath)
+    }
+
     // Create sync engine
     let syncEngine = try SyncEngine(
       containerIdentifier: config.cloudKit.containerID,
       keyID: config.cloudKit.keyID,
-      privateKeyPath: config.cloudKit.privateKeyPath
+      authMethod: authMethod,
+      environment: config.cloudKit.environment
     )
 
     // Execute clear

Sources/BushelCloudCLI/Commands/ClearCommand.swift

@@ -42,11 +42,20 @@ enum ExportCommand {
     // Enable verbose console output if requested
     ConsoleOutput.isVerbose = config.export?.verbose ?? false
 
+    // Determine authentication method
+    let authMethod: CloudKitAuthMethod
+    if let pemString = config.cloudKit.privateKey {
+      authMethod = .pemString(pemString)
+    } else {
+      authMethod = .pemFile(path: config.cloudKit.privateKeyPath)
+    }
+
     // Create sync engine
     let syncEngine = try SyncEngine(
       containerIdentifier: config.cloudKit.containerID,
       keyID: config.cloudKit.keyID,
-      privateKeyPath: config.cloudKit.privateKeyPath
+      authMethod: authMethod,
+      environment: config.cloudKit.environment
     )
 
     // Execute export

Sources/BushelCloudCLI/Commands/ExportCommand.swift

@@ -40,11 +40,22 @@ enum ListCommand {
     let config = try rawConfig.validated()
 
     // Create CloudKit service
-    let cloudKitService = try BushelCloudKitService(
-      containerIdentifier: config.cloudKit.containerID,
-      keyID: config.cloudKit.keyID,
-      privateKeyPath: config.cloudKit.privateKeyPath
-    )
+    let cloudKitService: BushelCloudKitService
+    if let pemString = config.cloudKit.privateKey {
+      cloudKitService = try BushelCloudKitService(
+        containerIdentifier: config.cloudKit.containerID,
+        keyID: config.cloudKit.keyID,
+        pemString: pemString,
+        environment: config.cloudKit.environment
+      )
+    } else {
+      cloudKitService = try BushelCloudKitService(
+        containerIdentifier: config.cloudKit.containerID,
+        keyID: config.cloudKit.keyID,
+        privateKeyPath: config.cloudKit.privateKeyPath,
+        environment: config.cloudKit.environment
+      )
+    }
 
     // Determine what to list based on flags
     let listConfig = config.list