From adef02dd3e2d1554b7c1399b4666b7c3c2fbd927 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Mon, 18 May 2026 10:26:08 +0100 Subject: [PATCH] harden(ci): concurrency-cancel guard on canonical check workflows Redistributes the merged hyperpolymath/standards#122 canonical fix: adds concurrency{cancel-in-progress:true} to read-only check workflows (and scopes affinescript-verify push to [main,master]) so re-pushes / rebased PRs do not pile up queued runs against the shared account-wide Actions concurrency pool. Read-only checks only; zero coverage lost. Files: scorecard.yml governance.yml codeql.yml secret-scanner.yml Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/codeql.yml | 8 ++++++++ .github/workflows/governance.yml | 8 ++++++++ .github/workflows/scorecard.yml | 8 ++++++++ .github/workflows/secret-scanner.yml | 10 +++++++++- 4 files changed, 33 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 064beb04..8b349e88 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -9,6 +9,14 @@ on: schedule: - cron: '0 6 * * 1' +# Estate guardrail: cancel superseded runs so re-pushes / rebased PR +# updates do not pile up queued runs against the shared account-wide +# Actions concurrency pool. Applied only to read-only check workflows +# (no publish/mutation), so cancelling a superseded run is always safe. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: contents: read diff --git a/.github/workflows/governance.yml b/.github/workflows/governance.yml index 76bd1a0e..4bb50e9a 100644 --- a/.github/workflows/governance.yml +++ b/.github/workflows/governance.yml @@ -18,6 +18,14 @@ on: pull_request: workflow_dispatch: +# Estate guardrail: cancel superseded runs so re-pushes / rebased PR +# updates do not pile up queued runs against the shared account-wide +# Actions concurrency pool. Applied only to read-only check workflows +# (no publish/mutation), so cancelling a superseded run is always safe. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: contents: read diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 8a8fe3e6..cae8883b 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -13,6 +13,14 @@ on: - cron: 0 6 * * 1 workflow_dispatch: null +# Estate guardrail: cancel superseded runs so re-pushes / rebased PR +# updates do not pile up queued runs against the shared account-wide +# Actions concurrency pool. Applied only to read-only check workflows +# (no publish/mutation), so cancelling a superseded run is always safe. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: read-all jobs: diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml index e9a2ac01..f2e87e72 100644 --- a/.github/workflows/secret-scanner.yml +++ b/.github/workflows/secret-scanner.yml @@ -7,6 +7,14 @@ on: push: branches: [main] +# Estate guardrail: cancel superseded runs so re-pushes / rebased PR +# updates do not pile up queued runs against the shared account-wide +# Actions concurrency pool. Applied only to read-only check workflows +# (no publish/mutation), so cancelling a superseded run is always safe. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: contents: read @@ -66,4 +74,4 @@ jobs: if [ $found -eq 1 ]; then echo "::error::Potential hardcoded secrets detected. Use environment variables instead." exit 1 - fi \ No newline at end of file + fi