From 85dad7c7a25d8943cdf2895a9209ceaeca6293d9 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Wed, 21 Jan 2026 15:07:01 +0000 Subject: [PATCH] workflows: Add concurrency limits It is good practice to add concurrency limits to automatically cancel jobs that have been superseded and potentially stop race conditions if we try and get artifacts by workflows and job id rather than run id. See https://docs.zizmor.sh/audits/#concurrency-limits Assisted-by: IBM Bob 
Signed-off-by: stevenhorsman --- .github/workflows/basic-ci-amd64.yaml | 25 ++++++++++++ .github/workflows/basic-ci-s390x.yaml | 10 +++++ .../build-checks-preview-riscv64.yaml | 8 +++- .github/workflows/build-checks.yaml | 9 ++++- .../build-kata-static-tarball-amd64.yaml | 19 ++++++++++ .../build-kata-static-tarball-arm64.yaml | 13 +++++++ .../build-kata-static-tarball-ppc64le.yaml | 13 +++++++ .../build-kata-static-tarball-riscv64.yaml | 7 ++++ .../build-kata-static-tarball-s390x.yaml | 13 +++++++ .github/workflows/build-kubectl-image.yaml | 4 ++ .github/workflows/ci-devel.yaml | 4 ++ .github/workflows/ci-nightly-s390x.yaml | 4 ++ .github/workflows/ci-weekly.yaml | 6 ++- .github/workflows/ci.yaml | 38 +++++++++++++------ .github/workflows/cleanup-resources.yaml | 4 ++ .github/workflows/codeql.yml | 4 ++ .github/workflows/docs-url-alive-check.yaml | 4 ++ .github/workflows/docs.yaml | 2 + .github/workflows/gatekeeper-skipper.yaml | 4 ++ .github/workflows/govulncheck.yaml | 6 ++- .github/workflows/osv-scanner.yaml | 4 ++ .../publish-kata-deploy-payload.yaml | 4 ++ .../workflows/push-oras-tarball-cache.yaml | 4 ++ .github/workflows/release-amd64.yaml | 4 ++ .github/workflows/release-arm64.yaml | 4 ++ .github/workflows/release-ppc64le.yaml | 4 ++ .github/workflows/release-s390x.yaml | 4 ++ .github/workflows/release.yaml | 4 ++ .../workflows/run-cri-containerd-tests.yaml | 8 +++- .github/workflows/run-k8s-tests-on-aks.yaml | 8 +++- .github/workflows/run-k8s-tests-on-arm64.yaml | 7 ++++ .../run-k8s-tests-on-free-runner.yaml | 7 ++++ .../run-k8s-tests-on-nvidia-gpu.yaml | 7 ++++ .../workflows/run-k8s-tests-on-ppc64le.yaml | 7 ++++ .github/workflows/run-k8s-tests-on-zvsi.yaml | 7 ++++ .../run-kata-coco-stability-tests.yaml | 9 ++++- .github/workflows/run-kata-coco-tests.yaml | 18 ++++++++- .../run-kata-deploy-tests-on-aks.yaml | 9 ++++- .github/workflows/run-kata-deploy-tests.yaml | 7 ++++ .github/workflows/run-kata-monitor-tests.yaml | 7 ++++ 
.github/workflows/run-metrics.yaml | 4 ++ .github/workflows/scorecard.yaml | 4 ++ 42 files changed, 316 insertions(+), 22 deletions(-) diff --git a/.github/workflows/basic-ci-amd64.yaml b/.github/workflows/basic-ci-amd64.yaml index 29acac0c31..898baaf24b 100644 --- a/.github/workflows/basic-ci-amd64.yaml +++ b/.github/workflows/basic-ci-amd64.yaml @@ -15,6 +15,10 @@ on: permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-basic-amd64 + cancel-in-progress: true + jobs: run-containerd-sandboxapi: name: run-containerd-sandboxapi @@ -26,6 +30,9 @@ jobs: matrix: containerd_version: ['active'] vmm: ['dragonball', 'cloud-hypervisor', 'qemu-runtime-rs'] + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-sandboxapi-amd64-${{ toJSON(matrix) }} + cancel-in-progress: true # TODO: enable me when https://github.com/containerd/containerd/issues/11640 is fixed if: false runs-on: ubuntu-22.04 @@ -89,6 +96,9 @@ jobs: matrix: containerd_version: ['lts', 'active'] vmm: ['clh', 'cloud-hypervisor', 'dragonball', 'qemu', 'qemu-runtime-rs'] + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-run-containerd-stability-amd64-${{ toJSON(matrix) }} + cancel-in-progress: true runs-on: ubuntu-22.04 env: CONTAINERD_VERSION: ${{ matrix.containerd_version }} @@ -135,6 +145,9 @@ jobs: matrix: containerd_version: ['lts', 'active'] vmm: ['clh', 'qemu', 'dragonball', 'qemu-runtime-rs'] + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-run-nydus-amd64-${{ toJSON(matrix) }} + cancel-in-progress: true runs-on: ubuntu-22.04 env: CONTAINERD_VERSION: ${{ matrix.containerd_version }} 
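Review bot: The `${{ github.job }}` segment in the job-level groups, starting with `run-containerd-sandboxapi` in basic-ci-amd64.yaml, most likely expands to an empty string: GitHub documents `github.job` as set by the runner and available only inside a job's steps, while `concurrency` is evaluated before the job is dispatched. In this file the per-job suffixes (`-sandboxapi-amd64-`, `-run-nydus-amd64-`, and so on) still keep the groups apart, but the same pattern is used later with a shared or missing suffix (build-kata-static-tarball-*.yaml, run-kata-coco-tests.yaml) and at workflow level in build-kata-static-tarball-arm64.yaml and build-kata-static-tarball-ppc64le.yaml, where only `toJSON(matrix)` or nothing separates jobs. Writing the job name literally makes the key explicit, e.g. `group: ${{ github.workflow }}-run-nydus-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }}`. The job bodies continue outside these hunks.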
@@ -188,6 +201,9 @@ jobs: vmm: - clh # cloud-hypervisor - qemu + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-tracing-amd64-${{ toJSON(matrix) }} + cancel-in-progress: true # TODO: enable me when https://github.com/kata-containers/kata-containers/issues/9763 is fixed # TODO: Transition to free runner (see #9940). if: false @@ -233,6 +249,9 @@ jobs: vmm: - clh - qemu + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-vfio-amd64-${{ toJSON(matrix) }} + cancel-in-progress: true # TODO: enable with clh when https://github.com/kata-containers/kata-containers/issues/9764 is fixed # TODO: enable with qemu when https://github.com/kata-containers/kata-containers/issues/9851 is fixed # TODO: Transition to free runner (see #9940). @@ -327,6 +346,9 @@ jobs: - qemu - cloud-hypervisor - qemu-runtime-rs + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-nerdctl-amd64-${{ toJSON(matrix) }} + cancel-in-progress: true runs-on: ubuntu-22.04 env: KATA_HYPERVISOR: ${{ matrix.vmm }} @@ -377,6 +399,9 @@ jobs: run-kata-agent-apis: name: run-kata-agent-apis runs-on: ubuntu-22.04 + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-agent-api-amd64 + cancel-in-progress: true steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/basic-ci-s390x.yaml b/.github/workflows/basic-ci-s390x.yaml index bb45665e0d..5bf4293043 100644 --- a/.github/workflows/basic-ci-s390x.yaml +++ b/.github/workflows/basic-ci-s390x.yaml @@ -13,6 +13,10 @@ on: type: string default: "" +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-s390x + cancel-in-progress: true + permissions: {} jobs: 
@@ -26,6 +30,9 @@ jobs: matrix: containerd_version: ['active'] vmm: ['qemu-runtime-rs'] + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-s390x-${{ toJSON(matrix) }} + cancel-in-progress: true # TODO: enable me when https://github.com/containerd/containerd/issues/11640 is fixed if: false runs-on: s390x-large @@ -89,6 +96,9 @@ jobs: matrix: containerd_version: ['lts', 'active'] vmm: ['qemu'] + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-s390x-${{ toJSON(matrix) }} + cancel-in-progress: true runs-on: s390x-large env: CONTAINERD_VERSION: ${{ matrix.containerd_version }} diff --git a/.github/workflows/build-checks-preview-riscv64.yaml b/.github/workflows/build-checks-preview-riscv64.yaml index 4d40a326f9..6a889c475f 100644 --- a/.github/workflows/build-checks-preview-riscv64.yaml +++ b/.github/workflows/build-checks-preview-riscv64.yaml @@ -12,6 +12,10 @@ on: required: true type: string +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-riscv64 + cancel-in-progress: true + permissions: {} name: Build checks preview riscv64 @@ -63,7 +67,9 @@ jobs: path: src/runtime-rs needs: - rust - + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ inputs.instance }}-${{ toJSON(matrix) }} + cancel-in-progress: true steps: - name: Adjust a permission for repo run: | diff --git a/.github/workflows/build-checks.yaml b/.github/workflows/build-checks.yaml index f8259fd5fb..c417c5241b 100644 --- a/.github/workflows/build-checks.yaml +++ b/.github/workflows/build-checks.yaml @@ -5,8 +5,11 @@ on: required: true type: string -permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-build-checks + cancel-in-progress: true +permissions: {} name: Build checks jobs: 
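Review bot: The workflow-level group in build-checks.yaml ends in the fixed suffix `-build-checks` and does not include `inputs.instance`, although the job-level group added further down in the same file does. In a called workflow `github.workflow` resolves to the caller's name, so if the caller runs this reusable workflow once per instance (the call site is not in this diff), every instance computes the same group and `cancel-in-progress: true` lets them cancel one another. Keying the group on the input avoids that: `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-build-checks-${{ inputs.instance }}`. The hunk also drops the blank line between `permissions: {}` and `name:`, which is worth restoring.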
@@ -75,7 +78,9 @@ jobs: - protobuf-compiler instance: - ${{ inputs.instance }} - + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ inputs.instance }}-${{ toJSON(matrix) }} + cancel-in-progress: true steps: - name: Adjust a permission for repo run: | diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml index 4c8b4eddd5..c57f2acbee 100644 --- a/.github/workflows/build-kata-static-tarball-amd64.yaml +++ b/.github/workflows/build-kata-static-tarball-amd64.yaml @@ -28,6 +28,10 @@ on: permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-tarball-amd64 + cancel-in-progress: true + jobs: build-asset: name: build-asset @@ -64,6 +68,9 @@ jobs: exclude: - asset: cloud-hypervisor-glibc stage: release + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-amd64-${{ toJSON(matrix) }} + cancel-in-progress: true env: PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }} steps: @@ -169,6 +176,9 @@ jobs: - rootfs-image-nvidia-gpu-confidential - rootfs-initrd - rootfs-initrd-confidential + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-amd64-${{ toJSON(matrix) }} + cancel-in-progress: true steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} @@ -236,6 +246,9 @@ jobs: - coco-guest-components - kernel-nvidia-gpu-modules - pause-image + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-amd64-${{ toJSON(matrix) }} + cancel-in-progress: true steps: - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 with: 
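Review bot: `cancel-in-progress: true` at the top of build-kata-static-tarball-amd64.yaml also applies when the workflow runs with `stage` set to `release` and `push-to-registry` set to `yes`, the path that logs in to quay.io and sets `PERFORM_ATTESTATION`. The release-*.yaml files in this same commit set `cancel-in-progress: false` with a comment about inconsistent results, and a build cancelled here could leave a partly published or unattested set of artifacts. Consider `cancel-in-progress: ${{ inputs.stage != 'release' }}`, and the same in the sibling tarball workflows that take a `stage` input. How the release workflows invoke this one is not visible in the diff, so confirm against the call sites.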
@@ -250,6 +263,9 @@ jobs: matrix: asset: - agent + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }} + cancel-in-progress: true steps: - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 if: ${{ inputs.stage == 'release' }} @@ -382,6 +398,9 @@ jobs: - trace-forwarder stage: - ${{ inputs.stage }} + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-amd64-${{ toJSON(matrix) }} + cancel-in-progress: true steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml index e1d2de97d5..e2922557d9 100644 --- a/.github/workflows/build-kata-static-tarball-arm64.yaml +++ b/.github/workflows/build-kata-static-tarball-arm64.yaml @@ -28,6 +28,10 @@ on: permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-arm64 + cancel-in-progress: true + jobs: build-asset: name: build-asset @@ -53,6 +57,9 @@ jobs: - ovmf - qemu - virtiofsd + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-arm64-${{ toJSON(matrix) }} + cancel-in-progress: true env: PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }} steps: @@ -153,6 +160,9 @@ jobs: - rootfs-image - rootfs-image-nvidia-gpu - rootfs-initrd + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-arm-${{ toJSON(matrix) }} + cancel-in-progress: true steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} 
@@ -217,6 +227,9 @@ jobs: asset: - busybox - kernel-nvidia-gpu-modules + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-arm-${{ toJSON(matrix) }} + cancel-in-progress: true steps: - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 with: diff --git a/.github/workflows/build-kata-static-tarball-ppc64le.yaml b/.github/workflows/build-kata-static-tarball-ppc64le.yaml index fd0750d717..1fd2e2d211 100644 --- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml +++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml @@ -26,6 +26,10 @@ on: permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-ppc64le + cancel-in-progress: true + jobs: build-asset: name: build-asset @@ -42,6 +46,9 @@ jobs: - virtiofsd stage: - ${{ inputs.stage }} + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-ppc64le-${{ toJSON(matrix) }} + cancel-in-progress: true steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} @@ -100,6 +107,9 @@ jobs: - rootfs-initrd stage: - ${{ inputs.stage }} + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-ppc64le-${{ toJSON(matrix) }} + cancel-in-progress: true steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} @@ -162,6 +172,9 @@ jobs: matrix: asset: - agent + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-ppc64le-${{ toJSON(matrix) }} + cancel-in-progress: true steps: - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 if: ${{ inputs.stage == 'release' }} 
diff --git a/.github/workflows/build-kata-static-tarball-riscv64.yaml b/.github/workflows/build-kata-static-tarball-riscv64.yaml index 3b955812f5..ea99f803c9 100644 --- a/.github/workflows/build-kata-static-tarball-riscv64.yaml +++ b/.github/workflows/build-kata-static-tarball-riscv64.yaml @@ -21,6 +21,10 @@ on: type: string default: "" +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-tarball-riscv64 + cancel-in-progress: true + permissions: {} jobs: @@ -37,6 +41,9 @@ jobs: asset: - kernel - virtiofsd + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-riscv-${{ toJSON(matrix) }} + cancel-in-progress: true steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml index 0393dfd31b..db10b070c3 100644 --- a/.github/workflows/build-kata-static-tarball-s390x.yaml +++ b/.github/workflows/build-kata-static-tarball-s390x.yaml @@ -29,6 +29,10 @@ on: permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-tarball-s390x + cancel-in-progress: true + jobs: build-asset: name: build-asset @@ -47,6 +51,9 @@ jobs: - pause-image - qemu - virtiofsd + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-s390x-${{ toJSON(matrix) }} + cancel-in-progress: true env: PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }} steps: 
@@ -134,6 +141,9 @@ jobs: - rootfs-image-confidential - rootfs-initrd - rootfs-initrd-confidential + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-s390x-${{ toJSON(matrix) }} + cancel-in-progress: true steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} @@ -248,6 +258,9 @@ jobs: - agent - coco-guest-components - pause-image + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-s390x-${{ toJSON(matrix) }} + cancel-in-progress: true steps: - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 if: ${{ inputs.stage == 'release' }} diff --git a/.github/workflows/build-kubectl-image.yaml b/.github/workflows/build-kubectl-image.yaml index fd079d8f8a..d68bc08b5f 100644 --- a/.github/workflows/build-kubectl-image.yaml +++ b/.github/workflows/build-kubectl-image.yaml @@ -15,6 +15,10 @@ on: permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-kubectl-image + cancel-in-progress: true + env: REGISTRY: quay.io IMAGE_NAME: kata-containers/kubectl diff --git a/.github/workflows/ci-devel.yaml b/.github/workflows/ci-devel.yaml index 7042a2ccee..c678106947 100644 --- a/.github/workflows/ci-devel.yaml +++ b/.github/workflows/ci-devel.yaml @@ -2,6 +2,10 @@ name: Kata Containers CI (manually triggered) on: workflow_dispatch: +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-devel + cancel-in-progress: true + permissions: {} jobs: diff --git a/.github/workflows/ci-nightly-s390x.yaml b/.github/workflows/ci-nightly-s390x.yaml index 4249821827..33d656ceb2 100644 --- a/.github/workflows/ci-nightly-s390x.yaml +++ b/.github/workflows/ci-nightly-s390x.yaml 
@@ -6,6 +6,10 @@ name: Nightly CI for s390x permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-nightly-s390x + cancel-in-progress: true + jobs: check-internal-test-result: name: check-internal-test-result diff --git a/.github/workflows/ci-weekly.yaml b/.github/workflows/ci-weekly.yaml index a5d90303b0..ceb5d527b2 100644 --- a/.github/workflows/ci-weekly.yaml +++ b/.github/workflows/ci-weekly.yaml @@ -22,7 +22,7 @@ on: AZ_APPID: required: true AZ_TENANT_ID: - required: true + required: true AZ_SUBSCRIPTION_ID: required: true QUAY_DEPLOYER_PASSWORD: @@ -32,6 +32,10 @@ on: permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-weekly + cancel-in-progress: true + jobs: build-kata-static-tarball-amd64: permissions: diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ec557b1cc5..79774d26c9 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -30,7 +30,7 @@ on: AZ_APPID: required: true AZ_TENANT_ID: - required: true + required: true AZ_SUBSCRIPTION_ID: required: true CI_HKD_PATH: @@ -46,6 +46,10 @@ on: permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-ci + cancel-in-progress: true + jobs: build-kata-static-tarball-amd64: permissions: @@ -370,7 +374,7 @@ jobs: commit-hash: ${{ inputs.commit-hash }} target-branch: ${{ inputs.target-branch }} - run-cri-containerd-amd64: + run-cri-containerd-tests-amd64: if: ${{ inputs.skip-test != 'yes' }} needs: build-kata-static-tarball-amd64 strategy: 
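Review bot: The job id change from `run-cri-containerd-amd64` to `run-cri-containerd-tests-amd64` in ci.yaml (and the matching s390x rename in the following hunk) is not mentioned in the commit message and is unrelated to adding `concurrency`. Renaming a job that calls a reusable workflow changes the reported check name, so any branch-protection rule, required-checks list or `needs:` entry that still uses the old id stops matching; none of those are visible here. The ppc64le and arm64 jobs do not appear to be renamed in this diff, which leaves the four ids inconsistent. Either revert the rename or move it to its own commit together with the updated references.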
@@ -387,7 +391,10 @@ jobs: { containerd_version: active, vmm: qemu }, { containerd_version: active, vmm: cloud-hypervisor }, { containerd_version: active, vmm: qemu-runtime-rs }, - ] + ] + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-cri-amd64-${{ toJSON(matrix) }} + cancel-in-progress: true uses: ./.github/workflows/run-cri-containerd-tests.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -398,16 +405,19 @@ jobs: containerd_version: ${{ matrix.params.containerd_version }} vmm: ${{ matrix.params.vmm }} - run-cri-containerd-s390x: + run-cri-containerd-tests-s390x: if: ${{ inputs.skip-test != 'yes' }} needs: build-kata-static-tarball-s390x strategy: fail-fast: false matrix: params: [ - { containerd_version: active, vmm: qemu }, - { containerd_version: active, vmm: qemu-runtime-rs }, - ] + {containerd_version: active, vmm: qemu}, + {containerd_version: active, vmm: qemu-runtime-rs}, + ] + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }} + cancel-in-progress: true uses: ./.github/workflows/run-cri-containerd-tests.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -425,8 +435,11 @@ jobs: fail-fast: false matrix: params: [ - { containerd_version: active, vmm: qemu }, - ] + {containerd_version: active, vmm: qemu}, + ] + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-cri-ppc64le-${{ toJSON(matrix) }} + cancel-in-progress: true uses: ./.github/workflows/run-cri-containerd-tests.yaml with: tarball-suffix: -${{ inputs.tag }} 
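Review bot: The group added to `run-cri-containerd-tests-s390x` has no architecture segment, unlike its siblings, which use `-cri-amd64-`, `-cri-ppc64le-` and `-cri-arm64-`. Its matrix entry `{containerd_version: active, vmm: qemu}` is identical to the ppc64le and arm64 ones, so the key relies entirely on `${{ github.job }}` to stay unique. Suggest `group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-cri-s390x-${{ toJSON(matrix) }}`.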
@@ -444,8 +457,11 @@ jobs: fail-fast: false matrix: params: [ - { containerd_version: active, vmm: qemu }, - ] + {containerd_version: active, vmm: qemu}, + ] + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-cri-arm64-${{ toJSON(matrix) }} + cancel-in-progress: true uses: ./.github/workflows/run-cri-containerd-tests.yaml with: tarball-suffix: -${{ inputs.tag }} diff --git a/.github/workflows/cleanup-resources.yaml b/.github/workflows/cleanup-resources.yaml index 95f47fb5b2..f25413a52c 100644 --- a/.github/workflows/cleanup-resources.yaml +++ b/.github/workflows/cleanup-resources.yaml @@ -4,6 +4,10 @@ on: - cron: "0 0 * * *" workflow_dispatch: +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} jobs: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e452aee3c2..441dbcd4c3 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -19,6 +19,10 @@ on: schedule: - cron: '45 0 * * 1' +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} diff --git a/.github/workflows/docs-url-alive-check.yaml b/.github/workflows/docs-url-alive-check.yaml index 01d83df73d..99f7eb99f8 100644 --- a/.github/workflows/docs-url-alive-check.yaml +++ b/.github/workflows/docs-url-alive-check.yaml @@ -3,6 +3,10 @@ on: - cron: '0 23 * * 0' workflow_dispatch: +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} name: Docs URL Alive Check diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 73bb6e9771..03d20e189f 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml 
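Review bot: `cancel-in-progress: true` in cleanup-resources.yaml means a manual `workflow_dispatch` on the same ref cancels a scheduled cleanup that is already part-way through removing resources. For a cleanup job it is usually safer to let the running instance finish and queue the next one: `cancel-in-progress: false`. The `github.event.pull_request.number` term is always empty for the `schedule` and `workflow_dispatch` triggers shown, so the group reduces to workflow name plus ref.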
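Review bot: With `cancel-in-progress: true` and a group keyed on `github.ref` in codeql.yml, an analysis of the default branch is cancelled by the next run on that ref, so on a busy branch some commits never get a completed scan and the weekly scheduled scan can be cancelled as well. That is reasonable for pull requests but weakens coverage on the branch whose results feed code-scanning alerts. Consider `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`; the same applies to osv-scanner.yaml, whose hunk shows a `push` trigger on `main`. The non-schedule triggers of codeql.yml sit above this hunk and are not visible.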
@@ -3,7 +3,9 @@ on: push: branches: - main + permissions: {} + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/gatekeeper-skipper.yaml b/.github/workflows/gatekeeper-skipper.yaml index ab16c11232..c4a839ec72 100644 --- a/.github/workflows/gatekeeper-skipper.yaml +++ b/.github/workflows/gatekeeper-skipper.yaml @@ -31,6 +31,10 @@ on: skip_static: value: ${{ jobs.skipper.outputs.skip_static }} +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-gatekeeper-skipper + cancel-in-progress: true + permissions: {} jobs: diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml index 8a5d40c379..a51cc364f2 100644 --- a/.github/workflows/govulncheck.yaml +++ b/.github/workflows/govulncheck.yaml @@ -3,6 +3,10 @@ on: name: Govulncheck +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} jobs: @@ -22,7 +26,7 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/osv-scanner.yaml b/.github/workflows/osv-scanner.yaml index 7dc59e0318..3158df9502 100644 --- a/.github/workflows/osv-scanner.yaml +++ b/.github/workflows/osv-scanner.yaml @@ -15,6 +15,10 @@ on: push: branches: [ "main" ] +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-osv-scanner + cancel-in-progress: true + permissions: {} jobs: diff --git a/.github/workflows/publish-kata-deploy-payload.yaml b/.github/workflows/publish-kata-deploy-payload.yaml index 6c6310a4e2..b2ec84b49d 100644 --- a/.github/workflows/publish-kata-deploy-payload.yaml +++ b/.github/workflows/publish-kata-deploy-payload.yaml 
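Review bot: The group added to govulncheck.yaml has no workflow-specific suffix, unlike most other files in this commit. The trigger is above the hunk; if this file is a reusable workflow, `github.workflow` is the caller's name, and a caller that uses the same `${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}` expression ends up in the same group as this callee, which with `cancel-in-progress: true` can cancel the calling run. Adding a suffix such as `-govulncheck` removes the overlap; push-oras-tarball-cache.yaml has the same suffix-less group and deserves the same check.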
@@ -34,6 +34,10 @@ on: QUAY_DEPLOYER_PASSWORD: required: true +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ inputs.arch }}-publish-deploy + cancel-in-progress: true + permissions: {} jobs: diff --git a/.github/workflows/push-oras-tarball-cache.yaml b/.github/workflows/push-oras-tarball-cache.yaml index c071dfaf2c..6b9c5597b4 100644 --- a/.github/workflows/push-oras-tarball-cache.yaml +++ b/.github/workflows/push-oras-tarball-cache.yaml @@ -12,6 +12,10 @@ on: permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + jobs: push-oras-cache: name: push-oras-cache diff --git a/.github/workflows/release-amd64.yaml b/.github/workflows/release-amd64.yaml index 25e2bdfd79..8cc8ed9f32 100644 --- a/.github/workflows/release-amd64.yaml +++ b/.github/workflows/release-amd64.yaml @@ -11,6 +11,10 @@ on: KBUILD_SIGN_PIN: required: true +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results + permissions: {} jobs: diff --git a/.github/workflows/release-arm64.yaml b/.github/workflows/release-arm64.yaml index e9276ae960..45c7d05707 100644 --- a/.github/workflows/release-arm64.yaml +++ b/.github/workflows/release-arm64.yaml @@ -11,6 +11,10 @@ on: KBUILD_SIGN_PIN: required: true +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results + permissions: {} jobs: diff --git a/.github/workflows/release-ppc64le.yaml b/.github/workflows/release-ppc64le.yaml index 818c6c6266..cd96a2a99b 100644 --- a/.github/workflows/release-ppc64le.yaml +++ b/.github/workflows/release-ppc64le.yaml 
@@ -9,6 +9,10 @@ on: QUAY_DEPLOYER_PASSWORD: required: true +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results + permissions: {} jobs: diff --git a/.github/workflows/release-s390x.yaml b/.github/workflows/release-s390x.yaml index ebfafeba59..99fc53c8ad 100644 --- a/.github/workflows/release-s390x.yaml +++ b/.github/workflows/release-s390x.yaml @@ -11,6 +11,10 @@ on: QUAY_DEPLOYER_PASSWORD: required: true +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results + permissions: {} jobs: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 880651e59e..588af80a70 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -2,6 +2,10 @@ name: Release Kata Containers on: workflow_dispatch +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results + permissions: {} jobs: diff --git a/.github/workflows/run-cri-containerd-tests.yaml b/.github/workflows/run-cri-containerd-tests.yaml index 635540e2c2..ff9bb5ea2a 100644 --- a/.github/workflows/run-cri-containerd-tests.yaml +++ b/.github/workflows/run-cri-containerd-tests.yaml @@ -1,7 +1,5 @@ name: CI | Run cri-containerd tests -permissions: {} - on: workflow_call: inputs: @@ -32,6 +30,12 @@ on: required: true type: string +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-cri-tests-${{ toJSON(inputs) }} + cancel-in-progress: true + +permissions: {} + jobs: run-cri-containerd: name: run-cri-containerd-${{ inputs.arch }} (${{ inputs.containerd_version }}, ${{ inputs.vmm }}) 
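Review bot: Putting `${{ toJSON(inputs) }}` into the group of run-cri-containerd-tests.yaml makes the key depend on every input, including any that change per push. ci.yaml passes `tarball-suffix: -${{ inputs.tag }}` to this workflow, so if the tag differs between two pushes to the same pull request the older run lands in a different group and is never cancelled. The job name already lists the inputs that distinguish parallel calls, so a group built from those keeps matrix calls apart while still superseding older runs: `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-cri-tests-${{ inputs.arch }}-${{ inputs.containerd_version }}-${{ inputs.vmm }}`. The first hunk of this file only moves `permissions: {}` below `on:`.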
diff --git a/.github/workflows/run-k8s-tests-on-aks.yaml b/.github/workflows/run-k8s-tests-on-aks.yaml index 561c8aec9e..2e11d85edf 100644 --- a/.github/workflows/run-k8s-tests-on-aks.yaml +++ b/.github/workflows/run-k8s-tests-on-aks.yaml @@ -29,10 +29,13 @@ on: AZ_APPID: required: true AZ_TENANT_ID: - required: true + required: true AZ_SUBSCRIPTION_ID: required: true +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-aks + cancel-in-progress: true permissions: {} @@ -54,6 +57,9 @@ jobs: - host_os: cbl-mariner vmm: clh instance-type: normal + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-run-k8s-tests-aks-${{ toJSON(matrix) }} + cancel-in-progress: true runs-on: ubuntu-22.04 permissions: contents: read diff --git a/.github/workflows/run-k8s-tests-on-arm64.yaml b/.github/workflows/run-k8s-tests-on-arm64.yaml index 1a4c81ecc5..b7d33d9a56 100644 --- a/.github/workflows/run-k8s-tests-on-arm64.yaml +++ b/.github/workflows/run-k8s-tests-on-arm64.yaml @@ -22,6 +22,10 @@ on: type: string default: "" +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-k8s-arm64 + cancel-in-progress: true + permissions: {} jobs: @@ -35,6 +39,9 @@ jobs: - qemu-runtime-rs k8s: - kubeadm + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-arm64-${{ toJSON(matrix) }} + cancel-in-progress: true runs-on: arm64-k8s env: DOCKER_REGISTRY: ${{ inputs.registry }} diff --git a/.github/workflows/run-k8s-tests-on-free-runner.yaml b/.github/workflows/run-k8s-tests-on-free-runner.yaml index 23b738b7b6..b73abb3c0b 100644 --- a/.github/workflows/run-k8s-tests-on-free-runner.yaml +++ b/.github/workflows/run-k8s-tests-on-free-runner.yaml 
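Review bot: `cancel-in-progress: true` on the AKS test job in run-k8s-tests-on-aks.yaml can stop a run after a cluster has been created with the `AZ_*` credentials but before it is torn down. The steps are outside this hunk; confirm that the cluster-deletion step runs under `if: always()` so it still executes on cancellation, otherwise superseded runs leave billable, reachable clusters behind until a later cleanup. If that guarantee cannot be given, prefer `cancel-in-progress: false` for this job.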
@@ -27,6 +27,10 @@ on: type: string default: "" +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-free-runner + cancel-in-progress: true + permissions: {} jobs: @@ -47,6 +51,9 @@ jobs: { vmm: cloud-hypervisor, containerd_version: lts }, { vmm: cloud-hypervisor, containerd_version: active }, ] + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-free-runner-${{ toJSON(matrix) }} + cancel-in-progress: true runs-on: ubuntu-24.04 permissions: contents: read diff --git a/.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml b/.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml index 5a6da266b4..8a10acf316 100644 --- a/.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml +++ b/.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml @@ -28,6 +28,10 @@ on: NGC_API_KEY: required: true +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-nvidia-gpu + cancel-in-progress: true + permissions: {} jobs: @@ -40,6 +44,9 @@ jobs: { name: nvidia-gpu, vmm: qemu-nvidia-gpu, runner: amd64-nvidia-a100 }, { name: nvidia-gpu-snp, vmm: qemu-nvidia-gpu-snp, runner: amd64-nvidia-h100-snp }, ] + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }} + cancel-in-progress: true runs-on: ${{ matrix.environment.runner }} env: DOCKER_REGISTRY: ${{ inputs.registry }} diff --git a/.github/workflows/run-k8s-tests-on-ppc64le.yaml b/.github/workflows/run-k8s-tests-on-ppc64le.yaml index 673f5306bd..1f4fef117f 100644 --- a/.github/workflows/run-k8s-tests-on-ppc64le.yaml +++ b/.github/workflows/run-k8s-tests-on-ppc64le.yaml @@ -22,6 +22,10 @@ on: type: string default: "" +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-ppc64le + cancel-in-progress: true + permissions: {} jobs: 
@@ -34,6 +38,9 @@ jobs: - qemu k8s: - kubeadm + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-ppc64le-${{ toJSON(matrix) }} + cancel-in-progress: true runs-on: ppc64le-k8s env: DOCKER_REGISTRY: ${{ inputs.registry }} diff --git a/.github/workflows/run-k8s-tests-on-zvsi.yaml b/.github/workflows/run-k8s-tests-on-zvsi.yaml index 88cf3ed7af..e42f5dfcfd 100644 --- a/.github/workflows/run-k8s-tests-on-zvsi.yaml +++ b/.github/workflows/run-k8s-tests-on-zvsi.yaml @@ -25,6 +25,10 @@ on: AUTHENTICATED_IMAGE_PASSWORD: required: true +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-zvsi + cancel-in-progress: true + permissions: {} jobs: @@ -63,6 +67,9 @@ jobs: vmm: qemu - snapshotter: nydus vmm: qemu-runtime-rs + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-zvsi-${{ toJSON(matrix) }} + cancel-in-progress: true runs-on: s390x-large env: DOCKER_REGISTRY: ${{ inputs.registry }} diff --git a/.github/workflows/run-kata-coco-stability-tests.yaml b/.github/workflows/run-kata-coco-stability-tests.yaml index 8753c2c6bb..ba9a5aea1b 100644 --- a/.github/workflows/run-kata-coco-stability-tests.yaml +++ b/.github/workflows/run-kata-coco-stability-tests.yaml @@ -29,12 +29,16 @@ on: AZ_APPID: required: true AZ_TENANT_ID: - required: true + required: true AZ_SUBSCRIPTION_ID: required: true AUTHENTICATED_IMAGE_PASSWORD: required: true +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-coco-stability + cancel-in-progress: true + permissions: {} jobs: @@ -51,6 +55,9 @@ jobs: - nydus pull-type: - guest-pull + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }} + cancel-in-progress: true runs-on: ubuntu-22.04 permissions: 
diff --git a/.github/workflows/run-kata-coco-tests.yaml b/.github/workflows/run-kata-coco-tests.yaml index ad267ab3de..fd4ddebbe9 100644 --- a/.github/workflows/run-kata-coco-tests.yaml +++ b/.github/workflows/run-kata-coco-tests.yaml @@ -34,12 +34,16 @@ on: AZ_APPID: required: true AZ_TENANT_ID: - required: true + required: true AZ_SUBSCRIPTION_ID: required: true ITA_KEY: required: true +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-coco + cancel-in-progress: true + permissions: {} jobs: @@ -55,6 +59,9 @@ jobs: vmm: qemu-snp - runner: sev-snp vmm: qemu-snp-runtime-rs + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }} + cancel-in-progress: true runs-on: ${{ matrix.runner }} env: DOCKER_REGISTRY: ${{ inputs.registry }} @@ -143,6 +150,9 @@ jobs: { vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull }, { vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull }, ] + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }} + cancel-in-progress: true runs-on: ubuntu-24.04 permissions: contents: read @@ -270,6 +280,9 @@ jobs: { k8s: microk8s, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull }, { k8s: microk8s, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull }, ] + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }} + cancel-in-progress: true runs-on: ubuntu-24.04 permissions: contents: read @@ -384,6 +397,9 @@ jobs: - erofs pull-type: - default + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true runs-on: ubuntu-24.04 environment: name: ci 
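Review bot: The last job-level group in run-kata-coco-tests.yaml (hunk at `-384,6 +397,9`) omits the matrix, although the context lines just above it (`- erofs`, `pull-type:`, `- default`) look like matrix dimensions. With `cancel-in-progress: true` every leg of that job shares one group, so as soon as a dimension gains a second value the legs cancel one another and only one result is reported. Appending `-${{ toJSON(matrix) }}` to that `group:` value would bring it in line with the three groups added earlier in this file. The strategy block starts outside the hunk, so this is inferred from its visible tail.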
diff --git a/.github/workflows/run-kata-deploy-tests-on-aks.yaml b/.github/workflows/run-kata-deploy-tests-on-aks.yaml index f19e65e180..0fa5e0dbdb 100644 --- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml +++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml @@ -25,10 +25,14 @@ on: AZ_APPID: required: true AZ_TENANT_ID: - required: true + required: true AZ_SUBSCRIPTION_ID: required: true +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-kata-deploy-aks + cancel-in-progress: true + permissions: {} jobs: @@ -47,6 +51,9 @@ jobs: include: - host_os: cbl-mariner vmm: clh + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }} + cancel-in-progress: true runs-on: ubuntu-22.04 environment: name: ci diff --git a/.github/workflows/run-kata-deploy-tests.yaml b/.github/workflows/run-kata-deploy-tests.yaml index 2554257888..4a53c2552c 100644 --- a/.github/workflows/run-kata-deploy-tests.yaml +++ b/.github/workflows/run-kata-deploy-tests.yaml @@ -22,6 +22,10 @@ on: type: string default: "" +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-kata-deploy + cancel-in-progress: true + permissions: {} jobs: @@ -37,6 +41,9 @@ jobs: - k3s - rke2 - microk8s + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }} + cancel-in-progress: true runs-on: ubuntu-22.04 env: DOCKER_REGISTRY: ${{ inputs.registry }} diff --git a/.github/workflows/run-kata-monitor-tests.yaml b/.github/workflows/run-kata-monitor-tests.yaml index 6d0a91788c..37d964eb72 100644 --- a/.github/workflows/run-kata-monitor-tests.yaml +++ b/.github/workflows/run-kata-monitor-tests.yaml 
@@ -13,6 +13,10 @@ on: type: string default: "" +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-kata-monitor + cancel-in-progress: true + permissions: {} jobs: @@ -34,6 +38,9 @@ jobs: # TODO: enable with containerd when https://github.com/kata-containers/kata-containers/issues/9761 is fixed - container_engine: containerd vmm: qemu + concurrency: + group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }} + cancel-in-progress: true runs-on: ubuntu-22.04 env: CONTAINER_ENGINE: ${{ matrix.container_engine }} diff --git a/.github/workflows/run-metrics.yaml b/.github/workflows/run-metrics.yaml index 76725119f5..0cae90bb00 100644 --- a/.github/workflows/run-metrics.yaml +++ b/.github/workflows/run-metrics.yaml @@ -22,6 +22,10 @@ on: type: string default: "" +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-metrics + cancel-in-progress: true + permissions: {} jobs: diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 1f30fc2d67..5a024a170b 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -11,6 +11,10 @@ on: branches: [ "main" ] workflow_dispatch: +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} jobs:
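Review bot: In scorecard.yaml the group falls back to `github.ref` for non-PR events, so with `cancel-in-progress: true` each new push to `main` cancels the scan still running for the previous one. On a busy branch that can keep the scorecard run from finishing and publishing results. Cancelling only PR-triggered runs avoids this: `cancel-in-progress: ${{ startsWith(github.event_name, 'pull_request') }}`. The trigger list starts above the hunk, so whether `branches: [ "main" ]` belongs to a `push` trigger should be confirmed.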