From fc1de998bcac7bc7f39d0d47b07fa499918f1476 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Wed, 21 Jan 2026 15:07:01 +0000 Subject: [PATCH] WIP: workflows: Add concurrency limits It is good practice to add concurrency limits to automatically cancel jobs that have been superceded and potentially stop race conditions if we try and get artifacts by workflows and job id rather than run id. See https://docs.zizmor.sh/audits/#concurrency-limits Signed-off-by: stevenhorsman --- .github/workflows/build-checks.yaml | 5 +++-- .github/workflows/cleanup-resources.yaml | 4 ++++ .github/workflows/codeql.yml | 4 ++++ .github/workflows/docs-url-alive-check.yaml | 4 ++++ .github/workflows/docs.yaml | 5 +++++ .github/workflows/gatekeeper-skipper.yaml | 4 ++++ .github/workflows/govulncheck.yaml | 4 ++++ .github/workflows/publish-kata-deploy-payload.yaml | 4 ++++ .github/workflows/run-kata-monitor-tests.yaml | 4 ++++ .github/workflows/run-metrics.yaml | 4 ++++ .github/workflows/scorecard.yaml | 4 ++++ .github/workflows/stale.yaml | 4 ++++ src/runtime/pkg/govmm/.github/workflows/main.yml | 4 ++++ 13 files changed, 52 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-checks.yaml b/.github/workflows/build-checks.yaml index e7651e586d..74d336c439 100644 --- a/.github/workflows/build-checks.yaml +++ b/.github/workflows/build-checks.yaml @@ -7,7 +7,6 @@ on: permissions: {} - name: Build checks jobs: check: @@ -75,7 +74,9 @@ jobs: - protobuf-compiler instance: - ${{ inputs.instance }} - + concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.component.name }}-${{ matrix.command }} + cancel-in-progress: true steps: - name: Adjust a permission for repo run: | diff --git a/.github/workflows/cleanup-resources.yaml b/.github/workflows/cleanup-resources.yaml index 77d623fb87..71604adfd7 100644 --- a/.github/workflows/cleanup-resources.yaml +++ b/.github/workflows/cleanup-resources.yaml 
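Review bot: The job-level concurrency group added in the second build-checks.yaml hunk omits the runner instance, although `instance: - ${{ inputs.instance }}` is a matrix dimension a few lines above it. The `inputs.instance` reference suggests this file is a reusable workflow, where `github.workflow` expands to the caller's name. If a caller invokes it once per instance, jobs with the same component and command on different instances would share one group and cancel each other under `cancel-in-progress: true`. Appending the instance keeps the groups distinct: `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.component.name }}-${{ matrix.command }}-${{ inputs.instance }}`. The `check` job starts and ends outside the hunk, so how callers fan out is inferred and worth confirming.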
@@ -4,6 +4,10 @@ on: - cron: "0 0 * * *" workflow_dispatch: +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} jobs: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a273da590b..ed403959e3 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -19,6 +19,10 @@ on: schedule: - cron: '45 0 * * 1' +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} diff --git a/.github/workflows/docs-url-alive-check.yaml b/.github/workflows/docs-url-alive-check.yaml index 4874f33b4d..f25ad4be88 100644 --- a/.github/workflows/docs-url-alive-check.yaml +++ b/.github/workflows/docs-url-alive-check.yaml @@ -3,6 +3,10 @@ on: - cron: '0 23 * * 0' workflow_dispatch: +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} name: Docs URL Alive Check diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 29543e5692..4d40180ae4 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -3,6 +3,11 @@ on: push: branches: - main + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} jobs: deploy-docs: diff --git a/.github/workflows/gatekeeper-skipper.yaml b/.github/workflows/gatekeeper-skipper.yaml index 78017f86a3..9128cbd9ba 100644 --- a/.github/workflows/gatekeeper-skipper.yaml +++ b/.github/workflows/gatekeeper-skipper.yaml @@ -31,6 +31,10 @@ on: skip_static: value: ${{ jobs.skipper.outputs.skip_static }} +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} jobs: 
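Review bot: `cancel-in-progress: true` in cleanup-resources.yaml lets a manual `workflow_dispatch` on the same ref kill a scheduled cleanup run partway through, which can leave resources half-removed. Only `schedule` and `workflow_dispatch` triggers are visible, and `github.event.pull_request.number` is never set for those, so the group reduces to workflow name plus ref. For a job with external side effects it is safer to queue than to cancel: `cancel-in-progress: false`. The same question applies to the docs.yaml hunk, where a push to `main` would cancel an in-flight `deploy-docs` job. What the jobs actually do is outside both hunks, so treat this as something to confirm.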
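Review bot: In codeql.yml the new group is keyed on `github.ref` for every non-PR event, so the weekly `schedule` scan and any push-triggered scan of the same branch share one group and the newer run cancels the older. For a security scanner this means commits merged in quick succession may never get a completed analysis of their own. Limiting cancellation to pull requests keeps the de-duplication benefit without dropping branch scans: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The scorecard.yaml hunk, where `branches: [ "main" ]` and `workflow_dispatch` are visible, has the same shape. The full trigger lists start outside these hunks.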
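Review bot: gatekeeper-skipper.yaml looks like a reusable workflow, since the context line `value: ${{ jobs.skipper.outputs.skip_static }}` is a `workflow_call` output, and in a called workflow `github.workflow` resolves to the caller's name rather than this file's. The group `${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}` is therefore identical for every reusable workflow invoked from the same caller on the same PR or ref, and with `cancel-in-progress: true` they can cancel one another, or the caller if it uses the same group. The hunks for publish-kata-deploy-payload.yaml (a `QUAY_DEPLOYER_PASSWORD` secret declared `required: true`), run-kata-monitor-tests.yaml and run-metrics.yaml appear to have the same problem. The publish case is the most consequential, because a cancelled run could leave a payload partially pushed. Either leave concurrency to the calling workflow, or put a fixed per-file literal in the group, e.g. `group: ${{ github.workflow }}-gatekeeper-skipper-${{ github.event.pull_request.number || github.ref }}`. The `on:` blocks begin outside the hunks, so the `workflow_call` trigger is inferred.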
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml index 8a5d40c379..c1594d1063 100644 --- a/.github/workflows/govulncheck.yaml +++ b/.github/workflows/govulncheck.yaml @@ -3,6 +3,10 @@ on: name: Govulncheck +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} jobs: diff --git a/.github/workflows/publish-kata-deploy-payload.yaml b/.github/workflows/publish-kata-deploy-payload.yaml index 3561585afb..45af7760d4 100644 --- a/.github/workflows/publish-kata-deploy-payload.yaml +++ b/.github/workflows/publish-kata-deploy-payload.yaml @@ -34,6 +34,10 @@ on: QUAY_DEPLOYER_PASSWORD: required: true +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} jobs: diff --git a/.github/workflows/run-kata-monitor-tests.yaml b/.github/workflows/run-kata-monitor-tests.yaml index aacf4b09fb..d6f27741ae 100644 --- a/.github/workflows/run-kata-monitor-tests.yaml +++ b/.github/workflows/run-kata-monitor-tests.yaml @@ -13,6 +13,10 @@ on: type: string default: "" +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} jobs: diff --git a/.github/workflows/run-metrics.yaml b/.github/workflows/run-metrics.yaml index 519440bdaf..dfc51c068f 100644 --- a/.github/workflows/run-metrics.yaml +++ b/.github/workflows/run-metrics.yaml @@ -22,6 +22,10 @@ on: type: string default: "" +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} jobs: diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 86c766fc26..78005e54b9 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml 
@@ -11,6 +11,10 @@ on: branches: [ "main" ] workflow_dispatch: +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} jobs: diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index 4dea779f86..b2c0a0938c 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -4,6 +4,10 @@ on: - cron: '0 0 * * *' workflow_dispatch: +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} concurrency: diff --git a/src/runtime/pkg/govmm/.github/workflows/main.yml b/src/runtime/pkg/govmm/.github/workflows/main.yml index 7fe1cb2122..27f3729887 100644 --- a/src/runtime/pkg/govmm/.github/workflows/main.yml +++ b/src/runtime/pkg/govmm/.github/workflows/main.yml @@ -1,6 +1,10 @@ on: ["pull_request"] name: Unit tests +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: contents: read
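Review bot: The stale.yaml hunk inserts a top-level `concurrency:` block while its last context line shows an existing `concurrency:` key right after `permissions: {}`, so the patched file would define the key twice. Duplicate mapping keys are invalid YAML; the workflow would either be rejected or one of the two definitions would be silently ignored, depending on the parser. Drop the added block from this file and, if needed, adjust the existing one instead. The body of the existing `concurrency:` mapping lies outside the hunk, so its current group and cancel settings should be checked before deciding.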