static-build-concurrencies

!fixup: Next batch of concurrency limits
WIP: workflows: Add concurrency limits
2026-02-22 06:43:41 +00:00 · 2026-02-04 16:53:24 +00:00 · 2026-02-04 16:53:24 +00:00 · 2026-02-04 15:37:18 +00:00 · 2026-02-04 15:37:18 +00:00 · 2026-02-04 15:37:18 +00:00
34 changed files with 163 additions and 15 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -15,6 +15,8 @@ updates:
      - "/src/tools/trace-forwarder"
    schedule:
      interval: "daily"
+    cooldown:
+      default-days: 7
    ignore:
    # rust-vmm repos might cause incompatibilities on patch versions, so
    # lets handle them manually for now.
@@ -85,8 +87,12 @@ updates:
      - "src/tools/csi-kata-directvolume"
    schedule:
      interval: "daily"
+    cooldown:
+      default-days: 7

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
+    cooldown:
+      default-days: 7
--- a/.github/workflows/build-checks.yaml
+++ b/.github/workflows/build-checks.yaml
@@ -7,7 +7,6 @@ on:

 permissions: {}

-
 name: Build checks
 jobs:
  check:
@@ -74,7 +73,10 @@ jobs:
              - rust
              - protobuf-compiler
        instance:
-          - ${{ inputs.instance }} 
+          - ${{ inputs.instance }}
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.component.name }}-${{ matrix.command }}
+      cancel-in-progress: true

    steps:
      - name: Adjust a permission for repo
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -65,6 +65,9 @@ jobs:
        exclude:
          - asset: cloud-hypervisor-glibc
            stage: release
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.asset }}
+      cancel-in-progress: true
    env:
      PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
    steps:
@@ -172,6 +175,9 @@ jobs:
          - rootfs-initrd-confidential
          - rootfs-initrd-nvidia-gpu
          - rootfs-initrd-nvidia-gpu-confidential
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
@@ -240,6 +246,9 @@ jobs:
          - kernel-nvidia-gpu-modules
          - kernel-nvidia-gpu-confidential-modules
          - pause-image
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
        with:
@@ -254,6 +263,9 @@ jobs:
      matrix:
        asset:
          - agent
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
        if: ${{ inputs.stage == 'release' }}
@@ -377,6 +389,9 @@ jobs:
          - trace-forwarder
        stage:
          - ${{ inputs.stage }}
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -52,6 +52,9 @@ jobs:
          - ovmf
          - qemu
          - virtiofsd
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.asset }}
+      cancel-in-progress: true
    env:
      PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
    steps:
@@ -153,6 +156,9 @@ jobs:
          - rootfs-image-nvidia-gpu
          - rootfs-initrd
          - rootfs-initrd-nvidia-gpu
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
@@ -217,6 +223,9 @@ jobs:
        asset:
          - busybox
          - kernel-nvidia-gpu-modules
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
        with:
--- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml
+++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
@@ -42,6 +42,9 @@ jobs:
          - virtiofsd
        stage:
          - ${{ inputs.stage }}
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
@@ -100,6 +103,9 @@ jobs:
          - rootfs-initrd
        stage:
          - ${{ inputs.stage }}
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
--- a/.github/workflows/build-kata-static-tarball-riscv64.yaml
+++ b/.github/workflows/build-kata-static-tarball-riscv64.yaml
@@ -37,6 +37,9 @@ jobs:
        asset:
          - kernel
          - virtiofsd
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@@ -48,6 +48,9 @@ jobs:
          - pause-image
          - qemu
          - virtiofsd
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.asset }}
+      cancel-in-progress: true
    env:
      PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
    steps:
@@ -135,6 +138,9 @@ jobs:
          - rootfs-image-confidential
          - rootfs-initrd
          - rootfs-initrd-confidential
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
@@ -249,6 +255,9 @@ jobs:
          - agent
          - coco-guest-components
          - pause-image
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
        if: ${{ inputs.stage == 'release' }}
--- a/.github/workflows/cleanup-resources.yaml
+++ b/.github/workflows/cleanup-resources.yaml
@@ -4,6 +4,10 @@ on:
    - cron: "0 0 * * *"
  workflow_dispatch:

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}

 jobs:
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,6 +19,10 @@ on:
  schedule:
    - cron: '45 0 * * 1'

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}


@@ -72,7 +76,7 @@ jobs:

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
      with:
        languages: ${{ matrix.language }}
        build-mode: ${{ matrix.build-mode }}
@@ -95,6 +99,6 @@ jobs:
        make -C src/runtime

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
      with:
        category: "/language:${{matrix.language}}"
--- a/.github/workflows/docs-url-alive-check.yaml
+++ b/.github/workflows/docs-url-alive-check.yaml
@@ -3,6 +3,10 @@ on:
    - cron:  '0 23 * * 0'
  workflow_dispatch:

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}

 name: Docs URL Alive Check
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -3,6 +3,11 @@ on:
  push:
    branches:
      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}
 jobs:
  deploy-docs:
@@ -16,17 +21,17 @@ jobs:
      url: ${{ steps.deployment.outputs.page_url }}
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/configure-pages@v5
-      - uses: actions/checkout@v5
+      - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: 3.x
      - run: pip install zensical
      - run: zensical build --clean
-      - uses: actions/upload-pages-artifact@v4
+      - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
        with:
          path: site
-      - uses: actions/deploy-pages@v4
+      - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
        id: deployment
--- a/.github/workflows/gatekeeper-skipper.yaml
+++ b/.github/workflows/gatekeeper-skipper.yaml
@@ -31,6 +31,10 @@ on:
      skip_static:
        value: ${{ jobs.skipper.outputs.skip_static }}

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}

 jobs:
--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@@ -3,6 +3,10 @@ on:

 name: Govulncheck

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}

 jobs:
--- a/.github/workflows/publish-kata-deploy-payload.yaml
+++ b/.github/workflows/publish-kata-deploy-payload.yaml
@@ -34,6 +34,10 @@ on:
      QUAY_DEPLOYER_PASSWORD:
        required: true

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ inputs.arch }}
+  cancel-in-progress: true
+
 permissions: {}

 jobs:
--- a/.github/workflows/release-amd64.yaml
+++ b/.github/workflows/release-amd64.yaml
@@ -11,6 +11,10 @@ on:
      KBUILD_SIGN_PIN:
        required: true

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results
+
 permissions: {}

 jobs:
--- a/.github/workflows/release-arm64.yaml
+++ b/.github/workflows/release-arm64.yaml
@@ -11,6 +11,10 @@ on:
      KBUILD_SIGN_PIN:
        required: true

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results
+
 permissions: {}

 jobs:
--- a/.github/workflows/release-ppc64le.yaml
+++ b/.github/workflows/release-ppc64le.yaml
@@ -9,6 +9,10 @@ on:
      QUAY_DEPLOYER_PASSWORD:
        required: true

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results
+
 permissions: {}

 jobs:
--- a/.github/workflows/release-s390x.yaml
+++ b/.github/workflows/release-s390x.yaml
@@ -10,6 +10,9 @@ on:
        required: true
      QUAY_DEPLOYER_PASSWORD:
        required: true
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results

 permissions: {}

--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -2,6 +2,10 @@ name: Release Kata Containers
 on:
  workflow_dispatch

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results
+
 permissions: {}

 jobs:
--- a/.github/workflows/run-cri-containerd-tests.yaml
+++ b/.github/workflows/run-cri-containerd-tests.yaml
@@ -1,5 +1,9 @@
 name: CI | Run cri-containerd tests

+concurrency:
+  group:  ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}

 on:
@@ -35,8 +39,6 @@ on:
 jobs:
  run-cri-containerd:
    name: run-cri-containerd-${{ inputs.arch }} (${{ inputs.containerd_version }}, ${{ inputs.vmm }})
-    strategy:
-      fail-fast: false
    runs-on: ${{ inputs.runner }}
    env:
      CONTAINERD_VERSION: ${{ inputs.containerd_version }}
--- a/.github/workflows/run-k8s-tests-on-aks.yaml
+++ b/.github/workflows/run-k8s-tests-on-aks.yaml
@@ -65,6 +65,9 @@ jobs:
          - host_os: cbl-mariner
            vmm: clh
            instance-type: normal
+    concurrency:
+      group:  ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.vmm }}-${{ matrix.host_os }}-${{ matrix.instance-type }}
+      cancel-in-progress: true
    runs-on: ubuntu-22.04
    permissions:
      contents: read
--- a/.github/workflows/run-k8s-tests-on-arm64.yaml
+++ b/.github/workflows/run-k8s-tests-on-arm64.yaml
@@ -35,6 +35,9 @@ jobs:
          - qemu-runtime-rs
        k8s:
          - kubeadm
+    concurrency:
+      group:  ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.vmm }}
+      cancel-in-progress: true
    runs-on: arm64-k8s
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
--- a/.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
+++ b/.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
@@ -40,6 +40,9 @@ jobs:
          { name: nvidia-gpu,     vmm: qemu-nvidia-gpu,     runner: amd64-nvidia-a100 },
          { name: nvidia-gpu-snp, vmm: qemu-nvidia-gpu-snp, runner: amd64-nvidia-h100-snp },
        ]
+    concurrency:
+      group:  ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.environment.vmm }}
+      cancel-in-progress: true
    runs-on: ${{ matrix.environment.runner }}
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
--- a/.github/workflows/run-k8s-tests-on-ppc64le.yaml
+++ b/.github/workflows/run-k8s-tests-on-ppc64le.yaml
@@ -34,6 +34,9 @@ jobs:
          - qemu
        k8s:
          - kubeadm
+    concurrency:
+      group:  ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.vmm }}
+      cancel-in-progress: true
    runs-on: ppc64le-k8s
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
--- a/.github/workflows/run-k8s-tests-on-zvsi.yaml
+++ b/.github/workflows/run-k8s-tests-on-zvsi.yaml
@@ -63,6 +63,9 @@ jobs:
            vmm: qemu
          - snapshotter: nydus
            vmm: qemu-runtime-rs
+    concurrency:
+      group:  ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.vmm}}-${{ matrix.snapshotter}}
+      cancel-in-progress: true
    runs-on: s390x-large
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
--- a/.github/workflows/run-kata-coco-stability-tests.yaml
+++ b/.github/workflows/run-kata-coco-stability-tests.yaml
@@ -51,6 +51,9 @@ jobs:
          - nydus
        pull-type:
          - guest-pull
+    concurrency:
+      group:  ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.vmm}}-${{ matrix.snapshotter}}
+      cancel-in-progress: true
    runs-on: ubuntu-22.04
    permissions:

--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -49,6 +49,9 @@ jobs:
            vmm: qemu-tdx
          - runner: sev-snp
            vmm: qemu-snp
+    concurrency:
+      group:  ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.vmm }}
+      cancel-in-progress: true
    runs-on: ${{ matrix.runner }}
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
@@ -151,6 +154,9 @@ jobs:
          - pull-type: experimental-force-guest-pull
            vmm: qemu-coco-dev
            snapshotter: ""
+    concurrency:
+      group:  ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.vmm }}-${{ matrix.snapshotter }}
+      cancel-in-progress: true
    runs-on: ubuntu-22.04
    permissions:
      id-token: write # Used for OIDC access to log into Azure
@@ -277,6 +283,9 @@ jobs:
          - erofs
        pull-type:
          - default
+    concurrency:
+      group:  ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-erofs
+      cancel-in-progress: true
    runs-on: ubuntu-24.04
    environment: ci
    env:
--- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml
+++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml
@@ -47,6 +47,9 @@ jobs:
        include:
          - host_os: cbl-mariner
            vmm: clh
+    concurrency:
+      group:  ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.vmm }}-${{ matrix.host_os }}
+      cancel-in-progress: true
    runs-on: ubuntu-22.04
    environment: ci
    permissions:
--- a/.github/workflows/run-kata-deploy-tests.yaml
+++ b/.github/workflows/run-kata-deploy-tests.yaml
@@ -37,6 +37,9 @@ jobs:
          - k3s
          - rke2
          - microk8s
+    concurrency:
+      group:  ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.vmm }}-${{ matrix.k8s }}
+      cancel-in-progress: true
    runs-on: ubuntu-22.04
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
--- a/.github/workflows/run-kata-monitor-tests.yaml
+++ b/.github/workflows/run-kata-monitor-tests.yaml
@@ -34,6 +34,9 @@ jobs:
          # TODO: enable with containerd when https://github.com/kata-containers/kata-containers/issues/9761 is fixed
          - container_engine: containerd
            vmm: qemu
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.container_engine}}-${{ matrix.vmm }}
+      cancel-in-progress: true
    runs-on: ubuntu-22.04
    env:
      CONTAINER_ENGINE: ${{ matrix.container_engine }}
--- a/.github/workflows/run-metrics.yaml
+++ b/.github/workflows/run-metrics.yaml
@@ -22,6 +22,10 @@ on:
        type: string
        default: ""

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}

 jobs:
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -11,6 +11,10 @@ on:
    branches: [ "main" ]
  workflow_dispatch:

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}

 jobs:
@@ -55,6 +59,6 @@ jobs:
      # Upload the results to GitHub's code scanning dashboard (optional).
      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
        with:
          sarif_file: results.sarif
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -26,4 +26,4 @@ jobs:
          advanced-security: false
          annotations: true
          persona: auditor
-          version: v1.13.0
+          version: v1.20.0
--- a/src/runtime/pkg/govmm/.github/workflows/main.yml
+++ b/src/runtime/pkg/govmm/.github/workflows/main.yml
@@ -1,6 +1,10 @@
 on: ["pull_request"]
 name: Unit tests

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions:
  contents: read

@@ -14,11 +18,11 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
        with:
          go-version: ${{ matrix.go-version }}
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: golangci-lint
Author	SHA1	Message	Date
stevenhorsman	99974d18c5	static-build-concurrencies	2026-02-04 16:53:24 +00:00
stevenhorsman	6c618744cc	!fixup: Next batch of concurrency limits	2026-02-04 16:53:24 +00:00
stevenhorsman	a3a01eb956	WIP: workflows: Add concurrency limits It is good practice to add concurrency limits to automatically cancel jobs that have been superceded and potentially stop race conditions if we try and get artifacts by workflows and job id rather than run id. See https://docs.zizmor.sh/audits/#concurrency-limits Signed-off-by: stevenhorsman <steven@uk.ibm.com>	2026-02-04 15:37:18 +00:00
stevenhorsman	c3e10dc961	workflows: Bump zizmor to latest Bump zizmor to the latest version to pick up new rule updates. Signed-off-by: stevenhorsman <steven@uk.ibm.com>	2026-02-04 15:37:18 +00:00
stevenhorsman	a4036ef58d	workflows: Pin all actions Previously zizmor only mandated pinning of third-party actions, but has recommended rolling this out to all actions now. Signed-off-by: stevenhorsman <steven@uk.ibm.com>	2026-02-04 15:37:18 +00:00
stevenhorsman	e8cf5e8137	workflows: Remove unneeded strategy In a refactor we've remove the `matrix` section of this strategy, so the whole section isn't needed any more, so clean this up. Signed-off-by: stevenhorsman <steven@uk.ibm.com>	2026-02-04 15:37:18 +00:00
stevenhorsman	b89a8b6c2c	dependabot: Add cooldown It's good practice to get dependabot to wait after a release before bumping to avoid it bumping to a release done seconds before, which could have supply-chain security implications, so add a 7 day cooldown to help with this. See https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns Signed-off-by: stevenhorsman <steven@uk.ibm.com>	2026-02-04 15:37:18 +00:00