workflow: Fix commented version

Expand the commented version to show the minor and fix so that zizmor and dependabot can work with them better
workflows: Add timeouts
2026-03-17 10:12:24 +00:00 · 2026-03-09 16:30:14 +00:00 · 2026-03-09 16:30:14 +00:00 · 2026-03-09 16:30:14 +00:00 · 2026-03-09 16:30:14 +00:00 · 2026-03-09 16:30:14 +00:00
46 changed files with 257 additions and 24 deletions
--- a/.github/workflows/basic-ci-amd64.yaml
+++ b/.github/workflows/basic-ci-amd64.yaml
@@ -15,6 +15,10 @@ on:

 permissions: {}

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-basic-amd64
+  cancel-in-progress: true
+
 jobs:
  run-containerd-sandboxapi:
    name: run-containerd-sandboxapi
@@ -26,6 +30,9 @@ jobs:
      matrix:
        containerd_version: ['active']
        vmm: ['dragonball', 'cloud-hypervisor', 'qemu-runtime-rs']
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-amd64-${{ matrix.vmm}}-${{ matrix.containerd_version}}
+      cancel-in-progress: true
    # TODO: enable me when https://github.com/containerd/containerd/issues/11640 is fixed
    if: false
    runs-on: ubuntu-22.04
@@ -89,6 +96,9 @@ jobs:
      matrix:
        containerd_version: ['lts', 'active']
        vmm: ['clh', 'cloud-hypervisor', 'dragonball', 'qemu', 'qemu-runtime-rs']
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-amd64-${{ matrix.vmm}}-${{ matrix.containerd_version}}
+      cancel-in-progress: true
    runs-on: ubuntu-22.04
    env:
      CONTAINERD_VERSION: ${{ matrix.containerd_version }}
@@ -135,6 +145,9 @@ jobs:
      matrix:
        containerd_version: ['lts', 'active']
        vmm: ['clh', 'qemu', 'dragonball', 'qemu-runtime-rs']
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-amd64-${{ matrix.vmm}}-${{ matrix.containerd_version}}
+      cancel-in-progress: true
    runs-on: ubuntu-22.04
    env:
      CONTAINERD_VERSION: ${{ matrix.containerd_version }}
@@ -188,6 +201,9 @@ jobs:
        vmm:
          - clh # cloud-hypervisor
          - qemu
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-amd64-${{ matrix.vmm}}
+      cancel-in-progress: true
    # TODO: enable me when https://github.com/kata-containers/kata-containers/issues/9763 is fixed
    # TODO: Transition to free runner (see #9940).
    if: false
@@ -233,6 +249,9 @@ jobs:
        vmm:
          - clh
          - qemu
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-amd64-${{ matrix.vmm}}
+      cancel-in-progress: true
    # TODO: enable with clh when https://github.com/kata-containers/kata-containers/issues/9764 is fixed
    # TODO: enable with qemu when https://github.com/kata-containers/kata-containers/issues/9851 is fixed
    # TODO: Transition to free runner (see #9940).
@@ -283,6 +302,9 @@ jobs:
          - qemu
          - cloud-hypervisor
          - qemu-runtime-rs
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-amd64-${{ matrix.vmm}}
+      cancel-in-progress: true
    runs-on: ubuntu-22.04
    env:
      KATA_HYPERVISOR: ${{ matrix.vmm }}
@@ -333,6 +355,7 @@ jobs:
  run-kata-agent-apis:
    name: run-kata-agent-apis
    runs-on: ubuntu-22.04
+    timeout-minutes: 20
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
--- a/.github/workflows/basic-ci-s390x.yaml
+++ b/.github/workflows/basic-ci-s390x.yaml
@@ -26,6 +26,9 @@ jobs:
      matrix:
        containerd_version: ['active']
        vmm: ['qemu-runtime-rs']
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-s390x-${{ matrix.vmm}}-${{ matrix.containerd_version}}
+      cancel-in-progress: true
    # TODO: enable me when https://github.com/containerd/containerd/issues/11640 is fixed
    if: false
    runs-on: s390x-large
@@ -89,6 +92,9 @@ jobs:
      matrix:
        containerd_version: ['lts', 'active']
        vmm: ['qemu']
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-s390x-${{ matrix.vmm}}-${{ matrix.containerd_version}}
+      cancel-in-progress: true
    runs-on: s390x-large
    env:
      CONTAINERD_VERSION: ${{ matrix.containerd_version }}
--- a/.github/workflows/build-checks-preview-riscv64.yaml
+++ b/.github/workflows/build-checks-preview-riscv64.yaml
@@ -63,7 +63,9 @@ jobs:
            path: src/runtime-rs
            needs:
              - rust
-
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${inputs.instance}-${{ matrix.component.name }}-${{ matrix.command }}
+      cancel-in-progress: true
    steps:
      - name: Adjust a permission for repo
        run: |
--- a/.github/workflows/build-checks.yaml
+++ b/.github/workflows/build-checks.yaml
@@ -7,11 +7,11 @@ on:

 permissions: {}

-
 name: Build checks
 jobs:
  check:
    name: check
+    timeout-minutes: 60
    runs-on: >-
      ${{
        ( contains(inputs.instance, 's390x') && matrix.component.name == 'runtime' ) && 's390x' ||
@@ -75,7 +75,9 @@ jobs:
              - protobuf-compiler
        instance:
          - ${{ inputs.instance }}
-
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${inputs.instance}-${{ matrix.component.name }}-${{ matrix.command }}
+      cancel-in-progress: true
    steps:
      - name: Adjust a permission for repo
        run: |
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -28,6 +28,10 @@ on:

 permissions: {}

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-tarball-amd64
+  cancel-in-progress: true
+
 jobs:
  build-asset:
    name: build-asset
@@ -63,6 +67,9 @@ jobs:
        exclude:
          - asset: cloud-hypervisor-glibc
            stage: release
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-amd64-${{ matrix.asset }}-${{ matrix.asset }}-${{ matrix.stage }}
+      cancel-in-progress: true
    env:
      PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
    steps:
@@ -170,6 +177,9 @@ jobs:
          - rootfs-initrd-confidential
          - rootfs-initrd-nvidia-gpu
          - rootfs-initrd-nvidia-gpu-confidential
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-amd64-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
@@ -237,6 +247,9 @@ jobs:
          - coco-guest-components
          - kernel-nvidia-gpu-modules
          - pause-image
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-amd64-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
        with:
@@ -251,6 +264,9 @@ jobs:
      matrix:
        asset:
          - agent
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
        if: ${{ inputs.stage == 'release' }}
@@ -322,6 +338,7 @@ jobs:
  create-kata-tarball:
    name: create-kata-tarball
    runs-on: ubuntu-22.04
+    timeout-minutes: 10
    needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
    permissions:
      contents: read
@@ -374,6 +391,9 @@ jobs:
          - trace-forwarder
        stage:
          - ${{ inputs.stage }}
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-amd64-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -28,6 +28,10 @@ on:

 permissions: {}

+concurrency:
+  group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-arm64
+  cancel-in-progress: true
+
 jobs:
  build-asset:
    name: build-asset
@@ -52,6 +56,9 @@ jobs:
          - ovmf
          - qemu
          - virtiofsd
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-arm64-${{ matrix.asset }}
+      cancel-in-progress: true
    env:
      PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
    steps:
@@ -153,6 +160,9 @@ jobs:
          - rootfs-image-nvidia-gpu
          - rootfs-initrd
          - rootfs-initrd-nvidia-gpu
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-arm-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
@@ -217,6 +227,9 @@ jobs:
        asset:
          - busybox
          - kernel-nvidia-gpu-modules
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-arm-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
        with:
@@ -300,6 +313,7 @@ jobs:
  create-kata-tarball:
    name: create-kata-tarball
    runs-on: ubuntu-24.04-arm
+    timeout-minutes: 10
    needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
    permissions:
      contents: read
--- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml
+++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
@@ -26,6 +26,10 @@ on:

 permissions: {}

+concurrency:
+  group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-ppc64le
+  cancel-in-progress: true
+
 jobs:
  build-asset:
    name: build-asset
@@ -42,6 +46,9 @@ jobs:
          - virtiofsd
        stage:
          - ${{ inputs.stage }}
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-ppc64le-${{ matrix.asset }}-${{ matrix.asset }}-${{ matrix.stage }}
+      cancel-in-progress: true
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
@@ -100,6 +107,9 @@ jobs:
          - rootfs-initrd
        stage:
          - ${{ inputs.stage }}
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-ppc64le-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
@@ -166,7 +176,7 @@ jobs:
      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
        if: ${{ inputs.stage == 'release' }}
        with:
-          name: kata-artifacts-ppc64le-${{ matrix.asset}}${{ inputs.tarball-suffix }}
+          name: kata-artifacts-ppc64le-${{ matrix.asset}}${{ inputs.tarball-suffix }}-ppc64le-${{ matrix.asset }}

  build-asset-shim-v2:
    name: build-asset-shim-v2
@@ -231,6 +241,7 @@ jobs:
  create-kata-tarball:
    name: create-kata-tarball
    runs-on: ubuntu-24.04-ppc64le
+    timeout-minutes: 10
    needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
    permissions:
      contents: read
--- a/.github/workflows/build-kata-static-tarball-riscv64.yaml
+++ b/.github/workflows/build-kata-static-tarball-riscv64.yaml
@@ -37,6 +37,9 @@ jobs:
        asset:
          - kernel
          - virtiofsd
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-riscv-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@@ -29,6 +29,10 @@ on:

 permissions: {}

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-tarball-s390x
+  cancel-in-progress: true
+
 jobs:
  build-asset:
    name: build-asset
@@ -47,6 +51,9 @@ jobs:
          - pause-image
          - qemu
          - virtiofsd
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-s390x-${{ matrix.asset }}
+      cancel-in-progress: true
    env:
      PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
    steps:
@@ -134,6 +141,9 @@ jobs:
          - rootfs-image-confidential
          - rootfs-initrd
          - rootfs-initrd-confidential
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-s390x-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
@@ -248,6 +258,9 @@ jobs:
          - agent
          - coco-guest-components
          - pause-image
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-s390x-${{ matrix.asset }}
+      cancel-in-progress: true
    steps:
      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
        if: ${{ inputs.stage == 'release' }}
@@ -319,6 +332,7 @@ jobs:
  create-kata-tarball:
    name: create-kata-tarball
    runs-on: ubuntu-24.04-s390x
+    timeout-minutes: 10
    needs:
      - build-asset
      - build-asset-rootfs
--- a/.github/workflows/build-kubectl-image.yaml
+++ b/.github/workflows/build-kubectl-image.yaml
@@ -15,6 +15,10 @@ on:

 permissions: {}

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-kubectl-image
+  cancel-in-progress: true
+
 env:
  REGISTRY: quay.io
  IMAGE_NAME: kata-containers/kubectl
--- a/.github/workflows/cargo-deny-runner.yaml
+++ b/.github/workflows/cargo-deny-runner.yaml
@@ -8,7 +8,7 @@ on:
      - synchronize

 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-cargo-deny
  cancel-in-progress: true

 permissions: {}
--- a/.github/workflows/ci-coco-stability.yaml
+++ b/.github/workflows/ci-coco-stability.yaml
@@ -6,7 +6,7 @@ on:
  workflow_dispatch:

 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-coco-stability
  cancel-in-progress: true

 permissions: {}
--- a/.github/workflows/ci-nightly-s390x.yaml
+++ b/.github/workflows/ci-nightly-s390x.yaml
@@ -6,6 +6,10 @@ name: Nightly CI for s390x

 permissions: {}

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-nightly-s390x
+  cancel-in-progress: true
+
 jobs:
  check-internal-test-result:
    name: check-internal-test-result
--- a/.github/workflows/ci-nightly.yaml
+++ b/.github/workflows/ci-nightly.yaml
@@ -4,7 +4,7 @@ on:
    - cron: '0 0 * * *'

 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-nightly
  cancel-in-progress: true

 permissions: {}
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@@ -16,7 +16,7 @@ on:
 permissions: {}

 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-on-push
  cancel-in-progress: true

 jobs:
--- a/.github/workflows/ci-weekly.yaml
+++ b/.github/workflows/ci-weekly.yaml
@@ -22,7 +22,7 @@ on:
      AZ_APPID:
        required: true
      AZ_TENANT_ID:
-       required: true
+        required: true
      AZ_SUBSCRIPTION_ID:
        required: true
      QUAY_DEPLOYER_PASSWORD:
@@ -32,6 +32,10 @@ on:

 permissions: {}

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-weekly
+  cancel-in-progress: true
+
 jobs:
  build-kata-static-tarball-amd64:
    permissions:
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -30,7 +30,7 @@ on:
      AZ_APPID:
        required: true
      AZ_TENANT_ID:
-       required: true
+        required: true
      AZ_SUBSCRIPTION_ID:
        required: true
      CI_HKD_PATH:
@@ -46,6 +46,10 @@ on:

 permissions: {}

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-ci
+  cancel-in-progress: true
+
 jobs:
  build-kata-static-tarball-amd64:
    permissions:
@@ -443,7 +447,10 @@ jobs:
          { containerd_version: active, vmm: qemu             },
          { containerd_version: active, vmm: cloud-hypervisor },
          { containerd_version: active, vmm: qemu-runtime-rs  },
-         ]
+        ]
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.params.vmm }}-${{ matrix.params.containerd_version}}
+      cancel-in-progress: true
    uses: ./.github/workflows/run-cri-containerd-tests.yaml
    with:
      tarball-suffix: -${{ inputs.tag }}
@@ -461,9 +468,12 @@ jobs:
      fail-fast: false
      matrix:
        params: [
-          { containerd_version: active, vmm: qemu            },
-          { containerd_version: active, vmm: qemu-runtime-rs },
-         ]
+          {containerd_version: active, vmm: qemu},
+          {containerd_version: active, vmm: qemu-runtime-rs},
+        ]
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.params.vmm}}-${{ matrix.params.containerd_version}}
+      cancel-in-progress: true
    uses: ./.github/workflows/run-cri-containerd-tests.yaml
    with:
      tarball-suffix: -${{ inputs.tag }}
@@ -481,8 +491,11 @@ jobs:
      fail-fast: false
      matrix:
        params: [
-          { containerd_version: active, vmm: qemu },
-         ]
+          {containerd_version: active, vmm: qemu},
+        ]
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-cri-tests-${{ matrix.params.vmm}}-${{ matrix.params.containerd_version}}
+      cancel-in-progress: true
    uses: ./.github/workflows/run-cri-containerd-tests.yaml
    with:
      tarball-suffix: -${{ inputs.tag }}
@@ -500,8 +513,11 @@ jobs:
      fail-fast: false
      matrix:
        params: [
-          { containerd_version: active, vmm: qemu },
-         ]
+          {containerd_version: active, vmm: qemu},
+        ]
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.params.vmm}}-${{ matrix.params.containerd_version}}
+      cancel-in-progress: true
    uses: ./.github/workflows/run-cri-containerd-tests.yaml
    with:
      tarball-suffix: -${{ inputs.tag }}
--- a/.github/workflows/cleanup-resources.yaml
+++ b/.github/workflows/cleanup-resources.yaml
@@ -4,6 +4,10 @@ on:
    - cron: "0 0 * * *"
  workflow_dispatch:

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}

 jobs:
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,6 +19,10 @@ on:
  schedule:
    - cron: '45 0 * * 1'

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}


--- a/.github/workflows/docs-url-alive-check.yaml
+++ b/.github/workflows/docs-url-alive-check.yaml
@@ -3,6 +3,10 @@ on:
    - cron:  '0 23 * * 0'
  workflow_dispatch:

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}

 name: Docs URL Alive Check
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -3,6 +3,11 @@ on:
  push:
    branches:
      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}
 jobs:
  deploy-docs:
--- a/.github/workflows/gatekeeper-skipper.yaml
+++ b/.github/workflows/gatekeeper-skipper.yaml
@@ -31,6 +31,10 @@ on:
      skip_static:
        value: ${{ jobs.skipper.outputs.skip_static }}

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-gatekeeper-skipper
+  cancel-in-progress: true
+
 permissions: {}

 jobs:
--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@@ -3,6 +3,10 @@ on:

 name: Govulncheck

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}

 jobs:
@@ -22,7 +26,7 @@ jobs:

    steps:
      - name: Checkout the code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          fetch-depth: 0
          persist-credentials: false
--- a/.github/workflows/publish-kata-deploy-payload.yaml
+++ b/.github/workflows/publish-kata-deploy-payload.yaml
@@ -34,6 +34,10 @@ on:
      QUAY_DEPLOYER_PASSWORD:
        required: true

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ inputs.arch }}-publish-deploy
+  cancel-in-progress: true
+
 permissions: {}

 jobs:
--- a/.github/workflows/push-oras-tarball-cache.yaml
+++ b/.github/workflows/push-oras-tarball-cache.yaml
@@ -12,6 +12,10 @@ on:

 permissions: {}

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
  push-oras-cache:
    name: push-oras-cache
--- a/.github/workflows/release-amd64.yaml
+++ b/.github/workflows/release-amd64.yaml
@@ -11,6 +11,10 @@ on:
      KBUILD_SIGN_PIN:
        required: true

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results
+
 permissions: {}

 jobs:
--- a/.github/workflows/release-arm64.yaml
+++ b/.github/workflows/release-arm64.yaml
@@ -11,6 +11,10 @@ on:
      KBUILD_SIGN_PIN:
        required: true

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results
+
 permissions: {}

 jobs:
--- a/.github/workflows/release-ppc64le.yaml
+++ b/.github/workflows/release-ppc64le.yaml
@@ -9,6 +9,10 @@ on:
      QUAY_DEPLOYER_PASSWORD:
        required: true

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results
+
 permissions: {}

 jobs:
--- a/.github/workflows/release-s390x.yaml
+++ b/.github/workflows/release-s390x.yaml
@@ -10,6 +10,9 @@ on:
        required: true
      QUAY_DEPLOYER_PASSWORD:
        required: true
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results

 permissions: {}

--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -2,6 +2,10 @@ name: Release Kata Containers
 on:
  workflow_dispatch

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results
+
 permissions: {}

 jobs:
--- a/.github/workflows/run-cri-containerd-tests.yaml
+++ b/.github/workflows/run-cri-containerd-tests.yaml
@@ -1,7 +1,5 @@
 name: CI | Run cri-containerd tests

-permissions: {}
-
 on:
  workflow_call:
    inputs:
@@ -32,6 +30,13 @@ on:
        required: true
        type: string

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-cri-tests
+  cancel-in-progress: true
+
+permissions: {}
+
+
 jobs:
  run-cri-containerd:
    name: run-cri-containerd-${{ inputs.arch }} (${{ inputs.containerd_version }}, ${{ inputs.vmm }})
--- a/.github/workflows/run-k8s-tests-on-aks.yaml
+++ b/.github/workflows/run-k8s-tests-on-aks.yaml
@@ -54,6 +54,9 @@ jobs:
          - host_os: cbl-mariner
            vmm: clh
            instance-type: normal
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.vmm }}-${{ matrix.host_os }}-${{ matrix.instance-type }}
+      cancel-in-progress: true
    runs-on: ubuntu-22.04
    permissions:
      contents: read
--- a/.github/workflows/run-k8s-tests-on-arm64.yaml
+++ b/.github/workflows/run-k8s-tests-on-arm64.yaml
@@ -35,6 +35,9 @@ jobs:
          - qemu-runtime-rs
        k8s:
          - kubeadm
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.vmm }}
+      cancel-in-progress: true
    runs-on: arm64-k8s
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
--- a/.github/workflows/run-k8s-tests-on-free-runner.yaml
+++ b/.github/workflows/run-k8s-tests-on-free-runner.yaml
@@ -47,6 +47,9 @@ jobs:
          { vmm: cloud-hypervisor, containerd_version: lts },
          { vmm: cloud-hypervisor, containerd_version: active },
        ]
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${matrix.environment.vmm}-${matrix.environment.containerd_version}
+      cancel-in-progress: true
    runs-on: ubuntu-24.04
    permissions:
      contents: read
@@ -124,4 +127,3 @@ jobs:
        if: always()
        timeout-minutes: 15
        run: bash tests/integration/kubernetes/gha-run.sh cleanup
-
--- a/.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
+++ b/.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
@@ -40,6 +40,9 @@ jobs:
          { name: nvidia-gpu,     vmm: qemu-nvidia-gpu,     runner: amd64-nvidia-a100 },
          { name: nvidia-gpu-snp, vmm: qemu-nvidia-gpu-snp, runner: amd64-nvidia-h100-snp },
        ]
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.environment.vmm }}
+      cancel-in-progress: true
    runs-on: ${{ matrix.environment.runner }}
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
--- a/.github/workflows/run-k8s-tests-on-ppc64le.yaml
+++ b/.github/workflows/run-k8s-tests-on-ppc64le.yaml
@@ -34,6 +34,9 @@ jobs:
          - qemu
        k8s:
          - kubeadm
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.vmm }}
+      cancel-in-progress: true
    runs-on: ppc64le-k8s
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
--- a/.github/workflows/run-k8s-tests-on-zvsi.yaml
+++ b/.github/workflows/run-k8s-tests-on-zvsi.yaml
@@ -63,6 +63,9 @@ jobs:
            vmm: qemu
          - snapshotter: nydus
            vmm: qemu-runtime-rs
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.vmm}}-${{ matrix.snapshotter}}
+      cancel-in-progress: true
    runs-on: s390x-large
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
--- a/.github/workflows/run-kata-coco-stability-tests.yaml
+++ b/.github/workflows/run-kata-coco-stability-tests.yaml
@@ -51,6 +51,9 @@ jobs:
          - nydus
        pull-type:
          - guest-pull
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.vmm}}-${{ matrix.snapshotter}}
+      cancel-in-progress: true
    runs-on: ubuntu-22.04
    permissions:

--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -34,7 +34,7 @@ on:
      AZ_APPID:
        required: true
      AZ_TENANT_ID:
-       required: true
+        required: true
      AZ_SUBSCRIPTION_ID:
        required: true
      ITA_KEY:
@@ -53,6 +53,9 @@ jobs:
            vmm: qemu-tdx
          - runner: sev-snp
            vmm: qemu-snp
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.vmm }}
+      cancel-in-progress: true
    runs-on: ${{ matrix.runner }}
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
@@ -149,6 +152,9 @@ jobs:
          { vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
          { vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
        ]
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.environment.vmm }}-${{ matrix.environment.snapshotter }}
+      cancel-in-progress: true
    runs-on: ubuntu-24.04
    permissions:
      contents: read
@@ -283,6 +289,9 @@ jobs:
          { k8s: microk8s, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
          { k8s: microk8s, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
        ]
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.environment.vmm }}-${{ matrix.environment.snapshotter }}
+      cancel-in-progress: true
    runs-on: ubuntu-24.04
    permissions:
      contents: read
@@ -404,6 +413,9 @@ jobs:
          - erofs
        pull-type:
          - default
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}
+      cancel-in-progress: true
    runs-on: ubuntu-24.04
    environment: ci
    env:
--- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml
+++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml
@@ -47,6 +47,9 @@ jobs:
        include:
          - host_os: cbl-mariner
            vmm: clh
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.vmm }}-${{ matrix.host_os }}
+      cancel-in-progress: true
    runs-on: ubuntu-22.04
    environment: ci
    permissions:
--- a/.github/workflows/run-kata-deploy-tests.yaml
+++ b/.github/workflows/run-kata-deploy-tests.yaml
@@ -37,6 +37,9 @@ jobs:
          - k3s
          - rke2
          - microk8s
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.vmm }}-${{ matrix.k8s }}
+      cancel-in-progress: true
    runs-on: ubuntu-22.04
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
--- a/.github/workflows/run-kata-monitor-tests.yaml
+++ b/.github/workflows/run-kata-monitor-tests.yaml
@@ -34,6 +34,9 @@ jobs:
          # TODO: enable with containerd when https://github.com/kata-containers/kata-containers/issues/9761 is fixed
          - container_engine: containerd
            vmm: qemu
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ matrix.container_engine}}-${{ matrix.vmm }}
+      cancel-in-progress: true
    runs-on: ubuntu-22.04
    env:
      CONTAINER_ENGINE: ${{ matrix.container_engine }}
--- a/.github/workflows/run-metrics.yaml
+++ b/.github/workflows/run-metrics.yaml
@@ -22,6 +22,10 @@ on:
        type: string
        default: ""

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-metrics
+  cancel-in-progress: true
+
 permissions: {}

 jobs:
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -11,6 +11,10 @@ on:
    branches: [ "main" ]
  workflow_dispatch:

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}

 jobs:
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -26,4 +26,4 @@ jobs:
          advanced-security: false
          annotations: true
          persona: auditor
-          version: v1.13.0
+          version: v1.22.0
--- a/src/runtime/pkg/govmm/.github/workflows/main.yml
+++ b/src/runtime/pkg/govmm/.github/workflows/main.yml
@@ -1,6 +1,10 @@
 on: ["pull_request"]
 name: Unit tests

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions:
  contents: read
Author	SHA1	Message	Date
stevenhorsman	02b258f79d	workflow: Fix commented version Expand the commented version to show the minor and fix so that zizmor and dependabot can work with them better	2026-03-09 16:30:14 +00:00
stevenhorsman	36d47f415c	workflows: Add timeouts Recently I've seen a couple of occasions where jobs have seemed to run infinitely. Add timeouts for these jobs to stop this from happening if things get into a bad state. Signed-off-by: stevenhorsman <steven@uk.ibm.com>	2026-03-09 16:30:14 +00:00
stevenhorsman	25f777abb5	workflows: Bump zizmor to latest Bump zizmor to the latest version to pick up new rule updates. Signed-off-by: stevenhorsman <steven@uk.ibm.com>	2026-03-09 16:30:14 +00:00
stevenhorsman	eea92c167c	workflow: Add group-suffix where needed When reusable workflows are called, the workflow seems to be transferred from the caller, so we need to differentiate by adding a suffix unique to these workflows Signed-off-by: stevenhorsman <steven@uk.ibm.com>	2026-03-09 16:30:14 +00:00
stevenhorsman	c5fd998eaf	!fixup: Add job scope to concurrency group	2026-03-09 16:30:14 +00:00
stevenhorsman	2f9af24c8d	WIP: other concurrnecy limtis	2026-03-09 16:30:14 +00:00
stevenhorsman	f3e0e42292	static-build-concurrencies	2026-03-09 16:30:14 +00:00
stevenhorsman	f3e706235c	!fixup: Next batch of concurrency limits	2026-03-09 16:30:14 +00:00
stevenhorsman	fc1de998bc	WIP: workflows: Add concurrency limits It is good practice to add concurrency limits to automatically cancel jobs that have been superceded and potentially stop race conditions if we try and get artifacts by workflows and job id rather than run id. See https://docs.zizmor.sh/audits/#concurrency-limits Signed-off-by: stevenhorsman <steven@uk.ibm.com>	2026-03-09 16:30:13 +00:00