workflows: Bump zizmor to latest

Bump zizmor to the latest version to pick up new rule updates.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>

.github/workflows/basic-ci-amd64.yaml

@@ -15,6 +15,10 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-basic-amd64
+  cancel-in-progress: true
+
 jobs:
   run-containerd-sandboxapi:
     name: run-containerd-sandboxapi
@@ -26,6 +30,9 @@ jobs:
       matrix:
         containerd_version: ['active']
         vmm: ['dragonball', 'cloud-hypervisor', 'qemu-runtime-rs']
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-sandboxapi-amd64-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     # TODO: enable me when https://github.com/containerd/containerd/issues/11640 is fixed
     if: false
     runs-on: ubuntu-22.04
@@ -89,6 +96,9 @@ jobs:
       matrix:
         containerd_version: ['lts', 'active']
         vmm: ['clh', 'cloud-hypervisor', 'dragonball', 'qemu', 'qemu-runtime-rs']
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-run-containerd-stability-amd64-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     runs-on: ubuntu-22.04
     env:
       CONTAINERD_VERSION: ${{ matrix.containerd_version }}
@@ -135,6 +145,9 @@ jobs:
       matrix:
         containerd_version: ['lts', 'active']
         vmm: ['clh', 'qemu', 'dragonball', 'qemu-runtime-rs']
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-run-nydus-amd64-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     runs-on: ubuntu-22.04
     env:
       CONTAINERD_VERSION: ${{ matrix.containerd_version }}
@@ -188,6 +201,9 @@ jobs:
         vmm:
           - clh # cloud-hypervisor
           - qemu
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-tracing-amd64-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     # TODO: enable me when https://github.com/kata-containers/kata-containers/issues/9763 is fixed
     # TODO: Transition to free runner (see #9940).
     if: false
@@ -233,6 +249,9 @@ jobs:
         vmm:
           - clh
           - qemu
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-vfio-amd64-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     # TODO: enable with clh when https://github.com/kata-containers/kata-containers/issues/9764 is fixed
     # TODO: enable with qemu when https://github.com/kata-containers/kata-containers/issues/9851 is fixed
     # TODO: Transition to free runner (see #9940).
@@ -283,6 +302,9 @@ jobs:
           - qemu
           - cloud-hypervisor
           - qemu-runtime-rs
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-nerdctl-amd64-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     runs-on: ubuntu-22.04
     env:
       KATA_HYPERVISOR: ${{ matrix.vmm }}
@@ -333,6 +355,10 @@ jobs:
   run-kata-agent-apis:
     name: run-kata-agent-apis
     runs-on: ubuntu-22.04
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-agent-api-amd64
+      cancel-in-progress: true
+    timeout-minutes: 30
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

.github/workflows/basic-ci-s390x.yaml

@@ -13,6 +13,10 @@ on:
         type: string
         default: ""
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-s390x
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:
@@ -26,6 +30,9 @@ jobs:
       matrix:
         containerd_version: ['active']
         vmm: ['qemu-runtime-rs']
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-s390x-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     # TODO: enable me when https://github.com/containerd/containerd/issues/11640 is fixed
     if: false
     runs-on: s390x-large
@@ -89,6 +96,9 @@ jobs:
       matrix:
         containerd_version: ['lts', 'active']
         vmm: ['qemu']
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-s390x-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     runs-on: s390x-large
     env:
       CONTAINERD_VERSION: ${{ matrix.containerd_version }}

.github/workflows/build-checks-preview-riscv64.yaml

@@ -12,6 +12,10 @@ on:
         required: true
         type: string
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-riscv64
+  cancel-in-progress: true
+
 permissions: {}
 
 name: Build checks preview riscv64
@@ -63,7 +67,9 @@ jobs:
             path: src/runtime-rs
             needs:
               - rust
-
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ inputs.instance }}-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     steps:
       - name: Adjust a permission for repo
         run: |

.github/workflows/build-checks.yaml

@@ -5,13 +5,17 @@ on:
         required: true
         type: string
 
-permissions: {}
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-build-checks
+  cancel-in-progress: true
 
+permissions: {}
 
 name: Build checks
 jobs:
   check:
     name: check
+    timeout-minutes: 60
     runs-on: >-
       ${{
         ( contains(inputs.instance, 's390x') && matrix.component.name == 'runtime' ) && 's390x' ||
@@ -75,7 +79,9 @@ jobs:
               - protobuf-compiler
         instance:
           - ${{ inputs.instance }}
-
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ inputs.instance }}-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     steps:
       - name: Adjust a permission for repo
         run: |

.github/workflows/build-kata-static-tarball-amd64.yaml

@@ -28,6 +28,10 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-tarball-amd64
+  cancel-in-progress: true
+
 jobs:
   build-asset:
     name: build-asset
@@ -64,6 +68,9 @@ jobs:
         exclude:
           - asset: cloud-hypervisor-glibc
             stage: release
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-amd64-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     env:
       PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
     steps:
@@ -169,6 +176,9 @@ jobs:
           - rootfs-image-nvidia-gpu-confidential
           - rootfs-initrd
           - rootfs-initrd-confidential
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-amd64-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     steps:
       - name: Login to Kata Containers quay.io
         if: ${{ inputs.push-to-registry == 'yes' }}
@@ -236,6 +246,9 @@ jobs:
           - coco-guest-components
           - kernel-nvidia-gpu-modules
           - pause-image
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-amd64-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     steps:
       - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
         with:
@@ -250,6 +263,9 @@ jobs:
       matrix:
         asset:
           - agent
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     steps:
       - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
         if: ${{ inputs.stage == 'release' }}
@@ -321,6 +337,7 @@ jobs:
   create-kata-tarball:
     name: create-kata-tarball
     runs-on: ubuntu-22.04
+    timeout-minutes: 10
     needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
     permissions:
       contents: read
@@ -382,6 +399,9 @@ jobs:
           - trace-forwarder
         stage:
           - ${{ inputs.stage }}
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-amd64-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     steps:
       - name: Login to Kata Containers quay.io
         if: ${{ inputs.push-to-registry == 'yes' }}

.github/workflows/build-kata-static-tarball-arm64.yaml

@@ -28,6 +28,10 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-arm64
+  cancel-in-progress: true
+
 jobs:
   build-asset:
     name: build-asset
@@ -53,6 +57,9 @@ jobs:
           - ovmf
           - qemu
           - virtiofsd
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-arm64-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     env:
       PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
     steps:
@@ -153,6 +160,9 @@ jobs:
           - rootfs-image
           - rootfs-image-nvidia-gpu
           - rootfs-initrd
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-arm-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     steps:
       - name: Login to Kata Containers quay.io
         if: ${{ inputs.push-to-registry == 'yes' }}
@@ -217,6 +227,9 @@ jobs:
         asset:
           - busybox
           - kernel-nvidia-gpu-modules
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-arm-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     steps:
       - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
         with:
@@ -300,6 +313,7 @@ jobs:
   create-kata-tarball:
     name: create-kata-tarball
     runs-on: ubuntu-24.04-arm
+    timeout-minutes: 10
     needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
     permissions:
       contents: read

.github/workflows/build-kata-static-tarball-ppc64le.yaml

@@ -26,6 +26,10 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-ppc64le
+  cancel-in-progress: true
+
 jobs:
   build-asset:
     name: build-asset
@@ -42,6 +46,9 @@ jobs:
           - virtiofsd
         stage:
           - ${{ inputs.stage }}
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-ppc64le-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     steps:
       - name: Login to Kata Containers quay.io
         if: ${{ inputs.push-to-registry == 'yes' }}
@@ -100,6 +107,9 @@ jobs:
           - rootfs-initrd
         stage:
           - ${{ inputs.stage }}
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-ppc64le-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     steps:
       - name: Login to Kata Containers quay.io
         if: ${{ inputs.push-to-registry == 'yes' }}
@@ -162,6 +172,9 @@ jobs:
       matrix:
         asset:
           - agent
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-ppc64le-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     steps:
       - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
         if: ${{ inputs.stage == 'release' }}
@@ -231,6 +244,7 @@ jobs:
   create-kata-tarball:
     name: create-kata-tarball
     runs-on: ubuntu-24.04-ppc64le
+    timeout-minutes: 10
     needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
     permissions:
       contents: read

.github/workflows/build-kata-static-tarball-riscv64.yaml

@@ -21,6 +21,10 @@ on:
         type: string
         default: ""
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-tarball-riscv64
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:
@@ -37,6 +41,9 @@ jobs:
         asset:
           - kernel
           - virtiofsd
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-riscv-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

.github/workflows/build-kata-static-tarball-s390x.yaml

@@ -29,6 +29,10 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-tarball-s390x
+  cancel-in-progress: true
+
 jobs:
   build-asset:
     name: build-asset
@@ -47,6 +51,9 @@ jobs:
           - pause-image
           - qemu
           - virtiofsd
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-s390x-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     env:
       PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
     steps:
@@ -134,6 +141,9 @@ jobs:
           - rootfs-image-confidential
           - rootfs-initrd
           - rootfs-initrd-confidential
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-s390x-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     steps:
       - name: Login to Kata Containers quay.io
         if: ${{ inputs.push-to-registry == 'yes' }}
@@ -248,6 +258,9 @@ jobs:
           - agent
           - coco-guest-components
           - pause-image
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-s390x-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     steps:
       - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
         if: ${{ inputs.stage == 'release' }}
@@ -319,6 +332,7 @@ jobs:
   create-kata-tarball:
     name: create-kata-tarball
     runs-on: ubuntu-24.04-s390x
+    timeout-minutes: 10
     needs:
       - build-asset
       - build-asset-rootfs

.github/workflows/build-kubectl-image.yaml

@@ -15,6 +15,10 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-kubectl-image
+  cancel-in-progress: true
+
 env:
   REGISTRY: quay.io
   IMAGE_NAME: kata-containers/kubectl

.github/workflows/ci-devel.yaml

@@ -2,6 +2,10 @@ name: Kata Containers CI (manually triggered)
 on:
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-devel
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:

.github/workflows/ci-nightly-s390x.yaml

@@ -6,6 +6,10 @@ name: Nightly CI for s390x
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-nightly-s390x
+  cancel-in-progress: true
+
 jobs:
   check-internal-test-result:
     name: check-internal-test-result

.github/workflows/ci-weekly.yaml

@@ -22,7 +22,7 @@ on:
       AZ_APPID:
         required: true
       AZ_TENANT_ID:
-       required: true
+        required: true
       AZ_SUBSCRIPTION_ID:
         required: true
       QUAY_DEPLOYER_PASSWORD:
@@ -32,6 +32,10 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-weekly
+  cancel-in-progress: true
+
 jobs:
   build-kata-static-tarball-amd64:
     permissions:

.github/workflows/ci.yaml

@@ -30,7 +30,7 @@ on:
       AZ_APPID:
         required: true
       AZ_TENANT_ID:
-       required: true
+        required: true
       AZ_SUBSCRIPTION_ID:
         required: true
       CI_HKD_PATH:
@@ -46,6 +46,10 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-ci
+  cancel-in-progress: true
+
 jobs:
   build-kata-static-tarball-amd64:
     permissions:
@@ -370,7 +374,7 @@ jobs:
       commit-hash: ${{ inputs.commit-hash }}
       target-branch: ${{ inputs.target-branch }}
 
-  run-cri-containerd-amd64:
+  run-cri-containerd-tests-amd64:
     if: ${{ inputs.skip-test != 'yes' }}
     needs: build-kata-static-tarball-amd64
     strategy:
@@ -387,7 +391,10 @@ jobs:
           { containerd_version: active, vmm: qemu             },
           { containerd_version: active, vmm: cloud-hypervisor },
           { containerd_version: active, vmm: qemu-runtime-rs  },
-         ]
+        ]
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-cri-amd64-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     uses: ./.github/workflows/run-cri-containerd-tests.yaml
     with:
       tarball-suffix: -${{ inputs.tag }}
@@ -398,16 +405,19 @@ jobs:
       containerd_version: ${{ matrix.params.containerd_version }}
       vmm: ${{ matrix.params.vmm }}
 
-  run-cri-containerd-s390x:
+  run-cri-containerd-tests-s390x:
     if: ${{ inputs.skip-test != 'yes' }}
     needs: build-kata-static-tarball-s390x
     strategy:
       fail-fast: false
       matrix:
         params: [
-          { containerd_version: active, vmm: qemu            },
-          { containerd_version: active, vmm: qemu-runtime-rs },
-         ]
+          {containerd_version: active, vmm: qemu},
+          {containerd_version: active, vmm: qemu-runtime-rs},
+        ]
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     uses: ./.github/workflows/run-cri-containerd-tests.yaml
     with:
       tarball-suffix: -${{ inputs.tag }}
@@ -425,8 +435,11 @@ jobs:
       fail-fast: false
       matrix:
         params: [
-          { containerd_version: active, vmm: qemu },
-         ]
+          {containerd_version: active, vmm: qemu},
+        ]
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-cri-ppc64le-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     uses: ./.github/workflows/run-cri-containerd-tests.yaml
     with:
       tarball-suffix: -${{ inputs.tag }}
@@ -444,8 +457,11 @@ jobs:
       fail-fast: false
       matrix:
         params: [
-          { containerd_version: active, vmm: qemu },
-         ]
+          {containerd_version: active, vmm: qemu},
+        ]
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-cri-arm64-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     uses: ./.github/workflows/run-cri-containerd-tests.yaml
     with:
       tarball-suffix: -${{ inputs.tag }}

.github/workflows/cleanup-resources.yaml

@@ -4,6 +4,10 @@ on:
     - cron: "0 0 * * *"
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:

.github/workflows/codeql.yml

@@ -19,6 +19,10 @@ on:
   schedule:
     - cron: '45 0 * * 1'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}
 
 

.github/workflows/docs-url-alive-check.yaml

@@ -3,6 +3,10 @@ on:
     - cron:  '0 23 * * 0'
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}
 
 name: Docs URL Alive Check

.github/workflows/docs.yaml

@@ -3,7 +3,9 @@ on:
   push:
     branches:
       - main
+
 permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true

.github/workflows/gatekeeper-skipper.yaml

@@ -31,6 +31,10 @@ on:
       skip_static:
         value: ${{ jobs.skipper.outputs.skip_static }}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-gatekeeper-skipper
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:

.github/workflows/govulncheck.yaml

@@ -3,6 +3,10 @@ on:
 
 name: Govulncheck
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:
@@ -22,7 +26,7 @@ jobs:
 
     steps:
       - name: Checkout the code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           fetch-depth: 0
           persist-credentials: false

.github/workflows/osv-scanner.yaml

@@ -15,6 +15,10 @@ on:
   push:
     branches: [ "main" ]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-osv-scanner
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:

.github/workflows/publish-kata-deploy-payload.yaml

@@ -34,6 +34,10 @@ on:
       QUAY_DEPLOYER_PASSWORD:
         required: true
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ inputs.arch }}-publish-deploy
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:

.github/workflows/push-oras-tarball-cache.yaml

@@ -12,6 +12,10 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   push-oras-cache:
     name: push-oras-cache

.github/workflows/release-amd64.yaml

@@ -11,6 +11,10 @@ on:
       KBUILD_SIGN_PIN:
         required: true
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results
+
 permissions: {}
 
 jobs:

.github/workflows/release-arm64.yaml

@@ -11,6 +11,10 @@ on:
       KBUILD_SIGN_PIN:
         required: true
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results
+
 permissions: {}
 
 jobs:

.github/workflows/release-ppc64le.yaml

@@ -9,6 +9,10 @@ on:
       QUAY_DEPLOYER_PASSWORD:
         required: true
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results
+
 permissions: {}
 
 jobs:

.github/workflows/release-s390x.yaml

@@ -11,6 +11,10 @@ on:
       QUAY_DEPLOYER_PASSWORD:
         required: true
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results
+
 permissions: {}
 
 jobs:

.github/workflows/release.yaml

@@ -2,6 +2,10 @@ name: Release Kata Containers
 on:
   workflow_dispatch
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false # Note - don't cancel the in progress build as we could end up with inconsistent results
+
 permissions: {}
 
 jobs:

.github/workflows/run-cri-containerd-tests.yaml

@@ -1,7 +1,5 @@
 name: CI | Run cri-containerd tests
 
-permissions: {}
-
 on:
   workflow_call:
     inputs:
@@ -32,6 +30,12 @@ on:
         required: true
         type: string
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-cri-tests-${{ toJSON(inputs) }}
+  cancel-in-progress: true
+
+permissions: {}
+
 jobs:
   run-cri-containerd:
     name: run-cri-containerd-${{ inputs.arch }} (${{ inputs.containerd_version }}, ${{ inputs.vmm }})

.github/workflows/run-k8s-tests-on-aks.yaml

@@ -29,10 +29,13 @@ on:
       AZ_APPID:
         required: true
       AZ_TENANT_ID:
-       required: true
+        required: true
       AZ_SUBSCRIPTION_ID:
         required: true
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-aks
+  cancel-in-progress: true
 
 permissions: {}
 
@@ -54,6 +57,9 @@ jobs:
           - host_os: cbl-mariner
             vmm: clh
             instance-type: normal
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-run-k8s-tests-aks-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     runs-on: ubuntu-22.04
     permissions:
       contents: read

.github/workflows/run-k8s-tests-on-arm64.yaml

@@ -22,6 +22,10 @@ on:
         type: string
         default: ""
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-k8s-arm64
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:
@@ -35,6 +39,9 @@ jobs:
           - qemu-runtime-rs
         k8s:
           - kubeadm
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-arm64-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     runs-on: arm64-k8s
     env:
       DOCKER_REGISTRY: ${{ inputs.registry }}

.github/workflows/run-k8s-tests-on-free-runner.yaml

@@ -27,6 +27,10 @@ on:
         type: string
         default: ""
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-free-runner
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:
@@ -47,6 +51,9 @@ jobs:
           { vmm: cloud-hypervisor, containerd_version: lts },
           { vmm: cloud-hypervisor, containerd_version: active },
         ]
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-free-runner-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     runs-on: ubuntu-24.04
     permissions:
       contents: read
@@ -124,4 +131,3 @@ jobs:
         if: always()
         timeout-minutes: 15
         run: bash tests/integration/kubernetes/gha-run.sh cleanup
-

.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml

@@ -28,6 +28,10 @@ on:
       NGC_API_KEY:
         required: true
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-nvidia-gpu
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:
@@ -40,6 +44,9 @@ jobs:
           { name: nvidia-gpu,     vmm: qemu-nvidia-gpu,     runner: amd64-nvidia-a100 },
           { name: nvidia-gpu-snp, vmm: qemu-nvidia-gpu-snp, runner: amd64-nvidia-h100-snp },
         ]
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     runs-on: ${{ matrix.environment.runner }}
     env:
       DOCKER_REGISTRY: ${{ inputs.registry }}

.github/workflows/run-k8s-tests-on-ppc64le.yaml

@@ -22,6 +22,10 @@ on:
         type: string
         default: ""
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-ppc64le
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:
@@ -34,6 +38,9 @@ jobs:
           - qemu
         k8s:
           - kubeadm
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-ppc64le-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     runs-on: ppc64le-k8s
     env:
       DOCKER_REGISTRY: ${{ inputs.registry }}

.github/workflows/run-k8s-tests-on-zvsi.yaml

@@ -25,6 +25,10 @@ on:
       AUTHENTICATED_IMAGE_PASSWORD:
         required: true
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-zvsi
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:
@@ -63,6 +67,9 @@ jobs:
             vmm: qemu
           - snapshotter: nydus
             vmm: qemu-runtime-rs
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-zvsi-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     runs-on: s390x-large
     env:
       DOCKER_REGISTRY: ${{ inputs.registry }}

.github/workflows/run-kata-coco-stability-tests.yaml

@@ -29,12 +29,16 @@ on:
       AZ_APPID:
         required: true
       AZ_TENANT_ID:
-       required: true
+        required: true
       AZ_SUBSCRIPTION_ID:
         required: true
       AUTHENTICATED_IMAGE_PASSWORD:
         required: true
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-coco-stability
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:
@@ -51,6 +55,9 @@ jobs:
           - nydus
         pull-type:
           - guest-pull
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     runs-on: ubuntu-22.04
     permissions:
 

.github/workflows/run-kata-coco-tests.yaml

@@ -34,12 +34,16 @@ on:
       AZ_APPID:
         required: true
       AZ_TENANT_ID:
-       required: true
+        required: true
       AZ_SUBSCRIPTION_ID:
         required: true
       ITA_KEY:
         required: true
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-coco
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:
@@ -53,6 +57,9 @@ jobs:
             vmm: qemu-tdx
           - runner: sev-snp
             vmm: qemu-snp
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     runs-on: ${{ matrix.runner }}
     env:
       DOCKER_REGISTRY: ${{ inputs.registry }}
@@ -141,6 +148,9 @@ jobs:
           { vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
           { vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
         ]
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     runs-on: ubuntu-24.04
     permissions:
       contents: read
@@ -268,6 +278,9 @@ jobs:
           { k8s: microk8s, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
           { k8s: microk8s, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
         ]
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     runs-on: ubuntu-24.04
     permissions:
       contents: read
@@ -382,6 +395,9 @@ jobs:
           - erofs
         pull-type:
           - default
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}
+      cancel-in-progress: true
     runs-on: ubuntu-24.04
     environment:
       name: ci

.github/workflows/run-kata-deploy-tests-on-aks.yaml

@@ -25,10 +25,14 @@ on:
       AZ_APPID:
         required: true
       AZ_TENANT_ID:
-       required: true
+        required: true
       AZ_SUBSCRIPTION_ID:
         required: true
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-kata-deploy-aks
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:
@@ -47,6 +51,9 @@ jobs:
         include:
           - host_os: cbl-mariner
             vmm: clh
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     runs-on: ubuntu-22.04
     environment:
       name: ci

.github/workflows/run-kata-deploy-tests.yaml

@@ -22,6 +22,10 @@ on:
         type: string
         default: ""
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-kata-deploy
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:
@@ -37,6 +41,9 @@ jobs:
           - k3s
           - rke2
           - microk8s
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     runs-on: ubuntu-22.04
     env:
       DOCKER_REGISTRY: ${{ inputs.registry }}

.github/workflows/run-kata-monitor-tests.yaml

@@ -13,6 +13,10 @@ on:
         type: string
         default: ""
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-kata-monitor
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:
@@ -34,6 +38,9 @@ jobs:
           # TODO: enable with containerd when https://github.com/kata-containers/kata-containers/issues/9761 is fixed
           - container_engine: containerd
             vmm: qemu
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }}
+      cancel-in-progress: true
     runs-on: ubuntu-22.04
     env:
       CONTAINER_ENGINE: ${{ matrix.container_engine }}

.github/workflows/run-metrics.yaml

@@ -22,6 +22,10 @@ on:
         type: string
         default: ""
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-metrics
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:

.github/workflows/scorecard.yaml

@@ -11,6 +11,10 @@ on:
     branches: [ "main" ]
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:

.github/workflows/zizmor.yaml

@@ -26,4 +26,4 @@ jobs:
           advanced-security: false
           annotations: true
           persona: auditor
-          version: v1.13.0
+          version: v1.22.0

src/runtime/pkg/govmm/.github/workflows/main.yml

@@ -1,6 +1,10 @@
 on: ["pull_request"]
 name: Unit tests
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read