Skip to content

Commit 39f9a66

Browse files
committed
Tighten CI workflow defaults
Three defensive additions to .github/workflows/ci.yml: - `permissions: contents: read` at the workflow level. Nothing in the workflow needs write access to the repo, and least-privilege defaults shrink the blast radius if any action ever turns out to be hostile. - A `concurrency` group keyed on the workflow and ref, cancelling in-progress runs only when triggered by a pull request. Stacked PR pushes no longer waste CI minutes on superseded matrices; pushes to master and the Saturday cron still run to completion. - `timeout-minutes: 20` on the test job. The suite finishes in well under that locally; the timeout guards against a hung runner (most likely on the ruby-head row) eating the GH Actions budget for six hours.
1 parent e88ab5a commit 39f9a66

1 file changed

Lines changed: 8 additions & 0 deletions

File tree

.github/workflows/ci.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,10 +12,18 @@ on:
1212
- cron: "0 18 * * 6" # Saturdays at 12pm CST
1313
workflow_dispatch:
1414

15+
permissions:
16+
contents: read
17+
18+
concurrency:
19+
group: ${{ github.workflow }}-${{ github.ref }}
20+
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
21+
1522
jobs:
1623
test:
1724
name: Ruby ${{ matrix.ruby-version }} / Active Record ${{ matrix.active-record.label }}
1825
runs-on: ubuntu-latest
26+
timeout-minutes: 20
1927
services:
2028
postgres:
2129
image: postgres:latest

0 commit comments

Comments
 (0)