Commit 8fb1424

harden(ci): concurrency-cancel guard on canonical check workflows (#56)
Redistributes merged standards#122. Adds `concurrency{cancel-in-progress:true}` to read-only check workflows (scorecard.yml scorecard-enforcer.yml governance.yml codeql.yml secret-scanner.yml) and scopes affinescript-verify push where present. Zero check coverage lost; read-only workflows only.

🤖 estate sweep

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent e234d79 commit 8fb1424

5 files changed

Lines changed: 41 additions & 1 deletion


.github/workflows/codeql.yml

Lines changed: 8 additions & 0 deletions
@@ -9,6 +9,14 @@ on:
99
schedule:
1010
- cron: '0 6 * * 1'
1111

12+
# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
13+
# updates do not pile up queued runs against the shared account-wide
14+
# Actions concurrency pool. Applied only to read-only check workflows
15+
# (no publish/mutation), so cancelling a superseded run is always safe.
16+
concurrency:
17+
group: ${{ github.workflow }}-${{ github.ref }}
18+
cancel-in-progress: true
19+
1220
permissions:
1321
contents: read
1422
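Review bot: The key `group: ${{ github.workflow }}-${{ github.ref }}` is shared by every event on a ref, and the `schedule` trigger just above this block runs against the default branch, so the Monday cron scan and any other run on that branch land in one group and whichever starts second cancels the first. For a code-scanning workflow that can leave a default-branch commit with no completed analysis. Consider cancelling only superseded pull request runs, for example `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`, and letting scheduled and branch runs finish.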

.github/workflows/governance.yml

Lines changed: 8 additions & 0 deletions
@@ -18,6 +18,14 @@ on:
1818
pull_request:
1919
workflow_dispatch:
2020

21+
# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
22+
# updates do not pile up queued runs against the shared account-wide
23+
# Actions concurrency pool. Applied only to read-only check workflows
24+
# (no publish/mutation), so cancelling a superseded run is always safe.
25+
concurrency:
26+
group: ${{ github.workflow }}-${{ github.ref }}
27+
cancel-in-progress: true
28+
2129
permissions:
2230
contents: read
2331
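Review bot: `workflow_dispatch:` sits directly above the new block, and a manually dispatched run on a branch gets the same `github.ref` as any other run on that branch, so a deliberate manual run can be cancelled by (or can cancel) an automated one. If operators dispatch this check on purpose, add the event to the key, for example `group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}`, so that only runs of the same kind supersede each other.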

.github/workflows/scorecard-enforcer.yml

Lines changed: 8 additions & 0 deletions
@@ -9,6 +9,14 @@ on:
99
- cron: '0 6 * * 1' # Weekly on Monday
1010
workflow_dispatch:
1111

12+
# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
13+
# updates do not pile up queued runs against the shared account-wide
14+
# Actions concurrency pool. Applied only to read-only check workflows
15+
# (no publish/mutation), so cancelling a superseded run is always safe.
16+
concurrency:
17+
group: ${{ github.workflow }}-${{ github.ref }}
18+
cancel-in-progress: true
19+
1220
permissions:
1321
contents: read
1422
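Review bot: The added comment justifies the guard by "re-pushes / rebased PR updates", but the triggers visible in this hunk are a weekly cron and `workflow_dispatch`, neither of which queues up on a re-push. If there is no push or pull_request trigger above line 9, the block's only effect in this file is to let a manual dispatch cancel the weekly run, or the reverse. Either reword the comment for this workflow or drop the guard here.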

.github/workflows/scorecard.yml

Lines changed: 8 additions & 0 deletions
@@ -7,6 +7,14 @@ on:
77
- cron: '0 4 * * *'
88
workflow_dispatch:
99

10+
# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
11+
# updates do not pile up queued runs against the shared account-wide
12+
# Actions concurrency pool. Applied only to read-only check workflows
13+
# (no publish/mutation), so cancelling a superseded run is always safe.
14+
concurrency:
15+
group: ${{ github.workflow }}-${{ github.ref }}
16+
cancel-in-progress: true
17+
1018
permissions:
1119
contents: read
1220
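Review bot: The comment's claim "(no publish/mutation), so cancelling a superseded run is always safe" is not established by the lines around it: the `permissions:` / `contents: read` that follows is only the workflow-level default, and any job can override it with its own `permissions:` block. Please confirm that no job in this file requests a write scope or uploads results, or soften "always safe" in the comment, since a run cancelled partway through an upload is not equivalent to one that never started.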

.github/workflows/secret-scanner.yml

Lines changed: 9 additions & 1 deletion
@@ -7,6 +7,14 @@ on:
77
push:
88
branches: [main]
99

10+
# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
11+
# updates do not pile up queued runs against the shared account-wide
12+
# Actions concurrency pool. Applied only to read-only check workflows
13+
# (no publish/mutation), so cancelling a superseded run is always safe.
14+
concurrency:
15+
group: ${{ github.workflow }}-${{ github.ref }}
16+
cancel-in-progress: true
17+
1018
permissions:
1119
contents: read
1220
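Review bot: For the `push:` / `branches: [main]` trigger shown above the new block, `github.ref` is always `refs/heads/main`, so two merges in quick succession put both scans in one group and the first is cancelled. Whether the later run still covers the earlier commit depends on how the scan step selects files, which this hunk does not show; if it inspects only the pushed change, that commit is never checked. For a secret scanner on the default branch, prefer not cancelling push runs, for example `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`, or key the group on `${{ github.sha }}` for pushes.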

@@ -70,4 +78,4 @@ jobs:
7078
if [ $found -eq 1 ]; then
7179
echo "::error::Potential hardcoded secrets detected. Use environment variables instead."
7280
exit 1
73-
fi
81+
fi
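Review bot: `if [ $found -eq 1 ]` in the context lines leaves `$found` unquoted and without a default, so if it is ever empty the test itself errors, the `if` evaluates as false, and the step passes without reporting anything, which is a fail-open path in a security gate. The removed and added `fi` lines read the same, so this hunk looks like a whitespace or end-of-file newline fix that the commit message does not mention; since the line is being touched anyway, consider `if [ "${found:-0}" -eq 1 ]; then` in the same change and note the newline fix in the message.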