From ab6e126ccfdb3d905f4b5061a2936fe8523b9795 Mon Sep 17 00:00:00 2001 From: Ralf Anton Beier Date: Sat, 2 May 2026 09:10:55 +0200 Subject: [PATCH 1/3] chore(ci): add concurrency control to all workflows MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Why: org-wide CI is queue-bound — 93 jobs perpetually queued across the org, oldest 23 hours old on spar, ~30-40% of compute spent on runs against superseded commits. Adding workflow-level concurrency cancels superseded PR runs (the cheapest, lowest-risk fix) and is a prerequisite for the runner-migration work tracked separately. What: a single workflow file in this repo, `.github/workflows/ci.yml`. Default variant — group by workflow + head_ref (or ref on non-PR events), cancel-in-progress only on `pull_request` events. The sbom/provenance jobs in this workflow are gated on `github.ref == 'refs/heads/main'`; the conditional cancel (`${{ github.event_name == 'pull_request' }}`) leaves them untouched on push-to-main while still cancelling stale PR runs. Classification: - ci.yml → default variant (filename not in the release/compliance/sign keyword list; main-only attestation jobs are protected by the conditional cancel-in-progress). Out of scope (per the brief): runner migration, job parallelisation, cache strategy, permissions hardening — tracked separately, depend on this PR landing first. Verification: - YAML parses (python -c "import yaml; yaml.safe_load(...)"). - Diff is 4 lines, only under .github/workflows/. - After merge, the next PR push will demonstrate cancel behaviour; main push will demonstrate non-cancellation. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index db93296..0f4119b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -1,5 +1,9 @@ name: CI +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + on: push: branches: [main] From f0830ae61143de69cd3132964baed67f7688980b Mon Sep 17 00:00:00 2001 From: Ralf Anton Beier Date: Sun, 3 May 2026 07:47:43 +0200 Subject: [PATCH 2/3] chore(ci): add a comment above the provenance job (no-op for cancellation test) Verifying the concurrency block from the parent commit by pushing two no-op commits in quick succession; the second should cancel this run. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0f4119b..dea7670 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -76,6 +76,8 @@ jobs: name: sbom path: sbom.spdx.json + # Attest build provenance for main-branch artifacts (consumed by + # downstream verifiers). provenance: runs-on: ubuntu-latest needs: [test, lint] From 64b2413669e366f50d52f85c1816bf177b6d22f9 Mon Sep 17 00:00:00 2001 From: Ralf Anton Beier Date: Sun, 3 May 2026 07:47:59 +0200 Subject: [PATCH 3/3] chore(ci): tweak the provenance job comment (second no-op for cancel test) The previous push's run should be cancelled by this one if the concurrency block is wired correctly. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dea7670..9177225 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -77,7 +77,7 @@ jobs: path: sbom.spdx.json # Attest build provenance for main-branch artifacts (consumed by - # downstream verifiers). + # downstream attestation verifiers). provenance: runs-on: ubuntu-latest needs: [test, lint]
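Review bot: the group key `${{ github.workflow }}-${{ github.head_ref || github.ref }}` in this hunk is keyed on the source branch name for `pull_request` events, and `github.head_ref` is not unique across forks: two open PRs from different forks whose branches happen to share a name (both called `fix-ci`, say) land in the same concurrency group and will cancel each other's runs. Since the cancel is already conditioned on `github.event_name == 'pull_request'`, keying on `github.ref` alone (which is `refs/pull/<n>/merge` for PR runs and therefore unique per PR), or on `${{ github.event.pull_request.number || github.ref }}`, avoids the collision. Separately, `cancel-in-progress: false` does not make push-to-main runs immune to concurrency: GitHub Actions keeps at most one running and one pending run per group and cancels a previously pending run when a newer one queues, so if three commits land on `main` in quick succession the middle commit's run, including its sbom/provenance jobs, can be cancelled before it ever starts. If every `main` commit must produce an attestation, the push-event branch of the expression should key on `${{ github.sha }}` rather than `github.ref` so each commit gets its own group; otherwise the commit message's claim that the conditional cancel "leaves them untouched on push-to-main" should be softened to describe the pending-run behaviour.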
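Review bot: the comment added above `provenance:` in the second hunk says what the job does but not why it matters to this series; the parent commit's whole reason for making `cancel-in-progress` conditional is that this job only runs for `refs/heads/main`, so the comment is the natural place to record that gating and its consequence, e.g. `# Attest build provenance for main-branch artifacts (consumed by downstream verifiers). Runs only on main; a cancelled main run leaves that commit unattested.` The commit message is explicit that this change exists to exercise cancellation, so the comment is harmless, but it should not survive as a standalone commit once the test is done.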
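Review bot: the third hunk only rewords the comment (`downstream verifiers` to `downstream attestation verifiers`) and, like PATCH 2/3, exists solely to trigger a second run; both no-op commits should be squashed into PATCH 1/3 (or dropped) before merge so the history records one functional change. The evidence that the earlier run was cancelled belongs in the PR description as a link to the cancelled run rather than in the commit log, where "should be cancelled by this one" is a prediction, not an observed result.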