From edff8375d48f400877c11ee51a476a4a950afd15 Mon Sep 17 00:00:00 2001
From: Jonathan Yu
Date: Tue, 1 Mar 2022 18:04:45 +0000
Subject: [PATCH] chore: limit concurrency for build jobs
* Configure build jobs to cancel previous builds when new changes are pushed to a pull request branch, and serialize builds when running in a branch from a push event
* Reduce privileges of GitHub token for scripts workflow
---
 .github/workflows/ci.yaml | 7 +++++++
 .github/workflows/codeql-analysis.yml | 7 +++++++
 .github/workflows/docker.yaml | 7 +++++++
 .github/workflows/docs-preview.yaml | 7 +++++++
 .github/workflows/installer.yml | 7 +++++++
 .github/workflows/npm-brew.yaml | 7 +++++++
 .github/workflows/scripts.yml | 19 +++++++++++++++++++
 7 files changed, 61 insertions(+)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 9f3bb7d53bb4..985a248b29f6 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -8,6 +8,13 @@ on:
 branches:
 - main
+# Cancel in-progress runs for pull requests when developers push
+# additional changes, and serialize builds in branches.
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 # Note: if: success() is used in several jobs -
 # this ensures that it only executes if all previous jobs succeeded.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 3b41e3d9b2ad..d9ab78ab3e7e 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
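Review bot: The comment added above `concurrency:` in ci.yaml says branch builds are serialized, but with `cancel-in-progress` evaluating to false GitHub keeps at most one pending run per group, so when several pushes land on a branch while a run is active the older queued runs are cancelled and only the newest one executes. The same block and wording are repeated in codeql-analysis.yml, docker.yaml, docs-preview.yaml, installer.yml, npm-brew.yaml and scripts.yml. For codeql-analysis.yml this matters most: intermediate commits on a busy branch may never be scanned, and the scheduled run presumably shares the `${{ github.workflow }}-${{ github.ref }}` group with pushes to the default branch. I would reword the second comment line to `# additional changes; on branches, queue at most one pending run behind the active one.` so nobody relies on every commit having been built or analysed.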
@@ -10,6 +10,13 @@ on:
 # Runs every Monday morning PST
 - cron: "17 15 * * 1"
+# Cancel in-progress runs for pull requests when developers push
+# additional changes, and serialize builds in branches.
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index ec1792b27be8..c31577d573b1 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -9,6 +9,13 @@ on:
 types:
 - released
+# Cancel in-progress runs for pull requests when developers push
+# additional changes, and serialize builds in branches.
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
 docker-images:
 runs-on: ubuntu-20.04
diff --git a/.github/workflows/docs-preview.yaml b/.github/workflows/docs-preview.yaml
index 6eb4fcaef509..e56acf5c4a65 100644
--- a/.github/workflows/docs-preview.yaml
+++ b/.github/workflows/docs-preview.yaml
@@ -17,6 +17,13 @@ permissions:
 security-events: none
 statuses: none
+# Cancel in-progress runs for pull requests when developers push
+# additional changes, and serialize builds in branches.
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
 preview:
 name: Docs preview
diff --git a/.github/workflows/installer.yml b/.github/workflows/installer.yml
index cba880cf9b4d..761e1047cbcb 100644
--- a/.github/workflows/installer.yml
+++ b/.github/workflows/installer.yml
@@ -12,6 +12,13 @@ on:
 paths:
 - "install.sh"
+# Cancel in-progress runs for pull requests when developers push
+# additional changes, and serialize builds in branches.
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
 ubuntu:
 name: Test installer on Ubuntu
diff --git a/.github/workflows/npm-brew.yaml b/.github/workflows/npm-brew.yaml
index a515e423e1ff..7f9648d038df 100644
--- a/.github/workflows/npm-brew.yaml
+++ b/.github/workflows/npm-brew.yaml
@@ -8,6 +8,13 @@ on:
 release:
 types: [released]
+# Cancel in-progress runs for pull requests when developers push
+# additional changes, and serialize builds in branches.
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
 # NOTE: this job requires curl, jq and yarn
 # All of them are included in ubuntu-latest.
diff --git a/.github/workflows/scripts.yml b/.github/workflows/scripts.yml
index 197d74ef885e..cf6d18caa2b0 100644
--- a/.github/workflows/scripts.yml
+++ b/.github/workflows/scripts.yml
@@ -14,6 +14,25 @@ on:
 - "**.sh"
 - "**.bats"
+permissions:
+ actions: none
+ checks: none
+ contents: read
+ deployments: none
+ issues: none
+ packages: none
+ pull-requests: none
+ repository-projects: none
+ security-events: none
+ statuses: none
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes, and serialize builds in branches.
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
 test:
 name: Run script unit tests
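Review bot: The new `permissions:` block in scripts.yml spells out ten scopes, nine of them `none`, but once any scope is declared every unlisted scope is already `none`, so a block containing only `contents: read` yields the same token. The long form can also mislead a reader into thinking that scopes missing from the list (for example `id-token`) keep their defaults, when they are denied as well. If the explicit list is kept to match the style visible in the docs-preview.yaml context lines, a comment above it such as `# Least privilege: read-only checkout; scopes not listed here are also none.` would record the intent. Only scripts.yml gains a token restriction in this patch; whether ci.yaml, installer.yml and the release workflows declare `permissions:` is not visible in these hunks and is worth checking.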