diff --git a/.github/workflows/auto-changelog.yml b/.github/workflows/auto-changelog.yml
index 4d2de31c..957d2b78 100644
--- a/.github/workflows/auto-changelog.yml
+++ b/.github/workflows/auto-changelog.yml
@@ -7,7 +7,7 @@ on:
 types: [published]
 concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
+ group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }}
 cancel-in-progress: true
 jobs:
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index deae86e5..df84999a 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -16,7 +16,7 @@ on:
 workflow_dispatch:
 concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
+ group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
 cancel-in-progress: true
 env:
diff --git a/.github/workflows/cerberus-integration.yml b/.github/workflows/cerberus-integration.yml
index 943ee06f..0184c9d1 100644
--- a/.github/workflows/cerberus-integration.yml
+++ b/.github/workflows/cerberus-integration.yml
@@ -22,7 +22,7 @@ on:
 # Prevent race conditions when PR is updated mid-test
 # Cancels old test runs when new build completes with different SHA
 concurrency:
- group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.ref }}
+ group: ${{ github.workflow }}-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
 cancel-in-progress: true
 jobs:
diff --git a/.github/workflows/codecov-upload.yml b/.github/workflows/codecov-upload.yml
index 47a9664a..51003f79 100644
--- a/.github/workflows/codecov-upload.yml
+++ b/.github/workflows/codecov-upload.yml
@@ -15,7 +15,7 @@ on:
 - 'hotfix/**'
 concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
+ group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }}
 cancel-in-progress: true
 env:
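Review bot: In cerberus-integration.yml the new key still identifies the upstream run only by `github.event.workflow_run.head_branch`, which for a pull request is the contributor's branch name and is not unique across forks. Two PRs whose branches share a name therefore land in one group, and with `cancel-in-progress: true` the newer run cancels the other's; in security-pr.yml and supply-chain-pr.yml that means a scan can be cancelled by an unrelated PR. Adding the head repository to the key keeps them apart, for example `${{ github.event.workflow_run.head_repository.full_name || github.repository }}-${{ github.event.workflow_run.head_branch || github.ref }}` as the last segment. crowdsec-integration.yml, rate-limit-integration.yml and waf-integration.yml carry the same key.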
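Review bot: In codecov-upload.yml the new key replaces `github.ref` with `github.head_ref || github.ref_name`, which makes pull-request keys less unique than the old ones: on a pull_request run `github.ref` is `refs/pull/<number>/merge`, while `github.head_ref` is only the source branch name, so two PRs whose branches share a name (easy to hit with forks) fall into one group and cancel each other under `cancel-in-progress: true`. The old key also already kept push and PR runs apart, because a push ref is `refs/heads/...`. Keeping the full ref and only adding the event, `group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}` as the benchmark.yml hunk does, avoids the collision. The same swap is made in docker-lint.yml, dry-run-history-rewrite.yml, history-rewrite-tests.yml and repo-health.yml, and codeql.yml, docker-build.yml and quality-checks.yml keep a `github.head_ref` key, so a code-scanning run there can be cancelled the same way. The trigger list is outside the hunk, so this assumes the workflow runs on pull_request.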
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ee4dbfdb..f0968f4c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -17,7 +17,7 @@ on:
 - cron: '0 3 * * 1'
 concurrency:
- group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
+ group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }}
 cancel-in-progress: true
 env:
diff --git a/.github/workflows/crowdsec-integration.yml b/.github/workflows/crowdsec-integration.yml
index d54355b2..071a6bfa 100644
--- a/.github/workflows/crowdsec-integration.yml
+++ b/.github/workflows/crowdsec-integration.yml
@@ -22,7 +22,7 @@ on:
 # Prevent race conditions when PR is updated mid-test
 # Cancels old test runs when new build completes with different SHA
 concurrency:
- group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.ref }}
+ group: ${{ github.workflow }}-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
 cancel-in-progress: true
 jobs:
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 7abf0829..beecc68d 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -38,7 +38,7 @@ on:
 workflow_call:
 concurrency:
- group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
+ group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }}
 cancel-in-progress: true
 env:
diff --git a/.github/workflows/docker-lint.yml b/.github/workflows/docker-lint.yml
index 8b89d96d..c46d6302 100644
--- a/.github/workflows/docker-lint.yml
+++ b/.github/workflows/docker-lint.yml
@@ -11,7 +11,7 @@ on:
 - 'Dockerfile'
 concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
+ group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }}
 cancel-in-progress: true
 permissions:
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 2a14df99..50966716 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -25,7 +25,7 @@ permissions:
 # Allow only one concurrent deployment
 concurrency:
- group: "pages-${{ github.ref }}"
+ group: "pages-${{ github.event_name }}-${{ github.ref }}"
 cancel-in-progress: false
 env:
diff --git a/.github/workflows/dry-run-history-rewrite.yml b/.github/workflows/dry-run-history-rewrite.yml
index 7a27880e..3bfe2772 100644
--- a/.github/workflows/dry-run-history-rewrite.yml
+++ b/.github/workflows/dry-run-history-rewrite.yml
@@ -10,7 +10,7 @@ on:
 workflow_dispatch:
 concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
+ group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }}
 cancel-in-progress: true
 permissions:
diff --git a/.github/workflows/history-rewrite-tests.yml b/.github/workflows/history-rewrite-tests.yml
index 96c964ec..5f5506a9 100644
--- a/.github/workflows/history-rewrite-tests.yml
+++ b/.github/workflows/history-rewrite-tests.yml
@@ -15,7 +15,7 @@ on:
 - 'hotfix/**'
 concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
+ group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }}
 cancel-in-progress: true
 jobs:
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
index bd0a6e98..d1390f4c 100644
--- a/.github/workflows/quality-checks.yml
+++ b/.github/workflows/quality-checks.yml
@@ -15,7 +15,7 @@ on:
 - 'hotfix/**'
 concurrency:
- group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
+ group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }}
 cancel-in-progress: true
 permissions:
diff --git a/.github/workflows/rate-limit-integration.yml b/.github/workflows/rate-limit-integration.yml
index f62b87ec..8e7bfb36 100644
--- a/.github/workflows/rate-limit-integration.yml
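Review bot: In docs.yml the comment above the block still says "Allow only one concurrent deployment", but with `github.event_name` in the key a push run and a manually dispatched run on the same ref now sit in different groups and can deploy at the same time. Because this block sets `cancel-in-progress: false`, a running job was never cancelled here, so the cancellation problem the commit targets did not apply to this workflow. I would keep `group: "pages-${{ github.ref }}"` for this file, or update the comment if one deployment per event type is what is wanted. The trigger list is outside the hunk, so which events reach this workflow is not visible here.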
+++ b/.github/workflows/rate-limit-integration.yml
@@ -22,7 +22,7 @@ on:
 # Prevent race conditions when PR is updated mid-test
 # Cancels old test runs when new build completes with different SHA
 concurrency:
- group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.ref }}
+ group: ${{ github.workflow }}-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
 cancel-in-progress: true
 jobs:
diff --git a/.github/workflows/repo-health.yml b/.github/workflows/repo-health.yml
index 9d7e9b28..84401601 100644
--- a/.github/workflows/repo-health.yml
+++ b/.github/workflows/repo-health.yml
@@ -8,7 +8,7 @@ on:
 workflow_dispatch: {}
 concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
+ group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }}
 cancel-in-progress: true
 jobs:
diff --git a/.github/workflows/security-pr.yml b/.github/workflows/security-pr.yml
index c3d5cda4..b80850b5 100644
--- a/.github/workflows/security-pr.yml
+++ b/.github/workflows/security-pr.yml
@@ -22,7 +22,7 @@ on:
 type: string
 concurrency:
- group: security-pr-${{ github.event.workflow_run.head_branch || github.ref }}
+ group: security-pr-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
 cancel-in-progress: true
 jobs:
diff --git a/.github/workflows/supply-chain-pr.yml b/.github/workflows/supply-chain-pr.yml
index c0b31927..22e377e8 100644
--- a/.github/workflows/supply-chain-pr.yml
+++ b/.github/workflows/supply-chain-pr.yml
@@ -21,7 +21,7 @@ on:
 type: string
 concurrency:
- group: supply-chain-pr-${{ github.event.workflow_run.head_branch || github.ref }}
+ group: supply-chain-pr-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
 cancel-in-progress: true
 permissions:
diff --git a/.github/workflows/waf-integration.yml b/.github/workflows/waf-integration.yml
index 1ad91ef6..6e203508 100644
--- a/.github/workflows/waf-integration.yml
+++ b/.github/workflows/waf-integration.yml
@@ -22,7 +22,7 @@ on:
 # Prevent race conditions when PR is updated mid-test
 # Cancels old test runs when new build completes with different SHA
 concurrency:
- group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.ref }}
+ group: ${{ github.workflow }}-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
 cancel-in-progress: true
 jobs:
diff --git a/docs/plans/fix_workflow_concurrency.md b/docs/plans/fix_workflow_concurrency.md
new file mode 100644
index 00000000..57aa3be7
--- /dev/null
+++ b/docs/plans/fix_workflow_concurrency.md
@@ -0,0 +1,99 @@
+# Fix Workflow Concurrency Logic
+
+## 1. Introduction
+The current GitHub Actions workflows use `concurrency` settings that often group runs solely by branch name. This causes an issue where a `push` to a branch cancels an active `pull_request` check for the same branch (or vice versa), because they resolve to the same concurrency group key.
+
+This plan aims to decouple these contexts so that:
+- **Push runs** only cancel previous **Push runs** on the same branch.
+- **PR runs** only cancel previous **PR runs** on the same PR/branch.
+- They **do not** cancel each other.
+
+## 2. Technical Specification
+
+### 2.1 Standard Workflows
+For workflows triggered by `push` or `pull_request` (e.g., `docker-build.yml`), we will inject `${{ github.event_name }}` into the concurrency group key.
+
+**Current Pattern:**
+```yaml
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
+ cancel-in-progress: true
+```
+
+**New Pattern:**
+```yaml
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }}
+ cancel-in-progress: true
+```
+
+### 2.2 Chained Workflows (`workflow_run`)
+For workflows triggered by the completion of another workflow (e.g., `security-pr.yml` triggered by `docker-build`), we must differentiate based on what triggered the *upstream* run.
+
+**Current Pattern:**
+```yaml
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.ref }}
+ cancel-in-progress: true
+```
+
+**New Pattern:**
+```yaml
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
+ cancel-in-progress: true
+```
+*Note: We use `|| github.event_name` and `|| github.ref` to handle cases where the workflow might be manually triggered (`workflow_dispatch`), where `workflow_run` context is missing.*
+
+## 3. Implementation Plan
+
+### Phase 1: Update Standard Workflows
+Target Files:
+- `.github/workflows/docker-build.yml`
+- `.github/workflows/quality-checks.yml`
+- `.github/workflows/codeql.yml`
+- `.github/workflows/benchmark.yml`
+- `.github/workflows/docs.yml`
+
+### Phase 2: Update Chained Workflows
+Target Files:
+- `.github/workflows/security-pr.yml`
+- `.github/workflows/cerberus-integration.yml`
+- `.github/workflows/crowdsec-integration.yml`
+- `.github/workflows/rate-limit-integration.yml`
+- `.github/workflows/waf-integration.yml`
+- `.github/workflows/supply-chain-pr.yml`
+
+## 4. Acceptance Criteria
+- [x] Push events triggers do not cancel visible PR checks.
+- [x] PR synchronizations cancel older PR checks.
+- [x] Repeated Pushes cancel older Push checks.
+- [x] Manual triggers (`workflow_dispatch`) are handled gracefully without syntax errors.
+
+## 5. Resolution Log
+**Executed by Agent on 2025-02-23:**
+
+Applied concurrency group updates to differentiate between `push` and `pull_request` events.
+
+**Updated Standard Workflows:**
+- `docker-build.yml`
+- `quality-checks.yml`
+- `codeql.yml`
+- `benchmark.yml`
+- `docs.yml`
+- `docker-lint.yml` (Added)
+- `codecov-upload.yml` (Added)
+- `repo-health.yml` (Added)
+- `auto-changelog.yml` (Added)
+- `history-rewrite-tests.yml` (Added)
+- `dry-run-history-rewrite.yml` (Added)
+
+**Updated Chained Workflows (`workflow_run`):**
+- `security-pr.yml`
+- `cerberus-integration.yml`
+- `crowdsec-integration.yml`
+- `rate-limit-integration.yml`
+- `waf-integration.yml`
+- `supply-chain-pr.yml`
+
+All identified workflows now include `${{ github.event_name }}` (or `${{ github.event.workflow_run.event }}`) in their concurrency group keys to prevent aggressive cancellation.