ci: add concurrency groups, job timeouts, and extend CodeQL to Python

rshevchuk-git · rshevchuk-git · commit 00226c6a7f47 · 2026-05-05T10:54:55.000+02:00
- Add concurrency groups to build, pull-request-lint, dependency-review,
  and merge-prevention workflows. PR-triggered runs cancel in-progress
  superseded runs; push and merge_group runs are allowed to complete.
  pull-request-lint keys on github.event.pull_request.number because
  pull_request_target's github.ref points to the base branch.
- Add timeout-minutes to every job (5-30 min depending on workload) to
  replace the 6-hour default.
- Extend CodeQL matrix to cover Python (build-mode: none) alongside
  the existing GitHub Actions analysis, so tools/validate.py and any
  future Python helpers are scanned.
- Add a push trigger on main to build.yml so direct pushes to the
  protected branch still run lint/validate/security.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,11 +1,18 @@
 name: Build
 
 on:
+  push:
+    branches: [main]
   pull_request:
     branches: [main]
   merge_group:
   workflow_dispatch:
 
+# Cancel superseded PR runs; let push/merge_group runs complete.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 # Default to no permissions; grant minimally at the job level.
 permissions:
   actions: none
@@ -27,6 +34,7 @@ permissions:
 jobs:
   build:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
     steps:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -32,6 +32,7 @@ jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
     runs-on: ubuntu-latest
+    timeout-minutes: 30
     permissions:
       security-events: write # upload SARIF to code scanning
       packages: read # fetch internal CodeQL packs (no-op for public repos)
@@ -45,6 +46,9 @@ jobs:
           # (script injection, untrusted checkout patterns, over-broad tokens).
           - language: actions
             build-mode: none
+          # Scans Python helpers (e.g. tools/validate.py).
+          - language: python
+            build-mode: none
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -4,6 +4,10 @@ on:
   pull_request:
     branches: [main]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 # Default to no permissions; grant minimally at the job level.
 permissions:
   actions: none
@@ -25,6 +29,7 @@ permissions:
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     permissions:
       contents: read
     steps:
diff --git a/.github/workflows/merge-prevention.yml b/.github/workflows/merge-prevention.yml
@@ -26,6 +26,11 @@ on:
     types:
       - checks_requested
 
+# Cancel superseded PR runs; never cancel merge_group runs (they gate a queued merge).
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 # Default to no permissions; grant minimally at the job level.
 permissions:
   actions: none
@@ -51,6 +56,7 @@ env:
 jobs:
   get-pr-info:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     permissions:
       contents: read
       pull-requests: read
@@ -77,6 +83,7 @@ jobs:
 
   check-halt-merges:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     needs: get-pr-info
     if: always()
     steps:
@@ -106,6 +113,7 @@ jobs:
 
   check-do-not-merge-label:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     needs: get-pr-info
     if: always()
     steps:
diff --git a/.github/workflows/pull-request-lint.yml b/.github/workflows/pull-request-lint.yml
@@ -5,6 +5,11 @@ on:
     types: [opened, edited, synchronize, reopened]
     branches: [main]
 
+# Key on PR number because pull_request_target's github.ref is the base branch.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
 # Default to no permissions; grant minimally at the job level.
 permissions:
   actions: none
@@ -26,6 +31,7 @@ permissions:
 jobs:
   pr-title:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     permissions:
       pull-requests: read
     steps:
diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml
@@ -14,6 +14,7 @@ jobs:
   analysis:
     name: Scorecard analysis
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
       security-events: write # upload SARIF to code scanning
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -26,6 +26,7 @@ permissions:
 jobs:
   stale:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       issues: write
       pull-requests: write
