From 50ec2a3b75d243a44be85b2e89442d7536c72f17 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Wed, 2 Apr 2025 16:15:31 +0200
Subject: [PATCH 1/5] gha: set permissions to read-only by default

Signed-off-by: Sebastiaan van Stijn
---
 .github/workflows/ci.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 75c6bd7af9..9d8f9f3515 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,14 @@
 name: ci
 
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:
From 6ac023a72cb71d42fc02ab284329af4a54f37963 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Wed, 2 Apr 2025 16:16:20 +0200
Subject: [PATCH 2/5] gha: add concurrency check

Signed-off-by: Sebastiaan van Stijn
---
 .github/workflows/ci.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9d8f9f3515..950dbdd575 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,10 @@ name: ci
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   workflow_dispatch:
   push:
From 68cea527a1dd1aab50a7ff88879fc25d01091125 Mon Sep 17 00:00:00 2001
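Review bot: The comment on the first `+` line of the permissions hunk says `contents: read` "grants actions to read commits", which misdescribes the scope: it grants read access to the repository contents, which is what actions/checkout needs. Suggest `# Default to 'contents: read', which grants read access to the repository contents (what actions/checkout needs).` Since a workflow-level `permissions` block sets every unlisted scope to none, a job that later needs a write scope (packages, pull-requests, id-token for OIDC) must declare it at job level rather than widening this default; one sentence saying so in the comment would spare the next editor a surprise. The `on:` block continues past the end of the hunk.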
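Review bot: `cancel-in-progress: true` on the third `+` line of the concurrency hunk applies to every ref, including the default branch; because the workflow is also triggered by `push` (visible in the context lines), two pushes in quick succession to the default branch cancel the first run and leave that commit without a completed CI result. If that is not intended, restrict cancellation to non-default refs, e.g. `cancel-in-progress: ${{ github.ref != format('refs/heads/{0}', github.event.repository.default_branch) }}`. The group key `${{ github.workflow }}-${{ github.ref }}` also means a manual `workflow_dispatch` run on a ref shares the group with a push run on the same ref and cancels it, which is worth a short comment above the block.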
From: Sebastiaan van Stijn
Date: Wed, 2 Apr 2025 16:20:12 +0200
Subject: [PATCH 3/5] gha: add guardrails timeouts on all jobs

We had a few "runaway jobs" in other repos, where the job got stuck, and kept running for 6 hours (in one case even 24 hours, probably due some github outage). Some of those jobs could not be terminated. While running these actions on public repositories doesn't cost us, it's still not desirable to have jobs running for that long (as they can still hold up the queue). This patch adds a blanket "1 hour" time-limit. We should look at tweaking the limit to actually expected duration, but having a default at least is a start.

Signed-off-by: Sebastiaan van Stijn
---
 .github/workflows/ci.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 950dbdd575..b811aa67b5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,6 +26,7 @@ on:
 jobs:
   build:
     runs-on: ubuntu-24.04
+    timeout-minutes: 60 # guardrails timeout for the whole job
     strategy:
       fail-fast: false
       matrix:
From 5bf3dd5df6d42f23aa13212701e6417d569942ee Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Wed, 2 Apr 2025 16:24:16 +0200
Subject: [PATCH 4/5] gha: update to actions/checkout@v4

Signed-off-by: Sebastiaan van Stijn
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b811aa67b5..82dbfe138d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -44,7 +44,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
From 95b6b1db2b5a2bc42c16270e160d4b9ce81c80ba Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Wed, 2 Apr 2025 16:25:39 +0200
Subject: [PATCH 5/5] gha: update to docker/setup-buildx-action@v3
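Review bot: `timeout-minutes` is a job-level setting with no workflow-wide equivalent, so the `60` on the `+` line of the timeout hunk limits only the `build` job; the subject line says "all jobs", but any other job in this file (none is visible in the hunk) or one added later keeps GitHub's 360-minute default unless it sets its own. It would help to say so in the inline comment: `timeout-minutes: 60 # guardrails timeout for the whole job; there is no workflow-wide default, set this on every job`. The `jobs:` block continues past the end of the hunk.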
Signed-off-by: Sebastiaan van Stijn
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 82dbfe138d..5391ce8304 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -47,7 +47,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
 
       - name: Build
         run: |