From 9efe0966bf493f9257d90dba5f4271fb5b760280 Mon Sep 17 00:00:00 2001 
From: Ralf Anton Beier Date: Sat, 2 May 2026 09:29:11 +0200 Subject: [PATCH] chore(ci): add concurrency control to all workflows MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add top-level `concurrency:` blocks to every workflow so superseded PR runs are cancelled while runs on `main`, tags, releases, and scheduled events complete normally. Org-wide context: 93 workflows queued across the org as of 2026-05-02 with the oldest job 23h old; rivet has been intermittently sitting at 5h+ runner-queue stalls on chore PRs. Without this, every PR push starts a fresh run while previous runs on superseded commits keep executing — agents pushing 2-5 commits per minute multiply queue pressure for zero useful signal. The conditional `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` preserves all main-branch and scheduled work. Variants applied per the brief: - **default** (cancel only on PR): `benchmarks.yml`, `ci.yml` - **compliance** (serialize, never cancel — partial reports leave registries / attestations inconsistent): `compliance.yml` - **release** (serialize per-tag, never cancel — partial publish leaves npm / GitHub Release inconsistent): `release.yml`, `release-npm.yml`. `release-npm.yml` keys on tag-name with fallback through `inputs.version` and `github.ref` for workflow_dispatch. Already had correct concurrency, left alone: - `rivet-delta.yml`: groups by `pull_request.number`, always cancels (correct: PR-only workflow, no main runs to protect). - `fuzz.yml`: groups by ref with `cancel-in-progress: false` (correct for hybrid push+schedule workflow; one fuzz run per ref serializes cleanly without losing scheduled corpus growth). Verification before merge: - All YAMLs parse cleanly via Python yaml.safe_load. - Diff is workflow-files-only — no job restructure, no runs-on change, no caching change. 
Trace: skip
---
 .github/workflows/benchmarks.yml | 5 +++++
 .github/workflows/ci.yml | 6 ++++++
 .github/workflows/compliance.yml | 7 +++++++
 .github/workflows/release-npm.yml | 7 +++++++
 .github/workflows/release.yml | 7 +++++++
 5 files changed, 32 insertions(+)
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
index ae7846e4..eb915423 100644
--- a/.github/workflows/benchmarks.yml
+++ b/.github/workflows/benchmarks.yml
@@ -1,5 +1,10 @@
 name: Benchmarks
+# Cancel superseded PR runs; protect main + scheduled runs.
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 on:
 push:
 branches: [main]
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e4a20ad3..05f82d9e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,11 @@
 name: CI
+# Cancel superseded PR runs; protect main + scheduled runs.
+# `head_ref || ref` keys per-PR-source-branch on PRs, falls back to ref on push.
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 on:
 push:
 branches: [main]
diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml
index 2e521cd3..0f1c547c 100644
--- a/.github/workflows/compliance.yml
+++ b/.github/workflows/compliance.yml
@@ -1,5 +1,12 @@
 name: Compliance Report
+# Compliance variant: produces compliance reports / signed artifacts. Group
+# for serialization but never cancel — partially-completed compliance runs
+# leave registries / attestations in inconsistent state.
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: false
+
 on:
 workflow_call:
 inputs:
diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release-npm.yml
index 8813fd93..adc0754f 100644
--- a/.github/workflows/release-npm.yml
+++ b/.github/workflows/release-npm.yml
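Review bot: The group key in the `benchmarks.yml` hunk (and identically in the `ci.yml` hunk) is built from `github.head_ref`, a branch name chosen by the PR author, so it is not unique per pull request: two PRs from different forks that use the same branch name share one group and cancel each other's runs, and a head branch whose name happens to equal a push ref string would share the group used by main-branch runs while carrying `cancel-in-progress: true`. Keying on the PR number, which the commit message says `rivet-delta.yml` already does, removes the dependence on contributor-controlled input: `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}`. The `on:` block continues outside both hunks, so whether fork PRs trigger these workflows is not visible here and should be confirmed.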
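Review bot: In the `compliance.yml` hunk the group is keyed on `github.workflow`, but this file is a reusable workflow (`on: workflow_call`), and inside a called workflow the `github` context carries the caller's values, so the key resolves to the calling workflow's name and ref rather than to "Compliance Report". If a caller declares a group that evaluates to the same string, the called jobs end up queued behind the very run that is waiting for them; GitHub documents group names as case-insensitive, so a caller named `Release` on a tag would yield `Release-refs/tags/…` here against `release-${{ github.ref }}` in `release.yml`. The callers are not part of this diff, so this needs checking against each `uses:` site. A literal prefix avoids the coupling: `group: compliance-${{ github.ref }}`.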
@@ -9,6 +9,13 @@ name: Release NPM
 # Platform packages MUST be published before the root package so npm can
 # resolve optionalDependencies on the first install after tag.
+# Release variant: serialize per-release, never cancel. A cancelled npm
+# publish run can leave platform packages published but root package
+# missing — first-install resolution would fail until manual cleanup.
+concurrency:
+ group: release-npm-${{ github.event.release.tag_name || github.event.inputs.version || github.ref }}
+ cancel-in-progress: false
+
 on:
 release:
 types: [published]
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 770f4661..fa701025 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,12 @@
 name: Release
+# Release variant: serialize per-tag, never cancel. A cancelled release
+# mid-publish leaves the GitHub Release page, registries, and per-target
+# binary archives in inconsistent state.
+concurrency:
+ group: release-${{ github.ref }}
+ cancel-in-progress: false
+
 on:
 push:
 tags:
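Review bot: The "never cancel" comment in the `release-npm.yml` hunk (and the matching ones in `release.yml` and `compliance.yml`) overstates what `cancel-in-progress: false` guarantees: it protects only the run that is already executing, while GitHub's documented queueing keeps a single pending run per group and lets a newer queued run replace the older pending one. I would reword the comment to `# Serialize per release; an in-progress run is never cancelled, but a queued run can be superseded by a newer one in the same group.` Separately, the key mixes `github.event.release.tag_name` with `github.event.inputs.version`; if the two differ in format (for example a leading `v`), a release-triggered publish and a manually dispatched publish of the same version would land in different groups and run concurrently. The `workflow_dispatch` input definition is outside this hunk, so that should be checked there.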