Skip to content

ci: redistribute concurrency-cancel guard to read-only check workflows #53

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
hyperpolymath merged 5 commits into from
May 18, 2026
Merged

ci: redistribute concurrency-cancel guard to read-only check workflows #53

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
23e4f56
ci: redistribute canonical codeql.yml (concurrency-cancel guard) (Ref…
hyperpolymath May 18, 2026
1948353
ci: redistribute canonical governance.yml (concurrency-cancel guard) …
hyperpolymath May 18, 2026
b9e5337
ci: redistribute canonical scorecard-enforcer.yml (concurrency-cancel…
hyperpolymath May 18, 2026
5723c62
ci: redistribute canonical scorecard.yml (concurrency-cancel guard) (…
hyperpolymath May 18, 2026
2e7d3e4
ci: redistribute canonical secret-scanner.yml (concurrency-cancel gua…
hyperpolymath May 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 39 additions & 10 deletions .github/workflows/codeql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,20 +1,49 @@
<<<<<<< HEAD
# SPDX-License-Identifier: PMPL-1.0-or-later
=======
# SPDX-License-Identifier: MPL-2.0-or-later
>>>>>>> 1b58383 (chore: sync from parent repo automation)
# CodeQL disabled - no scannable source code detected
# SPDX-License-Identifier: PMPL-1.0
name: CodeQL Security Analysis

on:
workflow_dispatch: # Manual trigger only
push:
branches: [main, master]
pull_request:
branches: [main, master]
schedule:
- cron: '0 6 * * 1'

# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
# updates do not pile up queued runs against the shared account-wide
# Actions concurrency pool. Applied only to read-only check workflows
# (no publish/mutation), so cancelling a superseded run is always safe.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

jobs:
placeholder:
analyze:
runs-on: ubuntu-latest
if: false
permissions:
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
include:
- language: javascript-typescript
build-mode: none

steps:
- run: echo "Enable when source code is added"
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Initialize CodeQL
uses: github/codeql-action/init@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
with:
category: "/language:${{ matrix.language }}"
2 changes: 1 addition & 1 deletion .github/workflows/scorecard-enforcer.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ jobs:
publish_results: true

- name: Upload SARIF
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v4
with:
sarif_file: results.sarif

Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/scorecard.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# SPDX-License-Identifier: PMPL-1.0-or-later
# SPDX-License-Identifier: PMPL-1.0
name: OSSF Scorecard
on:
push:
Expand Down Expand Up @@ -36,6 +36,6 @@ jobs:
results_format: sarif

- name: Upload results
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.31.8
uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3.31.8
with:
sarif_file: results.sarif
12 changes: 7 additions & 5 deletions .github/workflows/secret-scanner.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# SPDX-License-Identifier: PMPL-1.0-or-later
# SPDX-License-Identifier: PMPL-1.0
# Prevention workflow - scans for hardcoded secrets before they reach main
name: Secret Scanner

Expand All @@ -22,19 +22,21 @@ jobs:
trufflehog:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
with:
fetch-depth: 0 # Full history for scanning

- name: TruffleHog Secret Scan
uses: trufflesecurity/trufflehog@6c05c4a00b91aa542267d8e32a8254774799d68d # v3
with:
extra_args: --only-verified --fail
# The v3 action injects --fail automatically on pull_request events.
# Passing --fail here triggers "flag 'fail' cannot be repeated".
extra_args: --only-verified

gitleaks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
with:
fetch-depth: 0

Expand All @@ -47,7 +49,7 @@ jobs:
rust-secrets:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4

- name: Check for hardcoded secrets in Rust
run: |
Expand Down
Loading