From 2ff90df6da6ee059a0359e0423d4a9868b9acabe Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 14:22:06 -0500 Subject: [PATCH 01/10] ci: disable persist-credentials on checkout No reason to keep any credentials around from this step. Signed-off-by: Randolph Sapp --- .github/workflows/build.yml | 4 ++++ .github/workflows/check-files.yml | 2 ++ .github/workflows/check_toc_txt.yml | 2 ++ .github/workflows/commit-check.yml | 1 + .github/workflows/deploy.yml | 2 ++ .github/workflows/docker.yml | 2 ++ .github/workflows/rstcheck.yml | 2 ++ .github/workflows/vale.yml | 2 ++ .github/workflows/yamllint.yml | 2 ++ 9 files changed, 19 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c637ad2fd..fcb125331 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Create build matrix id: matrix @@ -48,6 +50,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Add directory to safe dir overrides run: | diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml index e98c34d7b..282edb75d 100644 --- a/.github/workflows/check-files.yml +++ b/.github/workflows/check-files.yml @@ -24,6 +24,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Update refs and settings run: | diff --git a/.github/workflows/check_toc_txt.yml b/.github/workflows/check_toc_txt.yml index d8c9ecda6..3df95d84e 100644 --- a/.github/workflows/check_toc_txt.yml +++ b/.github/workflows/check_toc_txt.yml @@ -25,6 +25,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Update refs and settings run: | diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml index c4933e4fb..432406b77 100644 
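Review bot: The checkout steps that gain `persist-credentials: false` remain pinned to the floating `actions/checkout@v4` tag, so the token hygiene added here can be undone by a moved tag; for a hardening series it is worth pinning every `uses:` to a full commit SHA with a trailing version comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`. The same applies to the other action references visible in this patch (`docker/setup-buildx-action@v3`, `reviewdog/action-yamllint@v1`, `commit-check/commit-check-action@v2`) and to the checkouts in the check-files.yml, check_toc_txt.yml, commit-check.yml, deploy.yml, docker.yml, rstcheck.yml, vale.yml and yamllint.yml hunks. Separately, the "Update refs and settings" steps that follow the check-files.yml, check_toc_txt.yml and rstcheck.yml checkouts run git commands whose body is outside the hunk; if they fetch from origin, that fetch is now unauthenticated, which is fine for a public repository but deserves a one-line comment beside `persist-credentials: false` so nobody re-enables it later "to fix a fetch".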
--- a/.github/workflows/commit-check.yml +++ b/.github/workflows/commit-check.yml @@ -18,6 +18,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Check commit uses: commit-check/commit-check-action@v2 diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 1bfd50c2c..afa66dc66 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -22,6 +22,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Add directory to safe dir overrides run: | diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 061a1d992..18f18976f 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -22,6 +22,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 diff --git a/.github/workflows/rstcheck.yml b/.github/workflows/rstcheck.yml index 04a45c93d..cff2dede6 100644 --- a/.github/workflows/rstcheck.yml +++ b/.github/workflows/rstcheck.yml @@ -24,6 +24,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Update refs and settings run: | diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml index 1c493f94f..07e75cfbd 100644 --- a/.github/workflows/vale.yml +++ b/.github/workflows/vale.yml @@ -24,6 +24,8 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Get changed files id: changed-files diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml index 967316adc..377c2cc61 100644 --- a/.github/workflows/yamllint.yml +++ b/.github/workflows/yamllint.yml @@ -15,6 +15,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: yamllint uses: reviewdog/action-yamllint@v1 
From 8c9a44ac0f33e7ed2a893fb70278d2964a82bd03 Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 14:23:45 -0500 Subject: [PATCH 02/10] ci(build): use ref name env variable Use the ref name environment variable instead of the ref name directly to prevent any unusual command injection. Signed-off-by: Randolph Sapp --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fcb125331..49b7df5a3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -60,7 +60,7 @@ jobs: - name: Build ${{ matrix.device }} run: | make DEVFAMILY=${{ matrix.device }} OS=${{ matrix.os }} \ - VERSION=${{ github.ref_name }} + VERSION=${GITHUB_REF_NAME} - name: Upload artifact uses: actions/upload-artifact@v4 From a70dc3ef6c6553044dcc900db4419a5e31507720 Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 14:26:07 -0500 Subject: [PATCH 03/10] ci: clamp permissions for each workflow Clamp the workflow permissions to the minimum values required. Individual jobs can request other permissions if they need them. Signed-off-by: Randolph Sapp --- .github/workflows/build.yml | 7 +++---- .github/workflows/check-files.yml | 5 +++-- .github/workflows/check_toc_txt.yml | 5 +++-- .github/workflows/comment.yml | 5 +++-- .github/workflows/commit-check.yml | 9 +++++---- .github/workflows/deploy.yml | 5 +++-- .github/workflows/docker.yml | 7 ++++--- .github/workflows/rstcheck.yml | 5 +++-- .github/workflows/vale.yml | 5 +++-- .github/workflows/yamllint.yml | 3 +++ 10 files changed, 33 insertions(+), 23 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 49b7df5a3..067de398e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
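Review bot: `VERSION=${GITHUB_REF_NAME}` in the build step is left unquoted, so bash still applies word splitting and globbing to it; git ref names cannot contain whitespace, `*`, `?` or `[`, so this is not exploitable, but quoting keeps the step consistent with the `"$PWD"` usage in the same file and satisfies shellcheck SC2086: `VERSION="${GITHUB_REF_NAME}"`. The `make` invocation's first line and the `Upload artifact` step that follows are context outside this change.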
@@ -13,14 +13,15 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: collect: runs-on: ubuntu-latest container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read outputs: build-matrix: "${{ steps.matrix.outputs.matrix }}" steps: @@ -40,8 +41,6 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read needs: collect strategy: matrix: diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml index 282edb75d..2bd979cec 100644 --- a/.github/workflows/check-files.yml +++ b/.github/workflows/check-files.yml @@ -11,6 +11,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: lint: name: Lint @@ -18,8 +21,6 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check_toc_txt.yml b/.github/workflows/check_toc_txt.yml index 3df95d84e..62bc43044 100644 --- a/.github/workflows/check_toc_txt.yml +++ b/.github/workflows/check_toc_txt.yml @@ -12,6 +12,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: lint: name: Lint @@ -19,8 +22,6 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout repository diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml index c54a4cf03..13e6e739a 100644 --- a/.github/workflows/comment.yml +++ b/.github/workflows/comment.yml @@ -10,13 +10,14 @@ on: # yamllint disable-line rule:truthy types: - completed +permissions: + pull-requests: write + jobs: comment: name: Comment runs-on: ubuntu-latest if: ${{ github.event.workflow_run.event == 'pull_request' }} - permissions: - pull-requests: write steps: - name: Download artifact 
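Review bot: Hoisting `pull-requests: write` from the `comment` job to the workflow level in comment.yml widens the grant to every job in that file that does not declare its own `permissions`, including any added later; the usual least-privilege layout is a read-only or empty top-level block with write scopes kept on the job that needs them, i.e. `permissions: {}` (or `contents: read`) at the top and `pull-requests: write` left under `jobs.comment`. The same pattern appears in the commit-check.yml (`issues: write`, `pull-requests: write`) and docker.yml (`packages: write`) hunks of this patch. For the workflows where only `contents: read` moves up (build.yml, check-files.yml, check_toc_txt.yml, deploy.yml, rstcheck.yml, vale.yml, yamllint.yml) the hoist is a pure tightening and reads fine.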
diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml index 432406b77..5d52fedc5 100644 --- a/.github/workflows/commit-check.yml +++ b/.github/workflows/commit-check.yml @@ -4,14 +4,15 @@ on: # yamllint disable-line rule:truthy pull_request: branches: ['master'] +permissions: + contents: read + issues: write + pull-requests: write + jobs: commit-check: name: Commit Check runs-on: ubuntu-latest - permissions: - contents: read - issues: write - pull-requests: write steps: - name: Checkout diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index afa66dc66..7b378d8ee 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -8,6 +8,9 @@ on: # yamllint disable-line rule:truthy types: - completed +permissions: + contents: read + jobs: agregate: name: Agregate build artifacts @@ -16,8 +19,6 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 18f18976f..ef0269aef 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -11,13 +11,14 @@ env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} +permissions: + contents: read + packages: write + jobs: build: name: Build runs-on: ubuntu-latest - permissions: - contents: read - packages: write steps: - name: Checkout diff --git a/.github/workflows/rstcheck.yml b/.github/workflows/rstcheck.yml index cff2dede6..aab3f7e62 100644 --- a/.github/workflows/rstcheck.yml +++ b/.github/workflows/rstcheck.yml @@ -11,6 +11,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: lint: name: Lint @@ -18,8 +21,6 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout repository 
diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml index 07e75cfbd..48380f19f 100644 --- a/.github/workflows/vale.yml +++ b/.github/workflows/vale.yml @@ -7,6 +7,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: vale: name: vale @@ -14,8 +17,6 @@ jobs: container: image: ghcr.io/staticrocket/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Prepare GitHub workdir diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml index 377c2cc61..25850df5e 100644 --- a/.github/workflows/yamllint.yml +++ b/.github/workflows/yamllint.yml @@ -8,6 +8,9 @@ on: # yamllint disable-line rule:truthy - '**.yaml' - '**.yml' +permissions: + contents: read + jobs: yamllint: name: yamllint From 4a3abb4070e0ce997973aa0d485d2bb6d7c0be7f Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 14:52:25 -0500 Subject: [PATCH 04/10] ci: use env vars instead of template values Use env vars to pass values into scripts to prevent possible template injection issues. Signed-off-by: Randolph Sapp --- .github/workflows/build.yml | 6 ++++-- .github/workflows/check-files.yml | 4 +++- .github/workflows/check_toc_txt.yml | 4 +++- .github/workflows/rstcheck.yml | 4 +++- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 067de398e..6ad39ce6b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -57,9 +57,11 @@ jobs: git config --global --add safe.directory "$PWD" - name: Build ${{ matrix.device }} + env: + DEVFAMILY: ${{ matrix.device }} + OS: ${{ matrix.os }} run: | - make DEVFAMILY=${{ matrix.device }} OS=${{ matrix.os }} \ - VERSION=${GITHUB_REF_NAME} + make VERSION=${GITHUB_REF_NAME} - name: Upload artifact uses: actions/upload-artifact@v4 diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml index 2bd979cec..c76d43ba2 100644 
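Review bot: Passing `DEVFAMILY` and `OS` through `env:` instead of as `make` command-line arguments changes precedence: a command-line `VAR=value` overrides any assignment in the Makefile, whereas an environment variable is overridden by a plain `=` or `:=` assignment unless the Makefile uses `?=` or is run with `make -e`. If the Makefile assigns either variable unconditionally the build will silently use the default; the Makefile is not part of this diff, so please confirm. Keeping the values as quoted command-line arguments read from the env avoids both the template-injection concern and the precedence change: `make DEVFAMILY="$DEVFAMILY" OS="$OS" VERSION="$GITHUB_REF_NAME"`.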
--- a/.github/workflows/check-files.yml +++ b/.github/workflows/check-files.yml @@ -36,6 +36,8 @@ jobs: git switch master - name: Run check_files.py + env: + EVENT_NUMBER: ${{ github.event.number }} run: | # Disable color output export NO_COLOR=true @@ -56,7 +58,7 @@ jobs: # Prepare the artifacts mkdir -p ./results - echo "${{ github.event.number }}" > ./results/id + echo "$EVENT_NUMBER" > ./results/id cp "$GITHUB_STEP_SUMMARY" ./results/summary echo "$(wc -l < _new-warn.log)" > ./results/problem-count diff --git a/.github/workflows/check_toc_txt.yml b/.github/workflows/check_toc_txt.yml index 62bc43044..701d75b1c 100644 --- a/.github/workflows/check_toc_txt.yml +++ b/.github/workflows/check_toc_txt.yml @@ -37,6 +37,8 @@ jobs: git switch master - name: Run rstcheck + env: + EVENT_NUMBER: ${{ github.event.number }} run: | # Disable color output export NO_COLOR=true @@ -57,7 +59,7 @@ jobs: # Prepare the artifacts mkdir -p ./results - echo "${{ github.event.number }}" > ./results/id + echo "$EVENT_NUMBER" > ./results/id cp "$GITHUB_STEP_SUMMARY" ./results/summary echo "$(wc -l < _new-warn.log)" > ./results/problem-count diff --git a/.github/workflows/rstcheck.yml b/.github/workflows/rstcheck.yml index aab3f7e62..fbed08dd3 100644 --- a/.github/workflows/rstcheck.yml +++ b/.github/workflows/rstcheck.yml @@ -36,6 +36,8 @@ jobs: git switch master - name: Run rstcheck + env: + EVENT_NUMBER: ${{ github.event.number }} run: | # Disable color output export NO_COLOR=true @@ -56,7 +58,7 @@ jobs: # Prepare the artifacts mkdir -p ./results - echo "${{ github.event.number }}" > ./results/id + echo "$EVENT_NUMBER" > ./results/id cp "$GITHUB_STEP_SUMMARY" ./results/summary echo "$(wc -l < _new-warn.log)" > ./results/problem-count From 555812c0c7e247581d0cc298799586521657d433 Mon Sep 17 00:00:00 2001 
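Review bot: `echo "$EVENT_NUMBER" > ./results/id` takes the template expansion out of the shell, but the value written to the artifact is still consumed unchecked by a privileged workflow: comment.yml runs on `workflow_run` with `pull-requests: write` (see the previous patch), and because `pull_request` runs execute the PR's own copy of this workflow file, the contents of `results/id` are under the control of the PR author. The consumer (outside this diff) should treat the id as untrusted input, at minimum checking that it is a plain integer and that the PR it names has a head SHA equal to `github.event.workflow_run.head_sha` before commenting. The check_toc_txt.yml and rstcheck.yml hunks below write the same file and carry the same note.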
From: Randolph Sapp Date: Tue, 28 Apr 2026 15:18:04 -0500 Subject: [PATCH 05/10] ci: trim and document unusual permissions Remove any permissions not explicitly needed at the moment. Add inline comments to explain the use of any remaining unusual workflow permissions. Signed-off-by: Randolph Sapp --- .github/workflows/comment.yml | 2 +- .github/workflows/commit-check.yml | 2 -- .github/workflows/component-owners.yml | 5 +---- .github/workflows/deploy.yml | 3 +-- .github/workflows/docker.yml | 2 +- 5 files changed, 4 insertions(+), 10 deletions(-) diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml index 13e6e739a..88bf508c4 100644 --- a/.github/workflows/comment.yml +++ b/.github/workflows/comment.yml @@ -11,7 +11,7 @@ on: # yamllint disable-line rule:truthy - completed permissions: - pull-requests: write + pull-requests: write # Required to leave a comment on a review jobs: comment: diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml index 5d52fedc5..67a82c82e 100644 --- a/.github/workflows/commit-check.yml +++ b/.github/workflows/commit-check.yml @@ -6,8 +6,6 @@ on: # yamllint disable-line rule:truthy permissions: contents: read - issues: write - pull-requests: write jobs: commit-check: diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml index 59f35f80a..24cef2ff1 100644 --- a/.github/workflows/component-owners.yml +++ b/.github/workflows/component-owners.yml @@ -10,11 +10,8 @@ on: # yamllint disable-line rule:truthy branches: [master] permissions: - # Clamp permissions since pull_request_target workflows granted full - # read/write repository permission by default contents: read - issues: write - pull-requests: write + pull-requests: write # Required to set reviewers jobs: component-owners: diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 7b378d8ee..135432d9d 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
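Review bot: Dropping `issues: write` and `pull-requests: write` from commit-check.yml is only safe if the `commit-check/commit-check-action@v2` step does not enable its PR-comment output, which needs `pull-requests: write`; the step's `with:` block is outside this hunk, so please confirm that option is unset or false. If it is, a short comment such as `contents: read # commit-check-action only needs the job summary` beside the remaining scope would record why no write scope is needed, matching the inline comments this patch adds to comment.yml, component-owners.yml and docker.yml.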
@@ -54,8 +54,7 @@ jobs: runs-on: ubuntu-latest needs: agregate permissions: - pages: write - id-token: write + pages: write # Required for deployment to GitHub Pages steps: - name: Update github page deployment diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index ef0269aef..26af53199 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -13,7 +13,7 @@ env: permissions: contents: read - packages: write + packages: write # Required to push image to ghcr.io jobs: build: From e5d67a74a4adba628cafa0958fa6f2f3163f4f88 Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 15:21:16 -0500 Subject: [PATCH 06/10] ci(build): add a name for the collect job Add a description/name for the collect job in the build workflow. Signed-off-by: Randolph Sapp --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6ad39ce6b..ad5bef3e6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,6 +18,7 @@ permissions: jobs: collect: + name: Collect DEVFAMILY and OS combinations runs-on: ubuntu-latest container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest From 359270867b46b5fb4dcf32c99fa343bf3a834a7c Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 15:25:23 -0500 Subject: [PATCH 07/10] ci(deploy): add a pages concurrency group There can only be one deployment at any one time and it has to be a full snapshot. No piecemeal updates. Might as well use a concurrency limit to kill any other jobs that get in our way. Not that there ever should be any, considering the way this job is launched currently. Signed-off-by: Randolph Sapp --- .github/workflows/deploy.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 135432d9d..87bd3e0ee 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
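Review bot: Removing `id-token: write` from the pages deployment job in deploy.yml is likely to break the deployment rather than tighten it: `actions/deploy-pages` requests an OIDC token to prove the artifact's origin and documents `pages: write` and `id-token: write` as required together. The "Update github page deployment" step body is outside the hunk, so if it deploys by some other mechanism this is moot; otherwise keep both scopes and document the second the way this patch does the others: `id-token: write # Required by deploy-pages to mint the OIDC deployment token`.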
@@ -8,6 +8,10 @@ on: # yamllint disable-line rule:truthy types: - completed +concurrency: + group: pages + cancel-in-progress: true + permissions: contents: read From 149474e241d139d6f97293082c26426b43e6d63e Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 15:55:06 -0500 Subject: [PATCH 08/10] ci(docker): add concurrency group for docker Interactions with tags and publishing container images should be purely sequential. Limit job concurrency to prevent any issues with multiple rapid updates to docker components. Signed-off-by: Randolph Sapp --- .github/workflows/docker.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 26af53199..eb9100110 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -7,6 +7,10 @@ on: # yamllint disable-line rule:truthy - 'docker/**' - requirements.txt +concurrency: + group: docker + cancel-in-progress: true + env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} From 9725d8f29421838cd5430357e696befe2c6e1cd8 Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 16:23:28 -0500 Subject: [PATCH 09/10] ci: assign workflow concurrency groups for prs Assign concurrency groups for PR based workflows to prevent issues with users submitting multiple pushes in a short time. Signed-off-by: Randolph Sapp --- .github/workflows/check-files.yml | 4 ++++ .github/workflows/check_toc_txt.yml | 4 ++++ .github/workflows/commit-check.yml | 4 ++++ .github/workflows/component-owners.yml | 4 ++++ .github/workflows/rstcheck.yml | 4 ++++ .github/workflows/vale.yml | 4 ++++ .github/workflows/yamllint.yml | 4 ++++ 7 files changed, 28 insertions(+) diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml index c76d43ba2..25094d377 100644 --- a/.github/workflows/check-files.yml +++ b/.github/workflows/check-files.yml 
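Review bot: `cancel-in-progress: true` in the new `docker` concurrency group gives latest-wins semantics, not the strictly sequential behaviour the commit message asks for: a run that is part-way through pushing tags can be cancelled by the next push, which can leave only a subset of the tags pointing at the new image. If the goal is no overlap with every started run completing, `cancel-in-progress: false` queues the newer run instead and still collapses redundant pending runs. The `pages` group added to deploy.yml in the previous patch has the same trade-off; GitHub's Pages starter workflow uses `cancel-in-progress: false` so that a production deployment that has already started is allowed to finish.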
@@ -7,6 +7,10 @@ on: # yamllint disable-line rule:truthy paths: - 'source/**' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash diff --git a/.github/workflows/check_toc_txt.yml b/.github/workflows/check_toc_txt.yml index 701d75b1c..7a6f17442 100644 --- a/.github/workflows/check_toc_txt.yml +++ b/.github/workflows/check_toc_txt.yml @@ -8,6 +8,10 @@ on: # yamllint disable-line rule:truthy - 'source/**' - 'configs/*/*_toc.txt' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml index 67a82c82e..8fc3858a1 100644 --- a/.github/workflows/commit-check.yml +++ b/.github/workflows/commit-check.yml @@ -4,6 +4,10 @@ on: # yamllint disable-line rule:truthy pull_request: branches: ['master'] +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + permissions: contents: read diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml index 24cef2ff1..c583311f0 100644 --- a/.github/workflows/component-owners.yml +++ b/.github/workflows/component-owners.yml @@ -9,6 +9,10 @@ on: # yamllint disable-line rule:truthy pull_request_target: branches: [master] +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + permissions: contents: read pull-requests: write # Required to set reviewers diff --git a/.github/workflows/rstcheck.yml b/.github/workflows/rstcheck.yml index fbed08dd3..bbb834dd3 100644 --- a/.github/workflows/rstcheck.yml +++ b/.github/workflows/rstcheck.yml @@ -7,6 +7,10 @@ on: # yamllint disable-line rule:truthy paths: - 'source/**' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash 
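Review bot: `group: ${{ github.workflow }}-${{ github.event.number }}` only yields a per-PR key on `pull_request`/`pull_request_target` events; `github.event.number` is empty for any other trigger, so if one of these workflows is ever also run on `push` or `workflow_dispatch` every such run lands in the same `<workflow>-` group and cancels the previous one. The conventional form falls back to the ref: `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}`. This applies equally to the check_toc_txt.yml, commit-check.yml, component-owners.yml, rstcheck.yml, vale.yml and yamllint.yml hunks in this patch; commit-check.yml, component-owners.yml and vale.yml are visibly PR-only today, while the trigger types of the others are outside their hunks.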
diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml index 48380f19f..4b8b8bb8e 100644 --- a/.github/workflows/vale.yml +++ b/.github/workflows/vale.yml @@ -3,6 +3,10 @@ name: "vale" on: [pull_request] # yamllint disable-line rule:truthy +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml index 25850df5e..56a8ed1d8 100644 --- a/.github/workflows/yamllint.yml +++ b/.github/workflows/yamllint.yml @@ -8,6 +8,10 @@ on: # yamllint disable-line rule:truthy - '**.yaml' - '**.yml' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + permissions: contents: read From 43f4bf94398c2e4017b33716d1b1080956e8da80 Mon Sep 17 00:00:00 2001 From: Randolph Sapp Date: Tue, 28 Apr 2026 16:33:35 -0500 Subject: [PATCH 10/10] ci: remove branch check for ready workflows The commit-check and component-owners workflows are currently ready to run on all branches. Remove the restraints for these two workflows. Other workflows will need to be adjusted before they can be released. Signed-off-by: Randolph Sapp --- .github/workflows/commit-check.yml | 4 +--- .github/workflows/component-owners.yml | 12 +++++------- 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml index 8fc3858a1..9750a3b18 100644 --- a/.github/workflows/commit-check.yml +++ b/.github/workflows/commit-check.yml @@ -1,8 +1,6 @@ --- name: Commit Check -on: # yamllint disable-line rule:truthy - pull_request: - branches: ['master'] +on: [pull_request] # yamllint disable-line rule:truthy concurrency: group: ${{ github.workflow }}-${{ github.event.number }} diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml index c583311f0..cca01ef87 100644 --- a/.github/workflows/component-owners.yml 
+++ b/.github/workflows/component-owners.yml @@ -1,13 +1,11 @@ --- name: "component-owners" -on: # yamllint disable-line rule:truthy - # It's insecure to use pull_request_target if you intend to check out code - # from that PR. This just reads the config file in the pull request base, and - # is not an issue currently. We will need to use this to comment on PRs coming - # from forked repositories. - pull_request_target: - branches: [master] +# It's insecure to use pull_request_target if you intend to check out code +# from that PR. This just reads the config file in the pull request base, and +# is not an issue currently. We will need to use this to comment on PRs coming +# from forked repositories. +on: [pull_request_target] # yamllint disable-line rule:truthy concurrency: group: ${{ github.workflow }}-${{ github.event.number }}