Add concurrency control and job timeouts in CI #343

Open. gtsiolis wants to merge 3 commits into main from devx-939-add-concurrency-control-and-job-timeouts-in-ci

@gtsiolis gtsiolis commented Jun 26, 2026

Closes DEVX-939.

Hardens the CI pipeline with three independent, behavior-preserving improvements.

1. PR concurrency cancellation (.github/workflows/ci.yml)

Every push to a PR currently starts a full CI run (lint + goreleaser-check + unit + 6-way integration matrix) and nothing cancels superseded runs. New group:

```yaml
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
```

  • PRs group by PR number → a new push cancels the older in-flight run.
  • push to main / tags / release fall back to run_id, so each run gets a unique group and is never cancelled or queued. This deliberately protects the reusable workflow_call from automated-release.yml.

2. Per-job timeouts (.github/workflows/ci.yml)

No job set timeout-minutes, leaving the implicit 6-hour default. A hung Docker/e2e job could occupy a runner for hours. Added: lint 10, goreleaser-check 10, test-unit 15, test-integration 45, test-integration-summary 5, release 30.

3. Grouped Dependabot updates (.github/dependabot.yml)

Dependabot could open up to 20 PRs/day (10 gomod + 10 github-actions). Minor/patch updates are now grouped per ecosystem into a single PR; major updates still open individual PRs so breaking bumps stay isolated.

Follow-ups (not in this PR)

  • The major bump path is half-wired: automated-release.yml can compute a major bump, but the release job validates tags against ^v0\.[0-9]+\.[0-9]+$, so a v1+ tag would be created and then fail to publish. Needs a product decision.
  • Inconsistent action pinning (some SHA-pinned, some floating tags); full SHA-pinning + Dependabot is a larger, separate change.
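
The group expression and cancellation behaviour from section 1 above, modelled as an added example that is not part of the PR or the project's code. It also covers the `cancel-in-progress: true` form from the PR's last commit and, as a hypothetical variant, the group key without the `|| github.run_id` fallback. The workflow name `CI`, the run ids and the event list are constructed, and the scheduler is a simplified model (one running and one pending run per group).

```python
from dataclasses import dataclass
from typing import Optional

WORKFLOW = "CI"  # assumed workflow name; the page does not state it

@dataclass(frozen=True)
class Run:
    run_id: int
    event_name: str
    pr_number: Optional[int] = None

def group_key(run, fallback=True):
    # Models ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}.
    # fallback=False drops "|| github.run_id" (hypothetical variant, for comparison only).
    suffix = run.pr_number or (run.run_id if fallback else "")
    return f"{WORKFLOW}-{suffix}"

def simulate(runs, conditional, fallback=True):
    """Start runs in order with none finishing in between (simplified model).
    conditional=True : cancel-in-progress: ${{ github.event_name == 'pull_request' }}
    conditional=False: cancel-in-progress: true
    Returns (cancelled run ids, run ids still pending behind an older run)."""
    running, pending, cancelled = {}, {}, []
    for run in runs:
        key = group_key(run, fallback)
        if key not in running:
            running[key] = run
        elif run.event_name == "pull_request" or not conditional:
            cancelled.append(running[key].run_id)  # superseded run is cancelled
            running[key] = run
        else:
            if key in pending:                     # one pending slot per group
                cancelled.append(pending[key].run_id)
            pending[key] = run
    return cancelled, sorted(r.run_id for r in pending.values())

# Constructed sample: two pushes to PR 343, a push to main, a tag push, a release.
SAMPLE = [
    Run(101, "pull_request", 343),
    Run(102, "pull_request", 343),
    Run(103, "push"),
    Run(104, "push"),
    Run(105, "release"),
]

if __name__ == "__main__":
    for conditional in (True, False):
        for fallback in (True, False):
            print(f"conditional={conditional} fallback={fallback}:",
                  simulate(SAMPLE, conditional, fallback))
```

With the fallback in place, both forms cancel only the superseded PR run 101. Without it, `true` would cancel the main and tag runs, and the conditional form would cancel the queued tag run and leave the release pending.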

@gtsiolis gtsiolis requested a review from a team as a code owner June 26, 2026 11:36
@gtsiolis gtsiolis self-assigned this Jun 26, 2026
@gtsiolis gtsiolis force-pushed the devx-939-add-concurrency-control-and-job-timeouts-in-ci branch from 389a4e1 to c4f861f Compare June 26, 2026 11:37
@gtsiolis gtsiolis added the "semver: patch" and "docs: skip" (Pull request does not require documentation changes) labels Jun 26, 2026
@gtsiolis gtsiolis force-pushed the devx-939-add-concurrency-control-and-job-timeouts-in-ci branch from c4f861f to 98d8c45 Compare June 26, 2026 11:38
@gtsiolis gtsiolis changed the title ci: harden GitHub Actions with concurrency, timeouts, and grouped Dependabot updates Add concurrency control and job timeouts in CI Jun 26, 2026
@gtsiolis gtsiolis force-pushed the devx-939-add-concurrency-control-and-job-timeouts-in-ci branch 2 times, most recently from 29443f9 to 486add7 Compare June 29, 2026 13:34
@gtsiolis

This should be fairly trivial to review, anyone else from @localstack/devx wanna give it a try?

@gtsiolis gtsiolis force-pushed the devx-939-add-concurrency-control-and-job-timeouts-in-ci branch from 02eb96a to 473aad3 Compare June 30, 2026 11:09
gtsiolis and others added 3 commits July 1, 2026 07:03
- Cancel superseded CI runs on the same PR (keyed by PR number); push/tag/
  release runs get unique groups via run_id so the release pipeline's
  workflow_call is never interrupted.
- Add timeout-minutes to every CI job to replace the implicit 6h default.
- Group Dependabot minor/patch updates per ecosystem (gomod, github-actions);
  major updates still open individual PRs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

TestAzStopInterceptionNoOpWhenNotIntercepting is the only az test that runs the
real az binary against a temp HOME on Windows. az spawns background processes
that hold handles open under HOME\.azure, so t.TempDir()'s auto RemoveAll fails
with "being used by another process" and fails an otherwise-passing test.

Use a best-effort temp HOME (azTempHome) that ignores cleanup errors instead.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

The unique-group fallback (github.run_id for non-PR events) already
guarantees push/tag/release runs are never cancelled, so the
github.event_name conditional was redundant with cancel-in-progress: true.
@gtsiolis gtsiolis force-pushed the devx-939-add-concurrency-control-and-job-timeouts-in-ci branch from 473aad3 to 8ea1700 Compare July 1, 2026 07:04