Unify CI concurrency group across trigger events #15

Merged
mariusvniekerk merged 2 commits into main from ci-concurrency-ref-name on Jun 10, 2026

Conversation

@mariusvniekerk (Contributor)

Summary

  • workflow_dispatch runs were grouped by github.ref (refs/heads/<branch>) while pull_request runs were grouped by head_ref (bare branch name), so a dispatched CI run on a branch was never cancelled when a push to the same branch superseded it, and vice versa
  • Use github.ref_name so all trigger events on the same branch share one concurrency group; PR runs and main push runs remain separate groups

🤖 Generated with Claude Code

workflow_dispatch runs grouped by github.ref (refs/heads/branch) while
pull_request runs grouped by head_ref (bare branch name), so a
dispatched run was never cancelled when a push superseded it. Use
ref_name so all trigger events on the same branch share a group.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
roborev-ci Bot commented Jun 10, 2026

roborev: Combined Review (77467b8)

CI concurrency grouping has a Medium severity fork-PR denial-of-service risk.

Medium

  • .github/workflows/ci.yml:16: The concurrency group uses ${{ github.head_ref || github.ref_name }}, which can collide across repositories when refs share the same short branch name. For pull_request events, github.head_ref is controlled by the PR author, including fork authors. A fork PR from a branch named main would use CI-main, colliding with trusted push or workflow_dispatch runs on this repo’s main; with cancel-in-progress: true, that PR can cancel trusted CI runs.

    Fix: Namespace PR concurrency groups so fork PRs cannot collide with trusted branch runs. For example, include the head repository identity, use the PR number, or only separate PRs when github.event.pull_request.head.repo.full_name != github.repository.


Panel: ci_default_security | Synthesis: codex, 27s | Members: codex_default (codex/default, done, 48s), codex_security (codex/security, done, 38s) | Total: 1m53s

head_ref is attacker-controlled on fork PRs: a fork branch named
"main" produced the same concurrency group as trusted push and
workflow_dispatch runs on this repo's main, and with
cancel-in-progress: true a fork PR could cancel trusted CI runs.

The PR number is assigned by the repo, so fork authors cannot steer a
PR run into a branch group. Push and dispatch runs keep sharing a group
per ref_name so a dispatched run is still superseded by a push.
Flagged by roborev review on PR #15.

Generated with Claude Code (claude-fable-5[1m])
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
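The flagged stanza next to a namespaced form, as an added example and not the repository's own ci.yml. The page quotes only the weak expression and `cancel-in-progress: true`; the exact expression in the second stanza is an assumption built from the commit message's statement that the PR number is used and that push and dispatch runs keep sharing a group per ref_name.

```yaml
# Added example, not the repository's ci.yml. Two stanzas separated as
# YAML documents so both can be read side by side.

# Before (the expression the review flagged): github.head_ref is the PR
# author's branch name and is empty for non-PR events. A pull_request
# from a fork whose branch is called "main" evaluates to "CI-main", the
# same group as push and workflow_dispatch runs on this repository's own
# main, so with cancel-in-progress: true that fork PR can cancel trusted
# CI runs.
concurrency:
  group: CI-${{ github.head_ref || github.ref_name }}
  cancel-in-progress: true
---
# After (assumed expression, following the commit message): pull_request
# runs are keyed by the PR number, which the repository assigns, so a
# fork author cannot choose a value that lands in a trusted branch group.
# push and workflow_dispatch events carry no pull_request payload, so
# they fall through to github.ref_name and keep sharing one group per
# branch; a dispatched run is still superseded by a later push to the
# same branch.
concurrency:
  group: CI-${{ github.event.pull_request.number || github.ref_name }}
  cancel-in-progress: true
```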
roborev-ci Bot commented Jun 10, 2026

roborev: Combined Review (4e8dc9e)

No issues found.


Panel: ci_default_security | Synthesis: codex | Members: codex_default (codex/default, done, 35s), codex_security (codex/security, done, 14s) | Total: 49s

@mariusvniekerk mariusvniekerk merged commit 41ac34e into main Jun 10, 2026
8 checks passed
@mariusvniekerk mariusvniekerk deleted the ci-concurrency-ref-name branch June 10, 2026 19:19