ci: harden workflows with timeouts, concurrency, fetch-depth, and modern cross install

Topgrade Tester · Topgrade Tester · commit a6fc6d6ac629 · 2025-11-15T20:54:43.000+01:00
- Add timeout-minutes to all jobs to prevent hung workflows
- Add concurrency groups to cancel redundant runs
- Add fetch-depth: 1 for faster shallow clones
- Replace manual cross download with taiki-e/install-action
- Keep all action SHAs pinned for security
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -21,11 +21,13 @@ jobs:
   fmt:
     name: Rustfmt
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
+          fetch-depth: 1
 
       - name: Run cargo fmt
         env:
@@ -37,11 +39,13 @@ jobs:
   custom-checks:
     name: Custom checks
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
+          fetch-depth: 1
 
       - name: Check if `Step` enum is sorted
         run: |
@@ -138,16 +142,18 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
+          fetch-depth: 1
 
       - name: Setup Rust Cache
         uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
         with:
           prefix-key: ${{ matrix.target }}
 
-      - name: Setup cross
+      - name: Install cross
         if: matrix.use_cross == true
-        run: |
-          curl -fL --retry 3 "https://github.com/cross-rs/cross/releases/download/v${CROSS_VER}/cross-x86_64-unknown-linux-musl.tar.gz" | tar vxz -C /usr/local/bin
+        uses: taiki-e/install-action@0c5db7f7f897c03b771660e91d065338615679f4 # v2.60.0
+        with:
+          tool: cross@${{ env.CROSS_VER }}
 
       - name: Run cargo/cross check
         run: |
diff --git a/.github/workflows/release_to_homebrew.yml b/.github/workflows/release_to_homebrew.yml
@@ -7,9 +7,14 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   homebrew-publish:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
     steps:
     - name: Bump formulae
       uses: dawidd6/action-homebrew-bump-formula@3428a0601bba3173ec0bdcc945be23fa27aa4c31 # v5
diff --git a/.github/workflows/release_to_pypi.yml b/.github/workflows/release_to_pypi.yml
@@ -7,10 +7,15 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   # TODO: make linux/windows/macos/sdist a matrix. See how other workflows do it.
   linux:
     runs-on: ubuntu-latest
+    timeout-minutes: 60
     strategy:
       matrix:
         target: [x86_64, x86, aarch64]
@@ -33,13 +38,15 @@ jobs:
 
   windows:
     runs-on: windows-latest
+    timeout-minutes: 60
     strategy:
       matrix:
         target: [x64, x86]
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
+          fetch-depth: 1
 
       - name: Build wheels
         uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
@@ -54,13 +61,15 @@ jobs:
 
   macos:
     runs-on: macos-latest
+    timeout-minutes: 60
     strategy:
       matrix:
         target: [x86_64, aarch64]
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
+          fetch-depth: 1
 
       - name: Build wheels
         uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
@@ -75,10 +84,12 @@ jobs:
 
   sdist:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
+          fetch-depth: 1
 
       - name: Build sdist
         uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
diff --git a/.github/workflows/release_to_winget.yml b/.github/workflows/release_to_winget.yml
@@ -7,9 +7,14 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   publish:
     runs-on: windows-latest
+    timeout-minutes: 30
     steps:
       - uses: vedantmgoyal2009/winget-releaser@19e706d4c9121098010096f9c495a70a7518b30f # main
         with:
