@niStee niStee commented Nov 1, 2025

What does this PR do?

Hardens existing CI and release workflows with security and reliability best practices.

Changes:

Security hardening:

Reliability improvements:

  • Add timeouts to all jobs (10min for fast jobs, 60-120min for builds)
  • Add concurrency groups to release workflows with cancel-in-progress

Maintenance improvements:

  • Replace manual cross curl install with taiki-e/install-action for easier Renovate updates

Notes:

  • Split from original scope per maintainer feedback - new workflows (CodeQL, cargo-deny) will be added separately

Topgrade Tester added 3 commits November 15, 2025 20:54
…ern cross install

- Add timeout-minutes to all jobs to prevent hung workflows
- Add concurrency groups to cancel redundant runs
- Add fetch-depth: 1 for faster shallow clones
- Replace manual cross download with taiki-e/install-action
- Keep all action SHAs pinned for security
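The PR description and the commit message above list the hardening measures (SHA-pinned actions, timeout-minutes on every job, concurrency groups with cancel-in-progress, fetch-depth: 1, install-action instead of a hand-rolled curl download) but the page does not show the workflow text. The following is an added example, not the project's own workflow or CI code: a constructed "before" and "after" workflow fragment and a small stdlib-only linter that flags the weak patterns. The commit SHAs in the hardened sample are placeholders, not real release commits, and the linter's line-based parsing assumes the two-space job indentation the sample uses.

```python
import re

# Constructed "before" workflow: mutable tag, no timeout, full clone,
# curl-piped tool install, no concurrency group (illustration only).
WEAK = """\
name: CI
on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: curl -sSL https://example.invalid/cross.tar.gz | tar xz -C /usr/local/bin
      - run: cross build --release
"""

# Constructed "after" workflow. The 40-hex SHAs are placeholders, not real
# commits of these actions; in a real repo they come from the pinned release.
HARDENED = """\
name: CI
on: [push, pull_request]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 # placeholder SHA
        with:
          fetch-depth: 1
      - run: cargo test
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 120
    steps:
      - uses: actions/checkout@a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 # placeholder SHA
        with:
          fetch-depth: 1
      - uses: taiki-e/install-action@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
        with:
          tool: cross
      - run: cross build --release
"""

JOB_RE = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")      # job names sit at 2-space indent
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")        # "uses: owner/repo@ref"
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                 # full commit SHA, nothing shorter


def lint_workflow(text: str) -> list[str]:
    """Return findings for a GitHub Actions workflow; an empty list means it passes."""
    lines = text.splitlines()
    findings: list[str] = []
    if not any(line.startswith("concurrency:") for line in lines):
        findings.append("workflow: no top-level concurrency group")
    jobs: dict[str, dict] = {}
    in_jobs, job = False, None
    for line in lines:
        if line.startswith("jobs:"):
            in_jobs = True
            continue
        if not in_jobs:
            continue
        m = JOB_RE.match(line)
        if m:
            job = m.group(1)
            jobs[job] = {"timeout": False, "checkout": False, "fetch_depth": False}
            continue
        if job is None:
            continue
        stripped = line.strip()
        if stripped.startswith("timeout-minutes:"):
            jobs[job]["timeout"] = True
        elif stripped.startswith("fetch-depth:"):
            jobs[job]["fetch_depth"] = True
        m = USES_RE.match(line)
        if m:
            action = m.group(1)
            if action.startswith("actions/checkout@"):
                jobs[job]["checkout"] = True
            if action.startswith(("./", "docker://")):
                continue  # local or container actions are not tag-pinnable
            ref = action.rsplit("@", 1)[1] if "@" in action else ""
            if not SHA_RE.match(ref):
                findings.append(f"{job}: '{action}' is not pinned to a full commit SHA")
    for name, info in jobs.items():
        if not info["timeout"]:
            findings.append(f"{name}: no timeout-minutes")
        if info["checkout"] and not info["fetch_depth"]:
            findings.append(f"{name}: checkout without fetch-depth (full clone)")
    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_workflow(wf) or "ok")
```

The linter deliberately rejects tags and branches such as `@v4`: a tag can be moved to a different commit by whoever controls the action repository, whereas a full SHA is immutable, which is the whole point of the "keep all action SHAs pinned" bullet. Renovate can still bump the SHA and the trailing version comment together, which is why the placeholder comment style is kept.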
@niStee niStee marked this pull request as draft November 15, 2025 20:22
@niStee niStee marked this pull request as ready for review November 15, 2025 23:37
@niStee niStee marked this pull request as draft November 16, 2025 11:19
@niStee niStee changed the title ci(p0): add CodeQL and cargo-deny; harden CI and release workflows ci: harden workflows with pinned actions, timeouts, and concurrency controls Nov 16, 2025
@niStee niStee marked this pull request as ready for review November 16, 2025 12:10
@niStee niStee requested a review from GideonBear November 16, 2025 18:52
@GideonBear (Member)

@niStee Are you using LLMs to write/translate/check your comments?
Your comments are extremely verbose and bloated, seeming to point to that.

niStee commented Nov 17, 2025

@niStee Are you using LLMs to write/translate/check your comments?
Your comments are extremely verbose and bloated, seeming to point to that.

Yes, I use them – for me it's just a smarter spell-checker; if the style bothers you, I can try to make future replies shorter and less formal.

@GideonBear (Member)

The style isn't the problem. It's the length and verbosity. Take this comment:

You're absolutely right. This PR mixes two distinct concerns:

  1. New workflows (CodeQL, cargo-deny)
  2. Hardening existing workflows (timeouts, pinned actions, concurrency groups)

I'll split this into two PRs:

This will make review easier and allow each set of changes to be discussed and merged independently. I'll update this PR shortly to remove the new workflow files.

I would've written this as:

You're right, I'll split it up.

The information you're putting in the comment is mostly duplicated or noisy:

You're absolutely right. This PR mixes two distinct concerns:

  1. New workflows (CodeQL, cargo-deny)
  2. Hardening existing workflows (timeouts, pinned actions, concurrency groups)

That's just what I said but in more words. What benefit do you think it gives to write it out like this?

I'll split this into two PRs:

I can see you changing the title, and I can see you opening a new PR; link them if you so wish, but don't duplicate all this information.

This will make review easier and allow each set of changes to be discussed and merged independently. I'll update this PR shortly to remove the new workflow files.

You seem to understand this. I asked you to split it up, so I assume you know I understand it as well. Why would you need to clarify this?

It looks like you're not putting any effort into your comments, just letting LLMs generate them. Which is quite disrespectful; you're not putting the effort into writing an extensive comment, instead letting an LLM do that, but you expect me to read the entire thing? You're just wasting my time at that point.

(and if you believe it's good to have long verbose communication, perhaps even interpreting that verbose communication with an LLM, then I disagree, and I do not want that type of communication here)

I really don't mind long comments, but they have to be useful. What LLMs tend to do is generate text that looks great on the surface, but when you actually read it, turns out to be full of obvious information, duplication, and useless styling. Which (again) just wastes people's time! A great way to make sure your comment is actually useful is to write it yourself. You'll notice if what you're writing isn't useful information. And if you want to pass it through a spell-checker or an LLM then fine (even though I don't really care, I don't mind bad English at all), but don't post any text that you wouldn't have written yourself.

If I am interpreting this wrong, let me know. It's not my intention to "accuse" you of anything, but I feel like I have to be a bit harsh to keep out any bad faith. I cannot keep reviewing your stuff if you don't improve your communication.
