Context
A workflow audit (run 2026-05-22) surfaced hygiene gaps in this repo's reusable AI workflows that downstream repos inherit.
Findings
CRITICAL — Missing concurrency groups
- .github/workflows/release-please.yml — publishes releases, no concurrency guard
- .github/workflows/update-version-tags.yml — pushes tags, no concurrency guard
WARNING — Missing job-level permissions in write jobs
- .github/workflows/post-merge-tests.yml — runs git push but doesn't declare permissions: contents: write at the job level
- .github/workflows/_ai-merge-gate.yml — uses gh pr review without declaring pull-requests: write at the job level
Action
- Add concurrency groups to release-please and update-version-tags workflows
- Narrow job-level permissions in workflows that perform writes (don't rely on workflow-level inheritance)
- Audit other reusable workflows in .github/workflows/_*.yml for the same patterns
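Both fixes applied to one hypothetical tag-pushing workflow, shown before and after. This is an added illustration, not this repo's actual update-version-tags.yml; the workflow name, script path and job name are assumptions, and the same job-level pattern (pull-requests: write on only the job that runs gh pr review) applies to the merge-gate finding.

```yaml
# BEFORE (hypothetical): contents: write is declared at workflow level, so every
# job inherits it, and two overlapping runs can race on the same tag push.
name: update-version-tags
on:
  push:
    branches: [main]
permissions:
  contents: write
jobs:
  tags:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/update-version-tags.sh   # assumed script that pushes tags
---
# AFTER: runs on the same ref are serialized, the workflow default is read-only,
# and the single job that pushes declares the only write scope it needs.
name: update-version-tags
on:
  push:
    branches: [main]
permissions:
  contents: read            # workflow-level default: nothing can write by inheritance
concurrency:
  group: update-version-tags-${{ github.ref }}
  cancel-in-progress: false # queue, don't cancel: a half-finished tag push is worse than a late one
jobs:
  tags:
    runs-on: ubuntu-latest
    permissions:
      contents: write       # scoped to this job only
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/update-version-tags.sh   # assumed script that pushes tags
```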
References
agentsmd/rules/git-signing.md — App-token pattern, signed commits via Contents API
agentsmd/rules/ci-cd-policy.md