From ee4ff81425357df3a902f0ca248adba2faa0e16b Mon Sep 17 00:00:00 2001 From: XhmikosR Date: Fri, 12 Jun 2026 10:56:41 +0300 Subject: [PATCH] Streamline GitHub Actions * add concurrency * add timeout * add GitHub Actions scanning in CodeQL * remove CodeQL autobuild since it's redundant * fix compress images workflow to commit optimized images to the PR branch --- .../workflows/calibreapp-image-actions.yml | 19 +++++++++----- .github/workflows/ci.yml | 6 +++++ .github/workflows/codeql.yml | 25 ++++++++++++++----- 3 files changed, 38 insertions(+), 12 deletions(-) diff --git a/.github/workflows/calibreapp-image-actions.yml b/.github/workflows/calibreapp-image-actions.yml index 802552f07..020096fd8 100644 --- a/.github/workflows/calibreapp-image-actions.yml +++ b/.github/workflows/calibreapp-image-actions.yml @@ -1,24 +1,31 @@ name: Compress Images on: + # DO NOT CHANGE, must stay pull_request. pull_request_target would hand fork PRs a write token pull_request: paths: - - '**.jpg' - - '**.jpeg' - - '**.png' - - '**.webp' + - "**.jpg" + - "**.jpeg" + - "**.png" + - "**.webp" permissions: contents: read +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: build: - # Only run on Pull Requests within the same repository, and not from forks. + # Only run on Pull Requests within the same repository, and not from forks if: github.event.pull_request.head.repo.full_name == github.repository name: calibreapp/image-actions runs-on: ubuntu-latest + timeout-minutes: 15 permissions: - # allow calibreapp/image-actions to update PRs + # Allow calibreapp/image-actions to commit optimized images and update PRs + contents: write pull-requests: write steps: - name: Clone repository diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 749d6a976..e4597d909 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,9 +14,14 @@ env: permissions: contents: read +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + jobs: test: runs-on: ubuntu-latest + timeout-minutes: 15 steps: - name: Clone repository @@ -44,6 +49,7 @@ jobs: deploy: runs-on: ubuntu-latest + timeout-minutes: 15 needs: test if: github.repository == 'twbs/blog' && github.ref == 'refs/heads/main' permissions: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b1464fdd5..b945dfc59 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -11,15 +11,30 @@ on: - cron: "0 0 * * 0" workflow_dispatch: +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + jobs: analyze: - name: Analyze + name: Analyze (${{ matrix.language }}) runs-on: ubuntu-latest + timeout-minutes: 15 permissions: actions: read contents: read security-events: write + strategy: + fail-fast: false + matrix: + language: + - actions + - javascript-typescript + steps: - name: Checkout repository uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 @@ -29,13 +44,11 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: - languages: "javascript" + languages: "${{ matrix.language }}" + build-mode: none queries: +security-and-quality - - name: Autobuild - uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 - - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: - category: "/language:javascript" + category: "/language:${{ matrix.language }}"