34 changes: 34 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,34 @@
version: 2
updates:
# Keep GitHub Actions up to date. Dependabot can also raise PRs that pin
# actions to commit SHAs, addressing the "unpinned third-party action"
# supply-chain risk without hand-maintaining digests.
- package-ecosystem: 'github-actions'
directory: '/'
schedule:
interval: 'weekly'
labels:
- 'dependencies'
- 'github-actions'

# Keep npm dependencies up to date. Dev/tooling updates are grouped to keep
# PR noise low; runtime dependencies are raised individually for review.
- package-ecosystem: 'npm'
directory: '/'
schedule:
interval: 'weekly'
open-pull-requests-limit: 10
labels:
- 'dependencies'
groups:
dev-dependencies:
dependency-type: 'development'

# Keep the self-hosted PWA Docker base image patched.
- package-ecosystem: 'docker'
directory: '/docker'
schedule:
interval: 'weekly'
labels:
- 'dependencies'
- 'docker'
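Review bot: the header comment on the `github-actions` entry (the "Dependabot can also raise PRs that pin actions to commit SHAs" sentence) overstates what Dependabot does. It keeps actions that are already SHA-pinned up to date (bumping the digest and the trailing `# vN` comment), but it does not rewrite existing `uses: owner/action@vN` tag references to commit SHAs, so the "unpinned third-party action" risk the comment cites stays open until the workflow files are pinned by hand or with a pinning tool. Either reword the comment to "keeps SHA-pinned actions current" or pair this PR with a pinning pass over `.github/workflows/`. One smaller point: the `docker` entry with `directory: '/docker'` only does anything if a Dockerfile actually lives in that folder; Dependabot looks there, not in subdirectories, so confirm the path matches the repo layout.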
9 changes: 9 additions & 0 deletions .github/workflows/ci.yml
@@ -9,6 +9,15 @@ on:
- master
workflow_dispatch:

# Least-privilege default token: this workflow only reads the repo.
permissions:
contents: read

# Cancel superseded runs on the same ref (e.g. rapid pushes to a PR).
concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: true
Review comment on lines 17 to 19:
P2 The current `cancel-in-progress: true` is unconditional, so rapid pushes to `master` (e.g. two PRs merged back-to-back) will cancel each other's CI runs. That means a commit that breaks `master` could silently slip past — the CI for the first merge gets killed before it finishes, and neither run produces a green or red result for that SHA. Cancelling superseded runs is valuable for PR branches but should be disabled for the default branch.

Suggested change:

```suggestion
concurrency:
    group: ci-${{ github.ref }}
    cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
```

jobs:
unit-and-typecheck:
name: Unit Tests and Typechecks
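Review bot: the workflow-level `permissions: contents: read` block is the right default, but note what it does to the rest of the token: once any scope is listed at workflow level, every scope not listed (`pull-requests`, `checks`, `statuses`, `id-token`, `packages`) is set to `none` for every job in this file. If any job under `jobs:` posts a PR comment, publishes check annotations or requests an OIDC token, that step will now fail with a 403. Grant such a scope with a job-level `permissions:` block on that one job rather than widening this top-level block, so the read-only ceiling still applies to `unit-and-typecheck` and any other job that only needs the checkout. On the `concurrency` block, the `ci-${{ github.ref }}` key is fine for PR events (each PR gets its own `refs/pull/N/merge` ref), and the earlier comment's conditional `cancel-in-progress` is the right fix for the `master` case.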
10 changes: 10 additions & 0 deletions .github/workflows/codeql-analysis.yml
@@ -14,6 +14,16 @@ on:
schedule:
- cron: '0 20 * * 3'

# Least-privilege token for CodeQL: read code + Actions, write scan results.
permissions:
actions: read
contents: read
security-events: write

concurrency:
group: codeql-${{ github.ref }}
cancel-in-progress: true

jobs:
analyze:
name: Analyze
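Review bot: the unconditional `cancel-in-progress: true` on the `codeql-${{ github.ref }}` group is riskier here than in ci.yml. Scheduled runs (the visible `cron: '0 20 * * 3'` trigger) execute on the default branch, so their concurrency key is the same `refs/heads/master` as any push-triggered run; if this workflow also runs on pushes to `master` (the context above the cron is not visible in the hunk, so please confirm), a merge landing while the weekly scan is in progress cancels it, and two merges close together cancel each other. Code scanning uses the default-branch results as the baseline that PR alerts are diffed against, so a cancelled run leaves that SHA with no uploaded SARIF rather than with stale results. Make the cancel conditional on the ref not being `master`, with the same `${{ github.ref != 'refs/heads/master' }}` expression proposed for ci.yml, or drop `cancel-in-progress` for this workflow altogether. The `permissions` block itself is correct: `security-events: write` is the scope the CodeQL action needs to upload results, and nothing broader is granted.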
9 changes: 9 additions & 0 deletions .github/workflows/e2e-tests.yaml
@@ -8,6 +8,15 @@ on:
branches:
- master

# Least-privilege default token: E2E only needs to read the repo.
permissions:
contents: read

# Cancel superseded multi-OS E2E runs on the same ref.
concurrency:
group: e2e-${{ github.ref }}
cancel-in-progress: true

jobs:
electron-e2e-tests:
name: Electron E2E on ${{ matrix.os }}
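Review bot: this workflow has the same unconditional `cancel-in-progress: true` as ci.yml, and the visible trigger context (`branches: - master` directly above the new `permissions` block) shows it runs on pushes to `master`, so back-to-back merges cancel each other's E2E runs and the first SHA ends with no pass/fail result. The matrix makes the loss larger: cancelling the group stops every still-running `matrix.os` leg and marks the whole run cancelled, so no OS gets a recorded result for that commit. Use the same conditional as proposed for ci.yml, `cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}`, so superseded PR runs are still cancelled while default-branch runs complete. The `contents: read` permission is adequate as long as the jobs only check out, run tests and upload artifacts (artifact upload uses the runtime token and needs no extra `GITHUB_TOKEN` scope); if a job later needs to comment results on the PR, add `pull-requests: write` at job level rather than here.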