Fix #697: Scope test workflows to PRs and refresh support policy #698
Merged
- testing.yml and ubuntu_test_24_04.yml now run only on pull requests targeting main or 1.6.X, dropping push triggers and the obsolete duckdb/main and dev branch entries.
- SECURITY.md restated as "latest released minor + 1.6.x LTS" with the table updated from the stale 1.5.x baseline.

Branch protection rules for main and 1.6.X still need to be applied manually by an admin via Settings -> Branches; that part of #697 cannot be done from code.

Adds a workflow-level concurrency group keyed on the workflow name and the PR head ref (falling back to github.ref for workflow_dispatch). New runs in the same group cancel the in-flight one, so iterating on a PR no longer queues stale runs alongside the latest.
Summary
Implements the code-changeable parts of #697 plus a related CI hygiene fix:
- .github/workflows/testing.yml and .github/workflows/ubuntu_test_24_04.yml now trigger only on pull_request targeting main or 1.6.X. Push triggers and the unused duckdb/main / dev entries are removed; workflow_dispatch stays on testing.yml for manual debugging runs.
- concurrency group keyed on ${{ github.workflow }}-${{ github.head_ref || github.ref }} with cancel-in-progress: true, so pushing a new commit to a PR cancels the in-flight run on the same PR instead of letting stale runs accumulate. For workflow_dispatch the fallback to github.ref keeps the same per-branch grouping.
- SECURITY.md rewritten so the policy is stated in prose (latest released minor + 1.6.x LTS) with the table updated from the stale 1.5.x baseline to 1.6.x.

Important

Branch protection rules for main and 1.6.X are not included in this PR — they must be configured by an admin through Settings -> Branches after this merges. The remaining checklist items in #697 (require PR, require approvals, require status checks, linear history, no admin bypass, etc.) are tracked there.

Checklist

- ruff format, ruff check, mypy) — N/A: pure YAML/Markdown changes, no Python touched.
- pytest) — N/A for this change; the workflow trigger change itself will be exercised once this PR runs CI.
- SECURITY.md updated.

Impact / Risk

- main (or to duckdb/main / dev). Once branch protection is enabled, the PR-only triggers are sufficient because main can only receive code via PRs anyway. Until branch protection lands, a direct push to main would skip CI — coordinate the admin step soon after this merges.
- 1.5.x as a supported security line; 1.6.x is now the LTS line alongside the latest minor.

Notes

- yaml.safe_load.
- testing, Ubuntu 24.04 Tests, check-versions) to Required status checks on the main and 1.6.X rules, per the checklist in Harden main and 1.6.X branches, scope test workflows, and refresh support policy #697.

Closes #697
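
The trigger and concurrency settings described in the summary, written out as an added sketch. This is not the project's actual workflow file: the workflow name, job and step are placeholders, and the commented "before" block is constructed from the description rather than copied from the repository.

```yaml
# Added sketch; name, job and step are placeholders (assumptions).
name: testing

# Before (constructed from the description; the original layout is not shown on the page):
# on:
#   push:
#     branches: [main, duckdb/main, dev]
#   pull_request:
#     branches: [main, duckdb/main, dev]

on:
  pull_request:
    # Only PRs whose base branch is main or 1.6.X start a run.
    branches:
      - main
      - '1.6.X'
  # Per the summary, kept on testing.yml only, for manual debugging runs.
  workflow_dispatch:

concurrency:
  # github.head_ref is set only on pull_request events. On workflow_dispatch
  # it is empty, so the expression falls back to github.ref and runs are
  # still grouped per branch.
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  # A newer run in the same group cancels the one still in flight.
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest        # placeholder runner
    steps:
      - run: echo "placeholder step"
```

With no push trigger, nothing in this file runs on a direct push to main, which is why the description ties the change to enabling branch protection.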