hypatia: detect read-only check workflows missing concurrency block (from #333 cohort, pattern 6)

[hyperpolymath]

Detector spec (from hypatia#333 Pattern 6)

Pattern 6 — Read-only check workflow missing concurrency: block

Severity: low (runner-cost waste on rapid-push PRs)

Detection (Hypatia.Rules.WorkflowAudit):

• For each workflow file:
  • If on: includes pull_request or push, AND no top-level concurrency: block, AND permissions: is read-all or only has read scopes, flag.
  • The read-only condition is the safety gate — cancel-in-progress: true is only safe when the workflow doesn't publish/mutate.

Worked examples (this session):

• affinescript/.github/workflows/{ci,semgrep,stdlib-naming,spark-theatre-gate,workflow-linter}.yml all lacked concurrency blocks. Fix: affinescript#379 added the estate-standard {group: workflow-ref, cancel-in-progress: true} pattern.

Remediation guidance to emit:

Read-only check workflows should add the canonical block:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

Skip for workflows that publish (release, JSR, npm) — superseding a publish is unsafe.

Implementation pointers

• Detection algorithm: For each workflow, if on: includes pull_request/push AND no top-level concurrency: AND permissions: is read-all or read-only scopes, flag. Read-only condition is the safety gate.
• Real-world example: affinescript/.github/workflows/{ci,semgrep,stdlib-naming,spark-theatre-gate,workflow-linter}.yml all lacked concurrency blocks.
• Landed fix (reference): affinescript#379 (added estate-standard {group: workflow-ref, cancel-in-progress: true} pattern).
• Rule statement: Read-only check workflows should add the canonical concurrency: { group: ${{ github.workflow }}-${{ github.ref }}, cancel-in-progress: true } block. Skip for workflows that publish (release, JSR, npm) — superseding a publish is unsafe.

Acceptance

• Rule encoded in hypatia (file path follows existing rule naming convention — lib/rules/<name>.ex if Elixir, or matching the repo's rule DSL)
• Test fixture exercising the positive case + at least one negative case
• Smoke test passes against the cited landed-fix repo

Source cohort: hypatia#333.

[hyperpolymath]

cicd triage 2026-05-30 — scoped plan + park

PR #403 ships the first batch of 4 rules from this cohort (#336, #337, #338, #390). This issue is in the next batch; landing it requires more substantial work than the first four:

Detection: for each workflow, if (on: includes pull_request/push) AND (no top-level concurrency:) AND (permissions: is read-all or read-only scopes), flag. Add to lib/rules/workflow_audit.ex as WF024.

The issue body is the implementation spec (detection algorithm + worked example + remediation guidance — well-formed). Next-batch PR will pick this up. Leaving open with cicd label.

[hyperpolymath]

Superseded: already implemented as WH007 (wh007_missing_concurrency in lib/rules/workflow_hardening.ex line 458). Detects workflow files missing a top-level concurrency: block on PR/push triggers. Closing.