Fix secure image build to require single approval for all node types#8522

Merged
j1010001 merged 1 commit into master from jan/fix-secure-build-workflow, Apr 7, 2026

@j1010001 j1010001 commented Apr 7, 2026

This workflow used to work in a way that presented approval for all private image builds (all node types). Now it only presents one image build approval and we must wait until the build is finished and only then we can approve another image, so this makes this very slow and painful, requiring multiple approvals for all node types.
Likely root-cause was: 32fae53#diff-28c4d7956687a734acfd9629ddffb1a980c1228b92364743dfc80e08db2fc398R127 - this PR reverts the introduction of max-parallel: 1 parameter for secure build.

When max-parallel: 1 is set on a matrix job that also has an environment: gate, GitHub Actions processes matrix instances sequentially — each instance arrives at the environment's required-reviewer gate in isolation, triggering a separate approval prompt. With 6 roles in the matrix, this produced 6 sequential approvals instead of one.

Removing max-parallel: 1 allows all matrix instances to start simultaneously. Since they all target the same secure builds environment, GitHub batches them into a single approval request.

Summary by CodeRabbit

  • Chores
    • Optimized CI/CD pipeline by enabling parallel execution of role builds, potentially reducing overall build times.

@j1010001 j1010001 requested a review from a team as a code owner April 7, 2026 21:31
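
The configuration change described in the PR description above, as an added illustrative fragment. It is not the contents of the project's image_builds.yml: the workflow name, trigger, runner, job ids and build step are assumptions, while the role list and the environment name follow the wording on this page.

```yaml
# Constructed example; not the contents of .github/workflows/image_builds.yml.
# Assumptions: workflow name, trigger, runner, job ids and the build step.
# The environment name follows the PR description's wording ("secure builds")
# and may be spelled differently in the repository.
# The two jobs sit side by side only for comparison.
name: secure-image-build-example
on:
  workflow_dispatch:

jobs:
  # Before: the form the PR description reports as prompting once per role.
  # max-parallel: 1 allows one matrix instance at a time, so each instance
  # reaches the environment's required-reviewer gate on its own.
  secure-build-before:
    runs-on: ubuntu-latest
    environment: "secure builds"
    strategy:
      max-parallel: 1
      matrix:
        role: [access, collection, consensus, execution, observer, verification]
    steps:
      - name: Build private image (placeholder step)
        env:
          ROLE: ${{ matrix.role }}  # passed via env, not inlined into the script
        run: echo "building image for role $ROLE"

  # After: max-parallel removed. All six instances start together against the
  # same protected environment, which the PR description reports as producing
  # a single approval request. The reviewer gate itself is unchanged.
  secure-build-after:
    runs-on: ubuntu-latest
    environment: "secure builds"
    strategy:
      matrix:
        role: [access, collection, consensus, execution, observer, verification]
    steps:
      - name: Build private image (placeholder step)
        env:
          ROLE: ${{ matrix.role }}
        run: echo "building image for role $ROLE"
```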

github-actions Bot commented Apr 7, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA b6a1128.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None


coderabbitai Bot commented Apr 7, 2026

Walkthrough

The pull request removes the strategy.max-parallel: 1 concurrency constraint from the secure-build job in the GitHub Actions workflow, allowing role-based builds to execute in parallel instead of sequentially under default GitHub Actions concurrency behavior.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Workflow Configuration: .github/workflows/image_builds.yml | Removed strategy.max-parallel: 1 from the secure-build job, enabling parallel matrix execution across roles (access, collection, consensus, execution, observer, verification) instead of sequential processing. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 With one constraint removed so bold,
The parallel flows now can unfold!
Six roles together, no waiting in line,
Our builds now dance in perfect time! 🚀✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Title check | ✅ Passed | The PR title 'Fix secure image build to require single approval for all node types' accurately describes the main objective: removing max-parallel: 1 to restore single approval batching for concurrent matrix builds across all node types. |


@j1010001 j1010001 requested review from Kay-Zee and manny-yes April 7, 2026 21:31
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.

@manny-yes manny-yes had a problem deploying to collection image promotion to public registry April 7, 2026 21:36 — with GitHub Actions Failure
@manny-yes manny-yes had a problem deploying to access image promotion to public registry April 7, 2026 21:36 — with GitHub Actions Failure
@manny-yes manny-yes had a problem deploying to observer image promotion to public registry April 7, 2026 21:36 — with GitHub Actions Failure
@manny-yes manny-yes had a problem deploying to access image promotion to partner registry April 7, 2026 21:36 — with GitHub Actions Failure
@manny-yes manny-yes had a problem deploying to execution image promotion to public registry April 7, 2026 21:36 — with GitHub Actions Failure
@manny-yes manny-yes had a problem deploying to consensus image promotion to public registry April 7, 2026 21:36 — with GitHub Actions Failure
@manny-yes manny-yes had a problem deploying to verification image promotion to public registry April 7, 2026 21:36 — with GitHub Actions Failure
@manny-yes manny-yes had a problem deploying to verification image promotion to public registry April 7, 2026 21:55 — with GitHub Actions Failure
@manny-yes manny-yes had a problem deploying to access image promotion to partner registry April 7, 2026 21:55 — with GitHub Actions Failure
@manny-yes manny-yes had a problem deploying to collection image promotion to public registry April 7, 2026 21:55 — with GitHub Actions Failure
@manny-yes manny-yes had a problem deploying to observer image promotion to public registry April 7, 2026 21:55 — with GitHub Actions Failure
@manny-yes manny-yes had a problem deploying to access image promotion to public registry April 7, 2026 21:55 — with GitHub Actions Failure
@manny-yes manny-yes had a problem deploying to execution image promotion to public registry April 7, 2026 21:55 — with GitHub Actions Failure
@manny-yes manny-yes had a problem deploying to consensus image promotion to public registry April 7, 2026 21:55 — with GitHub Actions Failure

j1010001 commented Apr 7, 2026

tested on this build: https://github.com/onflow/flow-go/actions/runs/24105973354, working as expected, one approval kicks off the build for all node types.

@j1010001 j1010001 requested a review from vishalchangrani April 7, 2026 22:06
@j1010001 j1010001 changed the title from "remove max-parallel param" to "Fix secure image build to require single approval for all node types" Apr 7, 2026
@j1010001 j1010001 added this pull request to the merge queue Apr 7, 2026
Merged via the queue into master with commit 7ce557d Apr 7, 2026
69 of 89 checks passed
@j1010001 j1010001 deleted the jan/fix-secure-build-workflow branch April 7, 2026 22:26