
Tighten workflow permissions and add concurrency guards #9

Merged
shayancoin merged 1 commit into main from codex/update-github-workflows-with-concurrency-and-permissions on Oct 15, 2025

Conversation

@shayancoin (Owner) commented Oct 15, 2025

Summary

  • add a shared concurrency group and explicit permissions to the CI workflow
  • tighten docs workflow permissions while preserving publish rights for the deploy job
  • declare minimal permissions and a workflow-level concurrency guard for the perf-light run

Testing

  • not run

https://chatgpt.com/codex/tasks/task_e_68eefbf06e188330b99091c6303b0e42

Summary by CodeRabbit

  • Chores
    • Improved CI reliability by canceling redundant runs when new commits arrive.
    • Tightened workflow permissions to enhance security, granting write access only where required.
    • Streamlined triggers to run on main pushes, reducing unnecessary builds.
    • Standardized concurrency settings across workflows for consistent behavior and faster feedback.

@coderabbitai (Contributor) coderabbitai bot commented Oct 15, 2025

Walkthrough

Updated GitHub Actions workflows to set explicit top-level permissions and concurrency policies, adjusted triggers for CI to push-on-main, added deploy-job permissions in docs, and moved per-job concurrency in perf-light to a top-level concurrency block.

Changes

Cohort / File(s) and summary

CI workflow (.github/workflows/ci.yml)
  Added permissions (contents: read, actions: read, checks: write). Introduced top-level concurrency with group ${{ github.workflow }}-${{ github.ref }} and cancel-in-progress: true. Limited push trigger to main.

Docs workflow (.github/workflows/docs.yml)
  Changed top-level permissions from contents: write to contents: read. Added top-level concurrency with group ${{ github.workflow }}-${{ github.ref }} and cancel-in-progress: true. Added per-job permissions contents: write for deploy job.

Perf-light workflow (.github/workflows/perf-light.yml)
  Added top-level permissions contents: read. Added top-level concurrency with group ${{ github.workflow }}-${{ github.ref }} and cancel-in-progress: true. Removed per-job concurrency from k6 job.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub (Workflow Dispatcher)
  participant WF as Workflow Run
  participant Q as Concurrency Group
  participant Job as Jobs (build/test/deploy)

  Dev->>GH: Push / PR event
  GH->>Q: Check group = ${workflow}-${ref}
  alt Another run in-progress
    Q-->>WF: Cancel in-progress (if same group)
  end
  GH->>WF: Start workflow with scoped permissions
  par CI/Docs/Perf-light
    WF->>Job: Run with top-level permissions
    note over Job: Docs deploy elevates to contents: write
  end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A rabbit taps the workflow drum,
Concurrency hums—old runs succumb.
Permissions trimmed, the badges gleam,
Deploy gets write to ship the dream.
Three YAML burrows, neat and tight—
Hop, commit, and merge by night. 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Description Check: ⚠️ Warning
  Explanation: The PR description uses 'Summary' and 'Testing' headings instead of the repository's required 'PR Type', 'Short Description', and 'Tests Added' sections, resulting in missing information about the change classification and test coverage. Because these mandatory template fields are omitted, reviewers cannot quickly determine the type of change or whether tests were added. The description therefore does not conform to the repository's PR template.
  Resolution: Please update the PR description to include the required template sections: a 'PR Type' indicating whether this is a Feature, Fix, Documentation, or Other change, a concise 'Short Description' summarizing the modifications, and a 'Tests Added' section detailing any new tests or confirming none were added. Map the existing 'Summary' content under 'Short Description' and clarify test status in 'Tests Added' to align with the template and support reviewer clarity.

✅ Passed checks (2 passed)

Title Check: ✅ Passed
  The title clearly captures the primary change by stating that workflow permissions are being tightened and concurrency guards are being added, which directly reflects the modifications in the CI, docs, and perf-light workflows. It is concise, specific, and uses descriptive language without extraneous details. This enables teammates to quickly understand the purpose of the pull request.

Docstring Coverage: ✅ Passed
  No functions found in the changes. Docstring coverage check skipped.
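The permission and concurrency layout the walkthrough describes, written out as one complete workflow. This is an added example, not a file from this repository: a read-only floor at the top level, a write scope requested only by the job that publishes, and a concurrency key that includes the event name (the variant the ci.yml review on this PR suggests) so runs triggered by different event types never share a group. The job names, the make targets and the peaceiris/actions-gh-pages deploy step are assumptions chosen for illustration.

```yaml
name: ci

on:
  push:
    branches: [main]
  pull_request:

# Listing any scope under permissions: sets every scope that is not listed to
# "none", so this block is the floor for every job in the file. Jobs that need
# more request it in their own permissions: block instead of widening this one.
permissions:
  contents: read

# One run per workflow, event type and ref. Adding github.event_name to the key
# keeps a push-triggered run and a pull_request-triggered run in separate
# groups, so neither can cancel the other.
concurrency:
  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the read-only floor; no permissions: block is needed here.
    steps:
      - uses: actions/checkout@v5
      - run: make test            # placeholder build command (assumed)

  publish-docs:
    needs: test
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Only this job can write to the repository (it pushes the gh-pages
    # branch); the scope lives on the job, not at the top of the file.
    permissions:
      contents: write
    # cancel-in-progress above applies to the whole run, this job included.
    # If a half-finished publish must never be cancelled, give this job its
    # own concurrency block with cancel-in-progress: false.
    concurrency:
      group: ${{ github.workflow }}-publish
      cancel-in-progress: false
    steps:
      - uses: actions/checkout@v5
      - run: make docs            # placeholder docs build (assumed)
      - uses: peaceiris/actions-gh-pages@v4   # assumed deploy action
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./site
```

The shape to keep in mind when reviewing diffs like this PR's: every scope a job actually uses must appear either at the top level or on that job, because an explicit permissions: map removes the defaults rather than adding to them.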

@chatgpt-codex-connector (bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.


Comment on lines 1 to +6
name: perf-light

permissions:
contents: read

concurrency:
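Review bot: the quoted block stops at a bare `concurrency:` key, so this excerpt does not show the `group:` and `cancel-in-progress:` values the walkthrough attributes to perf-light.yml, and the CI annotations on this PR report check-yaml failing to parse the same file at lines 45-46 while the description lists testing as "not run". The artifact-permission failure predicted in this comment has therefore not been observed either way; get a parsing workflow and one completed run of the k6 job on this branch before deciding whether `actions: write` has to be added, since the run result rather than the prediction settles it.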


P1: Restore actions scope for perf-light artifacts

The new workflow-level permissions restrict the token to contents: read only, which implicitly sets the actions scope to none. The k6 job still calls actions/upload-artifact@v4 to publish the perf summary, and that action requires actions: write on the GITHUB_TOKEN. In its current state the workflow will fail on the upload step with "Resource not accessible by integration" whenever the perf-light job runs. Consider adding back actions: write (or removing the artifact upload) so the job can complete.


@coderabbitai (Contributor) coderabbitai bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/perf-light.yml (1)

40-86: Indent heredoc terminator to match run-block indentation (.github/workflows/perf-light.yml:84)
The closing PY must be indented exactly as the python - <<'PY' line under run: | so the YAML block parses correctly.

.github/workflows/docs.yml (1)

10-45: Use recursive globs (**/*.ext) or a brace pattern for paths
The current '**.py', '**.ts', etc. won’t match files in subdirectories. Under both push.paths and pull_request.paths, replace those entries with either individual **/*.ext globs or collapse into:

- '**/*.{py,ts,tsx,js,jsx,html,md,png,svg}'
📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 102fc53 and e0685dc.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml (1 hunks)
  • .github/workflows/docs.yml (2 hunks)
  • .github/workflows/perf-light.yml (1 hunks)
🧰 Additional context used
🪛 GitHub Actions: CI
.github/workflows/perf-light.yml

[error] 45-46: check-yaml: Could not parse simple key: missing ':' in perf-light.yml at lines 45-46.


[error] 1-1: check-yaml: YAML syntax error detected in workflow configuration.

.github/workflows/ci.yml

[error] 1-1: Process completed with exit code 1. The CI pipeline failed due to multiple lint, type, and YAML configuration errors.

🔇 Additional comments (4)
.github/workflows/ci.yml (1)

8-10: Concurrency group looks good

Workflow+ref grouping with cancel-in-progress is a solid default for CI.

If you intend different behavior for PRs vs. pushes, consider ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }} to avoid cross-cancellation between PR and push runs on the same ref.

.github/workflows/docs.yml (2)

4-8: Good: minimal top-level permissions and concurrency guard

Contents read at top-level and deploy-only write scoped to the job is correct. Concurrency setting is appropriate.


98-99: Deploy job permission scope is correct

Granting contents: write only for the deploy job aligns with least-privilege best practices.

.github/workflows/perf-light.yml (1)

3-9: Good: minimal permissions and workflow-level concurrency

Contents read and a workflow+ref concurrency group with cancel-in-progress is appropriate.

Comment on lines +3 to +6
permissions:
contents: read
actions: read
checks: write
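Review bot: this block is the floor for every job in ci.yml, and because any scope left out of an explicit `permissions:` map becomes none (the Codex comment on perf-light makes the same point), `actions: read` and `checks: write` here are deliberate grants rather than leftovers of the default token. `checks: write` lets every job in the file create or update check runs on the commit; if a single test-report step is the only consumer, move the scope to that job's own `permissions:` block, mirroring how docs.yml keeps `contents: write` on the deploy job only.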

🛠️ Refactor suggestion | 🟠 Major

Trim workflow-level permissions to least privilege

actions: read and checks: write are rarely needed at the workflow level. Prefer only contents: read and elevate per-job if a step truly requires more.

 permissions:
   contents: read
-  actions: read
-  checks: write
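Review bot: this suggestion deletes the two scopes but adds no job-level `permissions:` block anywhere, so committing it as-is removes `checks: write` from whichever job, if any, publishes check results. Land the deletion together with the per-job grant the accompanying text asks for, and since the PR's Testing section says "not run", confirm with one run on the branch that no job now fails on a missing scope.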
🤖 Prompt for AI Agents
In .github/workflows/ci.yml around lines 3 to 6, the workflow-level permissions
are too broad (actions: read and checks: write); remove those two entries and
keep only contents: read at the workflow level, then add per-job permissions
blocks for any job that actually requires actions: read or checks: write so
privileges are least-privilege and scoped to only the jobs/steps that need them.

group: perf-${{ github.ref }}
cancel-in-progress: true
steps:
- uses: actions/checkout@v4
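Review bot: `group: perf-${{ github.ref }}` and `cancel-in-progress: true` appear here directly above `steps:` with no `concurrency:` parent key, while the walkthrough states the per-job concurrency was removed from the k6 job. Either the removal left these two child lines behind, which also needs reconciling with the check-yaml parse failure reported for this file, or the excerpt lost the parent. If the lines survive in the file, delete them: the top-level `${{ github.workflow }}-${{ github.ref }}` group already covers this job, and a second group named `perf-...` would put the same run in two groups with different cancellation behaviour.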

🧹 Nitpick | 🔵 Trivial

Use latest checkout action for consistency

CI/docs use actions/checkout@v5. Align here too.

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
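Review bot: the hunk swaps one floating major tag for another; `@v5` resolves to whatever commit upstream moves the tag to, so the bump buys consistency with ci.yml and docs.yml but not reproducibility. For a PR whose purpose is tightening what the workflow token can do, pin `actions/checkout` (and the other actions in all three workflows) to a full commit SHA with the version as a trailing comment, and apply the same pin in ci.yml and docs.yml rather than aligning all three on a mutable tag.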
🤖 Prompt for AI Agents
In .github/workflows/perf-light.yml around line 18 the workflow pins
actions/checkout to v4; update the checkout action reference to
actions/checkout@v5 to match other CI/docs for consistency and ensure any v5
fixes/features are used by replacing the version string.

@shayancoin shayancoin merged commit e60d4a8 into main Oct 15, 2025
2 of 6 checks passed