From cc6250e983b349d719fe47344efab3504eeb5dab Mon Sep 17 00:00:00 2001
From: Lukas Wuttke <lukas@tracebloc.io>
Date: Wed, 17 Jun 2026 18:02:06 +0200
Subject: [PATCH] ci: add concurrency cancellation + job timeouts to cli CI

Adds a per-ref concurrency group (cancels superseded PR runs only;
push/tag/schedule never cancelled) and timeout-minutes to every job, so
stale PR pushes stop wasting runner time and hung steps (kind boot, cosign)
can't run to the 6h default. No change to job behavior.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 .github/workflows/build.yml   | 8 ++++++++
 .github/workflows/e2e.yml     | 5 +++++
 .github/workflows/release.yml | 7 +++++++
 3 files changed, 20 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d1c8dba..d927706 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -14,8 +14,13 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: build-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
   schema-drift:
+    timeout-minutes: 10
     name: Schema drift check
     # Verifies the embedded internal/schema/ingest.v1.json matches
     # tracebloc/data-ingestors' master. A green PR that silently
@@ -30,6 +35,7 @@ jobs:
         run: ./scripts/sync-schema.sh --check
 
   test:
+    timeout-minutes: 15
     name: Test
     runs-on: ubuntu-latest
     steps:
@@ -52,6 +58,7 @@ jobs:
         run: go test -race -cover ./...
 
   lint:
+    timeout-minutes: 10
     name: Lint
     runs-on: ubuntu-latest
     steps:
@@ -103,6 +110,7 @@ jobs:
           misspell -error .
 
   build:
+    timeout-minutes: 20
     name: Build (${{ matrix.os }}/${{ matrix.arch }})
     runs-on: ubuntu-latest
     strategy:
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 660921c..10a0beb 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -21,8 +21,13 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: e2e-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
   integration:
+    timeout-minutes: 30
     name: Integration (kind)
     runs-on: ubuntu-latest
     # Skip on PRs that aren't explicitly opted in via the `e2e` label;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1468f1c..0a8f889 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -44,8 +44,13 @@ permissions:
   contents: write  # create / update the GitHub Release
   id-token: write  # cosign keyless OIDC
 
+concurrency:
+  group: release-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
   release:
+    timeout-minutes: 20
     name: Build + sign + publish
     runs-on: ubuntu-latest
     strategy:
@@ -158,6 +163,7 @@ jobs:
           if-no-files-found: error
 
   publish:
+    timeout-minutes: 20
     name: Aggregate + create GitHub Release
     runs-on: ubuntu-latest
     needs: release
@@ -220,6 +226,7 @@ jobs:
   # add a HOMEBREW_TAP_TOKEN repo secret with write access to
   # tracebloc/homebrew-tap) when that repo exists.
   bump-homebrew-tap:
+    timeout-minutes: 20
     name: Bump Homebrew tap formula
     runs-on: ubuntu-latest
     needs: publish