From a2ea65c35b8e8861adbf22a0f3c1965a80d4ac62 Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Tue, 26 May 2026 09:59:10 +0100 Subject: [PATCH] ci: add concurrency blocks to 5 read-only workflows + drop dead master-branch triggers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Five workflows in this repo run on every PR push but lack a concurrency block. When a contributor force-pushes or rapid-pushes to a PR branch, each new push spawns a fresh run while the previous one keeps consuming a runner slot — they pile up and serialise rather than cancelling. The repo already has the canonical pattern in codeql.yml, governance.yml, hypatia-scan.yml, panic-attack.yml, and scorecard-enforcer.yml: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true Apply the same pattern (with the standard "read-only check workflows" comment) to: - ci.yml - semgrep.yml - stdlib-naming.yml - spark-theatre-gate.yml - workflow-linter.yml All five are read-only check workflows (no publish, no mutation), so cancel-in-progress is always safe — the superseded run was about to report a stale result anyway. Drive-by: drop `master` from the branch triggers in semgrep.yml and spark-theatre-gate.yml. The repo's default and only long-lived branch is `main`; the `master` entries were dead. Refs estate CI hygiene audit 2026-05-26. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/ci.yml | 6 ++++++ .github/workflows/semgrep.yml | 10 ++++++++-- .github/workflows/spark-theatre-gate.yml | 8 +++++++- .github/workflows/stdlib-naming.yml | 6 ++++++ .github/workflows/workflow-linter.yml | 6 ++++++ 5 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1e5c8eee..916ecd28 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,6 +10,12 @@ on:
 permissions:
 contents: read
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index f272e06f..58d2048e 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -3,15 +3,21 @@ name: Semgrep SAST
 on:
 push:
- branches: [main, master]
+ branches: [main]
 pull_request:
- branches: [main, master]
+ branches: [main]
 schedule:
 - cron: '0 5 * * 1'
 workflow_dispatch:
 permissions: read-all
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 jobs:
 semgrep:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/spark-theatre-gate.yml b/.github/workflows/spark-theatre-gate.yml
index e6899fbf..fa536904 100644
--- a/.github/workflows/spark-theatre-gate.yml
+++ b/.github/workflows/spark-theatre-gate.yml
@@ -8,11 +8,17 @@ name: SPARK Theatre Gate
 on:
 pull_request:
 push:
- branches: [main, master]
+ branches: [main]
 permissions:
 contents: read
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 jobs:
 spark-theatre-gate:
 uses: hyperpolymath/standards/.github/workflows/spark-theatre-gate.yml@462003782f3ebb93ea763e81d0d199ce13ef7d73
diff --git a/.github/workflows/stdlib-naming.yml b/.github/workflows/stdlib-naming.yml
index 8a262d50..3f3cb37a 100644
--- a/.github/workflows/stdlib-naming.yml
+++ b/.github/workflows/stdlib-naming.yml
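Review bot: `cancel-in-progress: true` with a group keyed only on `github.workflow` and `github.ref` also cancels runs on long-lived branches, not just superseded PR runs. If this workflow triggers on pushes to `main` (the `on:` block is outside the hunk), two merges in quick succession leave the earlier commit with a cancelled check instead of a result. That contradicts the "always safe" wording in the added comment and leaves gaps in the per-commit record used to find which merge introduced a failure. Limiting cancellation to PR events keeps the runner savings: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The identical block is added to semgrep.yml, spark-theatre-gate.yml, stdlib-naming.yml and workflow-linter.yml; the first two visibly trigger on push to `main`.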
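Review bot: The `schedule` and `workflow_dispatch` triggers kept in semgrep.yml normally run against the default branch, so they would share the new concurrency group with every push to `main`. A merge that lands while the weekly cron scan is running cancels that scan, and a manually dispatched scan can be cancelled the same way. Whether the push-triggered run is an equivalent replacement depends on the job steps, which are outside the hunk. Adding the event to the key keeps the runs apart: `group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}`.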
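Review bot: The job visible at the end of the spark-theatre-gate.yml hunk is a `uses:` call to a reusable workflow, and inside a called workflow `github.workflow` and `github.ref` take the caller's values. If the pinned hyperpolymath/standards revision declares the same `${{ github.workflow }}-${{ github.ref }}` group (its contents are not visible here), caller and callee resolve to one group and GitHub can cancel the run or report a concurrency deadlock. Confirm this against the pinned file before merging; if it does declare one, give this caller a distinct key, for example `group: caller-${{ github.workflow }}-${{ github.ref }}`. The job definition continues outside the hunk.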
@@ -20,6 +20,12 @@ on:
 permissions:
 contents: read
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 jobs:
 enforce-lowercase-stdlib:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml
index 02b2e76e..99968724 100644
--- a/.github/workflows/workflow-linter.yml
+++ b/.github/workflows/workflow-linter.yml
@@ -12,6 +12,12 @@ on:
 permissions: read-all
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 jobs:
 lint-workflows:
 runs-on: ubuntu-latest