diff --git a/.github/workflows/container-policy.yml b/.github/workflows/container-policy.yml index 28207e3..582dba9 100644 --- a/.github/workflows/container-policy.yml +++ b/.github/workflows/container-policy.yml @@ -1,6 +1,15 @@ # SPDX-License-Identifier: AGPL-3.0-or-later name: Container Policy -on: [push, pull_request] +on: + push: + branches: [main, master] + pull_request: + +# Estate guardrail: scope push to default branches (PR fires once, not +# push+PR) and cancel superseded runs. Safe — read-only PR check. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions: read-all diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml index 3a27f56..3f7b334 100644 --- a/.github/workflows/guix-nix-policy.yml +++ b/.github/workflows/guix-nix-policy.yml @@ -1,6 +1,15 @@ # SPDX-License-Identifier: AGPL-3.0-or-later name: Guix/Nix Package Policy -on: [push, pull_request] +on: + push: + branches: [main, master] + pull_request: + +# Estate guardrail: scope push to default branches (PR fires once, not +# push+PR) and cancel superseded runs. Safe — read-only PR check. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions: read-all diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index 68972c5..4898668 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -1,6 +1,15 @@ # SPDX-License-Identifier: AGPL-3.0-or-later name: Code Quality -on: [push, pull_request] +on: + push: + branches: [main, master] + pull_request: + +# Estate guardrail: scope push to default branches (PR fires once, not +# push+PR) and cancel superseded runs. Safe — read-only PR check. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions: read-all diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml index be11d4b..2e0044b 100644 --- a/.github/workflows/security-policy.yml +++ b/.github/workflows/security-policy.yml @@ -1,6 +1,15 @@ # SPDX-License-Identifier: AGPL-3.0-or-later name: Security Policy -on: [push, pull_request] +on: + push: + branches: [main, master] + pull_request: + +# Estate guardrail: scope push to default branches (PR fires once, not +# push+PR) and cancel superseded runs. Safe — read-only PR check. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions: read-all