diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml index dd21a8d..197c4dc 100644 --- a/.github/workflows/guix-nix-policy.yml +++ b/.github/workflows/guix-nix-policy.yml @@ -1,6 +1,15 @@ # SPDX-License-Identifier: MPL-2.0-or-later name: Guix/Nix Package Policy -on: [push, pull_request] +on: + push: + branches: [main, master] + pull_request: + +# Estate guardrail: scope push to default branches (PR fires once, not +# push+PR) and cancel superseded runs. Safe — read-only PR check. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions: contents: read jobs: diff --git a/.github/workflows/makefile-blocker.yml b/.github/workflows/makefile-blocker.yml index d6f0e1b..b9fd347 100644 --- a/.github/workflows/makefile-blocker.yml +++ b/.github/workflows/makefile-blocker.yml @@ -1,6 +1,15 @@ # SPDX-License-Identifier: MPL-2.0-or-later name: Makefile Blocker -on: [push, pull_request] +on: + push: + branches: [main, master] + pull_request: + +# Estate guardrail: scope push to default branches (PR fires once, not +# push+PR) and cancel superseded runs. Safe — read-only PR check. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions: contents: read jobs: diff --git a/.github/workflows/npm-bun-blocker.yml b/.github/workflows/npm-bun-blocker.yml index 2fd984f..03be33e 100644 --- a/.github/workflows/npm-bun-blocker.yml +++ b/.github/workflows/npm-bun-blocker.yml @@ -1,6 +1,15 @@ # SPDX-License-Identifier: MPL-2.0 name: NPM/Bun Blocker -on: [push, pull_request] +on: + push: + branches: [main, master] + pull_request: + +# Estate guardrail: scope push to default branches (PR fires once, not +# push+PR) and cancel superseded runs. Safe — read-only PR check. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions: contents: read diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index f6f7ab5..9ffe078 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -1,6 +1,15 @@ # SPDX-License-Identifier: MPL-2.0-or-later name: Code Quality -on: [push, pull_request] +on: + push: + branches: [main, master] + pull_request: + +# Estate guardrail: scope push to default branches (PR fires once, not +# push+PR) and cancel superseded runs. Safe — read-only PR check. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions: contents: read diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml index 193933c..aa44af0 100644 --- a/.github/workflows/security-policy.yml +++ b/.github/workflows/security-policy.yml @@ -1,6 +1,15 @@ # SPDX-License-Identifier: MPL-2.0-or-later name: Security Policy -on: [push, pull_request] +on: + push: + branches: [main, master] + pull_request: + +# Estate guardrail: scope push to default branches (PR fires once, not +# push+PR) and cancel superseded runs. Safe — read-only PR check. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions: contents: read jobs: diff --git a/.github/workflows/ts-blocker.yml b/.github/workflows/ts-blocker.yml index 6453445..e92d2d9 100644 --- a/.github/workflows/ts-blocker.yml +++ b/.github/workflows/ts-blocker.yml @@ -1,6 +1,15 @@ # SPDX-License-Identifier: MPL-2.0 name: TypeScript/JavaScript Blocker -on: [push, pull_request] +on: + push: + branches: [main, master] + pull_request: + +# Estate guardrail: scope push to default branches (PR fires once, not +# push+PR) and cancel superseded runs. Safe — read-only PR check. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions: contents: read