[#13021][infra] Add concurrency control and permissions to PR check workflow #13022
sandeshwani wants to merge 4 commits into NVIDIA:main from
📝 Walkthrough
The PR check workflow now includes concurrency control to cancel in-progress runs, explicit least-privilege permissions limiting token access to pull requests and contents, and Python runtime updated from 3.10 to 3.12.
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
🚥 Pre-merge checks: ✅ Passed checks (5 passed)
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/pr-check.yml:
- Around line 22-24: The concurrency group currently uses github.head_ref which
can collide across forks; update the group expression (the concurrency: group
value) to use the PR number instead by replacing the github.head_ref fallback
with github.event.pull_request.number (and keep github.run_id as a fallback for
non-PR runs) so cancellation is scoped to the same pull request.
📒 Files selected for processing (1)
.github/workflows/pr-check.yml
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | ||
| cancel-in-progress: true |
🧩 Analysis chain
🌐 Web query:
For GitHub Actions pull_request workflows, is github.head_ref unique per PR across forks? What concurrency.group expression is recommended to avoid cross-PR cancellations?
💡 Result:
No, github.head_ref is not unique per PR across forks. It is the name of the source branch (head_ref) in the PR, which is not unique—different PRs (from same repo or forks) can use the same branch name like "feature-branch". Using it in concurrency.group would cause runs from different PRs with the same branch name to share the group and cancel each other.
To avoid cross-PR cancellations, use a concurrency.group that incorporates the PR number, which is unique per PR regardless of forks. Recommended expression (at workflow level):
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
This cancels previous runs within the same PR (on new commits) but not across different PRs. Include github.workflow to scope to the same workflow if multiple workflows exist. The PR number is available in pull_request events from forks.
Citations:
- 1: https://docs.github.com/en/actions/using-jobs/using-concurrency
- 2: https://docs.github.com/en/actions/reference/contexts-reference
- 3: GitHub Actions: Examples for canceling in-progress jobs / runs with concurrency groups lead to confusing behavior github/docs#11243
- 4: https://stackoverflow.com/questions/66335225/how-to-cancel-previous-runs-in-the-pr-when-you-push-new-commitsupdate-the-curre
- 5: https://oneuptime.com/blog/post/2026-01-25-github-actions-concurrency-control/view
- 6: https://oneuptime.com/blog/post/2025-12-20-concurrency-control-github-actions/view
🏁 Script executed:
cat -n .github/workflows/pr-check.yml | sed -n '20,30p'
Repository: NVIDIA/TensorRT-LLM
Length of output: 363
Scope concurrency key to PR number, not head_ref.
On line 23, using github.head_ref can cancel runs for different PRs that share the same branch name (common with forks). Use PR number so cancellation is limited to the same PR.
Suggested fix
concurrency:
- group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
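Review bot: on the `+` line the fallback changes from github.run_id to github.ref, which goes beyond swapping head_ref for the PR number. With cancel-in-progress: true, any run that has no pull_request payload would then share one group per ref and cancel the earlier run, whereas github.run_id gave each such run a group of its own. If non-PR runs should keep running to completion, use `${{ github.event.pull_request.number || github.run_id }}`, which also matches the wording of the review prompt ("keep github.run_id as a fallback for non-PR runs").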
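The collision described in the review comment above, as an added example (not part of the PR or of CodeRabbit's review): a simplified model of how the two group expressions evaluate for constructed pull_request events. The event values, the workflow name `PR Check` and the helper names are assumptions, and only the `a || b` fallback of the expression syntax is modelled.

```python
import re
from collections import defaultdict

# Constructed pull_request events: two different PRs use the same branch name.
EVENTS = [
    {"pr": 101, "head_ref": "fix-ci", "run_id": 9001},
    {"pr": 102, "head_ref": "fix-ci", "run_id": 9002},
    {"pr": 103, "head_ref": "docs", "run_id": 9003},
    {"pr": 101, "head_ref": "fix-ci", "run_id": 9004},  # new push to PR 101
]

# The two group expressions discussed on this page.
HEAD_REF_GROUP = "${{ github.workflow }}-${{ github.head_ref || github.run_id }}"
PR_NUMBER_GROUP = "${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}"


def context(ev, workflow="PR Check"):
    """Build the subset of the github context the two expressions read."""
    return {
        "github.workflow": workflow,
        "github.head_ref": ev["head_ref"],
        "github.run_id": ev["run_id"],
        "github.event.pull_request.number": ev["pr"],
        "github.ref": f"refs/pull/{ev['pr']}/merge",
    }


def render(expr, ctx):
    """Evaluate each ${{ a || b }} placeholder: the first truthy operand wins."""
    def repl(match):
        for name in match.group(1).split("||"):
            value = ctx.get(name.strip())
            if value:
                return str(value)
        return ""
    return re.sub(r"\$\{\{(.*?)\}\}", repl, expr)


def cross_pr_groups(expr, events):
    """Return {group key: PR numbers} for keys shared by more than one PR."""
    prs = defaultdict(set)
    for ev in events:
        prs[render(expr, context(ev))].add(ev["pr"])
    return {key: sorted(nums) for key, nums in prs.items() if len(nums) > 1}
```

Any key returned by `cross_pr_groups` is a group in which a run for one PR would cancel an in-progress run for another when `cancel-in-progress: true` is set.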
…kflow
Add concurrency group to cancel stale in-progress runs on rapid PR updates, declare least-privilege permissions, and bump Python from 3.10 to 3.12 for consistency with precommit-check.yml.
Signed-off-by: Sandesh Wani <sandeshwani@gmail.com>
ebd4af1 to c720982
Summary
- concurrency group to cancel stale in-progress runs on rapid PR updates
- permissions (read-only for pull-requests and contents)
- precommit-check.yml
Test plan
Closes #13021