From 5ce0641ab2b132a5ea8d3b6f49e9fc048693becb Mon Sep 17 00:00:00 2001
From: Rhuan Barreto <rhuan@barreto.work>
Date: Sun, 31 May 2026 01:27:59 +0200
Subject: [PATCH 1/3] fix(ci): stop cancelling main branch CI runs on
 concurrent pushes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The concurrency group used `github.ref` for push events, so all main
branch runs shared the same group (`Validate-refs/heads/main`). With
`cancel-in-progress: true`, a second merge landing before the first
run finished would cancel it — observed in run 26697525843 where the
release 0.42.0 validation was killed by a Renovate merge 31s later.

Fix: use `github.sha` instead of `github.ref` so each push to main
gets its own concurrency group, and restrict `cancel-in-progress` to
pull_request events only (where superseding old runs is desired).

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
---
 .github/workflows/code-pull-request.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/code-pull-request.yml b/.github/workflows/code-pull-request.yml
index e54203ce..8521abc4 100644
--- a/.github/workflows/code-pull-request.yml
+++ b/.github/workflows/code-pull-request.yml
@@ -16,8 +16,8 @@ permissions:
   pull-requests: write
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 env:
   ARCHGATE_TELEMETRY: "0"

From b558bec830e7769a7ee9954dc36a8c43cf05933e Mon Sep 17 00:00:00 2001
From: Rhuan Barreto <rhuan@barreto.work>
Date: Sun, 31 May 2026 01:31:18 +0200
Subject: [PATCH 2/3] fix(ci): apply same concurrency fix to CodeQL and
 Scorecard workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Both workflows had the same cancel-in-progress bug on main branch
pushes. CodeQL had 4 cancelled runs, Scorecard had 2.

CodeQL: use github.sha + restrict cancel-in-progress to PRs (same
pattern as Validate workflow).

Scorecard: uses github.sha and disables cancel-in-progress entirely
since it only triggers on push/schedule (no PR trigger).

DCO is PR-only so cancel-in-progress is correct there — no change.

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
---
 .github/workflows/codeql.yml    | 4 ++--
 .github/workflows/scorecard.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 135d7984..a970abf1 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -15,8 +15,8 @@ permissions:
   contents: read
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 env:
   ARCHGATE_TELEMETRY: "0"
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 9d3ebf13..220ad15b 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -12,8 +12,8 @@ on:
 permissions: read-all
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.sha }}
+  cancel-in-progress: false
 
 jobs:
   analysis:

From 84ea16941e7baa08b7fe7e35c0d0f5d0d59f8e1f Mon Sep 17 00:00:00 2001
From: Rhuan Barreto <rhuan@barreto.work>
Date: Sun, 31 May 2026 01:41:16 +0200
Subject: [PATCH 3/3] fix(ci): remove git pull --rebase that breaks release on
 rerun
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The release job ran `git pull --rebase origin main` before calling
simple-release-action. If any commit landed on main between the
release merge and the job reaching that step, HEAD moved past the
release commit. simple-release-action then checked HEAD, saw a
non-release commit, and silently skipped the release (exit 0).

This is what prevented v0.42.0 from being tagged: the Renovate npm
update merged 31s after the release, so `git pull` fast-forwarded
HEAD to that commit and the release action said "Condition failed."

Removing the step makes the job idempotent — the checkout already
has the release commit (the SHA that triggered the push event), and
the tag should point at that commit, not at tip-of-main.

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
---
 .github/workflows/release.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ceb547e1..8c0725ad 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -153,8 +153,6 @@ jobs:
       - name: Validate
         id: validate
         run: bun run validate
-      - name: Ensure main is up-to-date before release
-        run: git pull --rebase origin main
       - name: Release
         uses: TrigenSoftware/simple-release-action@e7293dad843693d8692d443c3f21b78338048f13 # v1.1.8
         with: