CI/GHA: cancel outdated CI runs on new PR changes

Avoid letting outdated CI runs continue if a PR receives
new changes. Outside a PR we let them continue running
by tying the concurrency to the commit hash instead.

Also only let one CodeQL or Hacktoberfest job run at a time.

Other CI platforms we use have this build in, but GitHub
unfortunately neither by default nor with a simple option.

This saves CI resources and therefore a little energy.

Approved-by: Daniel Stenberg
Approved-by: Max Dymond
Closes #9533

.github/workflows/codeql-analysis.yml

@@ -5,8 +5,6 @@
 name: CodeQL
 
 on:
-  # Trigger the workflow on push or pull requests, but only for the
-  # master branch
   push:
     branches:
     - master
@@ -17,6 +15,9 @@ on:
   schedule:
     - cron: '0 0 * * 4'
 
+concurrency:
+  group: ${{ github.workflow }}
+
 permissions:
   security-events: write
 

.github/workflows/fuzz.yml

@@ -5,8 +5,6 @@
 name: Fuzzer
 
 on:
-  # Trigger the workflow on push or pull requests, but only for the
-  # master branch
   push:
     branches:
     - master
@@ -15,6 +13,10 @@ on:
     branches:
     - master
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
 jobs:
   fuzzing:
     runs-on: ubuntu-latest

.github/workflows/hacktoberfest-accepted.yml

@@ -5,11 +5,15 @@
 name: Hacktoberfest
 
 on:
-  # run for all pushes to master branch
+  # this must not ever run on any other branch than master
   push:
     branches:
     - master
 
+concurrency:
+  # this should not run in parallel, so just run one at a time
+  group: ${{ github.workflow }}
+
 permissions:
   # requires issues AND pull-requests write permissions to edit labels on PRs!
   issues: write

.github/workflows/linkcheck.yml

@@ -19,6 +19,10 @@ on:
     - '.github/workflows/linkcheck.yml'
     - '**.md'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
 jobs:
   # Docs: https://github.com/marketplace/actions/markdown-link-check
   check:

.github/workflows/linux.yml

@@ -5,8 +5,6 @@
 name: Linux
 
 on:
-  # Trigger the workflow on push or pull requests, but only for the
-  # master branch
   push:
     branches:
     - master
@@ -15,6 +13,10 @@ on:
     branches:
     - master
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}

.github/workflows/macos.yml

@@ -5,8 +5,6 @@
 name: macOS
 
 on:
-  # Trigger the workflow on push or pull requests, but only for the
-  # master branch
   push:
     branches:
     - master
@@ -15,6 +13,10 @@ on:
     branches:
     - master
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}

.github/workflows/msh3.yml

@@ -5,8 +5,6 @@
 name: Linux
 
 on:
-  # Trigger the workflow on push or pull requests, but only for the
-  # master branch
   push:
     branches:
     - master
@@ -15,6 +13,11 @@ on:
     branches:
     - master
 
+concurrency:
+  # Hardcoded workflow filename as workflow name above is just Linux again
+  group: msh3-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}

.github/workflows/ngtcp2-gnutls.yml

@@ -5,8 +5,6 @@
 name: ngtcp2
 
 on:
-  # Trigger the workflow on push or pull requests, but only for the
-  # master branch
   push:
     branches:
     - master
@@ -15,6 +13,11 @@ on:
     branches:
     - master
 
+concurrency:
+  # Hardcoded workflow filename as workflow name above is just Linux again
+  group: ngtcp2-gnutls-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}

.github/workflows/ngtcp2-wolfssl.yml

@@ -5,8 +5,6 @@
 name: ngtcp2
 
 on:
-  # Trigger the workflow on push or pull requests, but only for the
-  # master branch
   push:
     branches:
     - master
@@ -15,6 +13,11 @@ on:
     branches:
     - master
 
+concurrency:
+  # Hardcoded workflow filename as workflow name above is just Linux again
+  group: ngtcp2-wolfssl-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}

.github/workflows/openssl3.yml

@@ -5,8 +5,6 @@
 name: Linux
 
 on:
-  # Trigger the workflow on push or pull requests, but only for the
-  # master branch
   push:
     branches:
     - master
@@ -15,6 +13,11 @@ on:
     branches:
     - master
 
+concurrency:
+  # Hardcoded workflow filename as workflow name above is just Linux again
+  group: openssl3-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}

.github/workflows/proselint.yml

@@ -19,6 +19,10 @@ on:
     - '.github/workflows/proselint.yml'
     - '**.md'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
 jobs:
   check:
     runs-on: ubuntu-latest

.github/workflows/reuse.yml

@@ -6,8 +6,6 @@
 name: REUSE compliance
 
 on:
-  # Trigger the workflow on push or pull requests, but only for the
-  # master branch
   push:
     branches:
     - master
@@ -16,6 +14,10 @@ on:
     branches:
     - master
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
 jobs:
   check:
     runs-on: ubuntu-latest

.github/workflows/torture.yml

@@ -5,8 +5,6 @@
 name: Linux
 
 on:
-  # Trigger the workflow on push or pull requests, but only for the
-  # master branch
   push:
     branches:
     - master
@@ -15,6 +13,11 @@ on:
     branches:
     - master
 
+concurrency:
+  # Hardcoded workflow filename as workflow name above is just Linux again
+  group: torture-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}

.github/workflows/wolfssl.yml

@@ -5,8 +5,6 @@
 name: Linux
 
 on:
-  # Trigger the workflow on push or pull requests, but only for the
-  # master branch
   push:
     branches:
     - master
@@ -15,6 +13,11 @@ on:
     branches:
     - master
 
+concurrency:
+  # Hardcoded workflow filename as workflow name above is just Linux again
+  group: wolfssl-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}