From: Arran Cudbard-Bell Date: Fri, 15 May 2026 02:15:11 +0000 (-0600) Subject: Drop fork-side credentials, replace fkirc with native concurrency X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e37e965062b2eb29573eaba0427c93800a55aada;p=thirdparty%2Ffreeradius-server.git Drop fork-side credentials, replace fkirc with native concurrency Two unrelated CI fixes batched: 1. The docker-public and crossbuild-public variants had credentials: blocks referencing org-level vars/secrets that aren't available on fork CI. Empty values fail workflow template validation ("Unexpected value ''"). Drop the credentials block from the public variants - they fall back to anonymous Docker Hub pulls, which is fine for fork CI on GH-hosted runners (many egress IPs, per-IP limit rarely binds). 2. Replace fkirc/skip-duplicate-actions@v5.3.1 with workflow-level concurrency: groups in ci.yml, ci-macos.yml, and ci-sanitizers.yml. Native GH Actions feature, runner-builtin, no Node 20 deprecation warning, no third-party action to chase. Slightly different semantics (cancels older queued/in-flight runs of the same workflow on the same ref, vs fkirc's diff-based skip) - same practical effect for the FreeRADIUS use case. ci.yml and ci-sanitizers.yml's pre-ci job still exists because it exposes selfhosted/docker_prefix outputs the matrix consumes; its only step is now a no-op. ci-macos.yml's pre-ci had no other purpose so it's gone entirely.
---
diff --git a/.github/workflows/ci-macos.yml b/.github/workflows/ci-macos.yml
index 90905322091..a1073ef4c54 100644
--- a/.github/workflows/ci-macos.yml
+++ b/.github/workflows/ci-macos.yml
@@ -8,6 +8,15 @@ on: - debug-fuzzer-** pull_request:
+#
+# Cancel any in-flight or queued run of this workflow on the same
+# ref when a new commit lands. Replaces fkirc/skip-duplicate-actions
+# for the "don't waste CI on a stale push" use case.
+#
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 env: ASAN_OPTIONS: symbolize=1 detect_leaks=0 detect_stack_use_after_return=1 LSAN_OPTIONS: fast_unwind_on_malloc=0:malloc_context_size=50
@@ -26,19 +35,8 @@ env: GH_ACTIONS: 1 jobs:
- pre-ci:
- runs-on: ubuntu-latest
- # Map a step output to a job output
- outputs:
- should_skip: ${{ steps.skip_check.outputs.should_skip }}
- steps:
- - id: skip_check
- uses: fkirc/skip-duplicate-actions@v5.3.1
-
 ci: timeout-minutes: 90
- needs: pre-ci
- if: ${{ needs.pre-ci.outputs.should_skip != 'true' }}
 runs-on: ${{ matrix.env.OS }}
diff --git a/.github/workflows/ci-sanitizers.yml b/.github/workflows/ci-sanitizers.yml
index 81a692fe17b..ae470d62839 100644
--- a/.github/workflows/ci-sanitizers.yml
+++ b/.github/workflows/ci-sanitizers.yml
@@ -8,6 +8,15 @@ on: - debug-fuzzer-** pull_request:
+#
+# Cancel any in-flight or queued run of this workflow on the same
+# ref when a new commit lands. Replaces fkirc/skip-duplicate-actions
+# for the "don't waste CI on a stale push" use case.
+#
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 env: ASAN_OPTIONS: symbolize=1 detect_leaks=1 detect_stack_use_after_return=1 LSAN_OPTIONS: fast_unwind_on_malloc=0:malloc_context_size=50
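Review bot: `cancel-in-progress: true` in the first ci-macos.yml hunk is unconditional, so it applies to branch pushes as well as pull requests: a new commit on a long-lived branch cancels the run for the previous commit, which then never gets a result. For the sanitizer and fuzzer jobs that makes a regression harder to pin to one commit. Restricting cancellation to pull requests keeps the saving without that gap, `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The same block is added in the first hunks of ci-sanitizers.yml and ci.yml. The `on:` block starts outside these hunks, so which branches trigger on push is not visible here.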
@@ -30,19 +39,19 @@ env: jobs: pre-ci: runs-on: ubuntu-latest
- # Map a step output to a job output
+ # No skip-duplicate logic here any more - workflow-level
+ # concurrency: above handles that natively. This job exists only
+ # to expose the selfhosted/docker_prefix expressions as outputs
+ # so the matrix below stays readable.
 outputs:
- should_skip: ${{ steps.skip_check.outputs.should_skip }}
 selfhosted: ${{ github.repository_owner == 'FreeRADIUS' && '1' || '0' }} docker_prefix: ${{ github.repository_owner == 'FreeRADIUS' && 'docker.internal.networkradius.com/' || '' }} steps:
- - id: skip_check
- uses: fkirc/skip-duplicate-actions@v5.3.1
+ - run: 'true'
 ci-sanitizers: timeout-minutes: 150 needs: pre-ci
- if: ${{ needs.pre-ci.outputs.should_skip != 'true' }}
 runs-on: ${{ matrix.os.runs_on }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2da4f14d12c..373247a440a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,15 @@ on: - debug-fuzzer-** pull_request:
+#
+# Cancel any in-flight or queued run of this workflow on the same
+# ref when a new commit lands. Replaces fkirc/skip-duplicate-actions
+# for the "don't waste CI on a stale push" use case.
+#
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 env: ASAN_OPTIONS: symbolize=1 detect_leaks=1 detect_stack_use_after_return=1 LSAN_OPTIONS: fast_unwind_on_malloc=0:malloc_context_size=50
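Review bot: The rewritten comment on `pre-ci` in ci-sanitizers.yml (and the identical one in the second ci.yml hunk) explains why the job stays, but not what the `selfhosted` output means for untrusted code. On a `pull_request` event `github.repository_owner` is the owner of the base repository, so a pull request from a fork into the FreeRADIUS repository still yields `selfhosted: '1'` and the internal registry prefix. The matrix that consumes these outputs is outside the hunk; if it uses them to pick self-hosted runners, fork-authored code would run there. Either the comment should record that this is intended and how such runs are gated, or the expression should also test `github.event.pull_request.head.repo.fork`.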
@@ -30,19 +39,19 @@ env: jobs: pre-ci: runs-on: ubuntu-latest
- # Map a step output to a job output
+ # No skip-duplicate logic here any more - workflow-level
+ # concurrency: above handles that natively. This job exists only
+ # to expose the selfhosted/docker_prefix expressions as outputs
+ # so the matrix below stays readable.
 outputs:
- should_skip: ${{ steps.skip_check.outputs.should_skip }}
 selfhosted: ${{ github.repository_owner == 'FreeRADIUS' && '1' || '0' }} docker_prefix: ${{ github.repository_owner == 'FreeRADIUS' && 'docker.internal.networkradius.com/' || '' }} steps:
- - id: skip_check
- uses: fkirc/skip-duplicate-actions@v5.3.1
+ - run: 'true'
 ci: timeout-minutes: 150 needs: pre-ci
- if: ${{ needs.pre-ci.outputs.should_skip != 'true' }}
 runs-on: ${{ matrix.os.runs_on }}
diff --git a/.github/workflows/crossbuild.yml b/.github/workflows/crossbuild.yml
index a75d3b5eebf..82d682bbd3b 100644
--- a/.github/workflows/crossbuild.yml
+++ b/.github/workflows/crossbuild.yml
@@ -169,14 +169,14 @@ jobs: dind: image: docker:dind #
- # Authenticate the host docker daemon's pull of the dind
- # service container so we don't hit Docker Hub's anonymous
- # rate limit. Goes away once we switch to the internal
- # self-hosted-docker-dind image.
+ # No credentials: block here - this variant runs on fork CI
+ # where the org-level DOCKERHUB_READ_* vars/secrets aren't
+ # available, and a credentials: block with empty values fails
+ # workflow template validation. The host docker daemon does
+ # an anonymous pull of docker:dind here; GH-hosted runners
+ # have many egress IPs so the per-IP Hub limit is rarely an
+ # issue for fork builds.
 #
- credentials:
- username: ${{ vars.DOCKERHUB_READ_USER }}
- password: ${{ secrets.DOCKERHUB_READ_KEY }}
 options: --privileged env: DOCKER_TLS_CERTDIR: ""
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 2e98dd3f2c9..c014b08e810 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
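Review bot: The new comment in the crossbuild.yml hunk covers the Docker Hub rate limit but not what is being pulled: `image: docker:dind` is a mutable tag, now fetched anonymously and started with `options: --privileged`. Pinning the service image by digest would make the privileged container reproducible and reviewable, for example `image: docker:dind@sha256:<digest-of-vetted-image>` (placeholder, not a real value). If a floating tag is intended, the comment should say so explicitly. The same applies to the matching docker.yml hunk; the `dind:` service definition starts and ends outside both hunks.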
@@ -157,14 +157,14 @@ jobs: dind: image: docker:dind #
- # Authenticate the host docker daemon's pull of the dind
- # service container so we don't hit Docker Hub's anonymous
- # rate limit. Goes away once we switch to the internal
- # self-hosted-docker-dind image.
+ # No credentials: block here - this variant runs on fork CI
+ # where the org-level DOCKERHUB_READ_* vars/secrets aren't
+ # available, and a credentials: block with empty values fails
+ # workflow template validation. The host docker daemon does
+ # an anonymous pull of docker:dind here; GH-hosted runners
+ # have many egress IPs so the per-IP Hub limit is rarely an
+ # issue for fork builds.
 #
- credentials:
- username: ${{ vars.DOCKERHUB_READ_USER }}
- password: ${{ secrets.DOCKERHUB_READ_KEY }}
 options: --privileged env: DOCKER_TLS_CERTDIR: ""