ci(workflows): flip cancel-in-progress on 9 low-risk scheduled workflows

Following agent-reviewer HOLD findings on PR #1947, flip cancel-in-progress: false → true on the 9 LOW-RISK workflows: - sweep-aws-secrets, sweep-cf-orphans, sweep-cf-tunnels, sweep-stale-e2e-orgs - railway-pin-audit, ci-required-drift, continuous-synth-e2e - e2e-staging-sanity, e2e-legacy-advisory These are idempotent sweeps, read-only audits, or bounded synth jobs that do NOT emit branch-protection required contexts. Cancelling and re-running is safe. The 6 HIGH-RISK per-SHA workflows are intentionally untouched: - e2e-api, e2e-chat, e2e-peer-visibility, e2e-staging-canvas - handlers-postgres-integration, harness-replays Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 16:29:21 +00:00
12 changed files with 32 additions and 25 deletions
@@ -642,7 +642,7 @@ def load_config(path: str) -> dict[str, Any]:
        # requiring the dep, so the ignore is safe: if yaml loads, we use it;
        # otherwise we fall back silently.
        import yaml  # type: ignore[import-not-found]
-        with open(path, encoding="utf-8") as f:
+        with open(path) as f:
            return yaml.safe_load(f)
    except ImportError:
        return _load_config_minimal(path)
@@ -656,7 +656,7 @@ def _load_config_minimal(path: str) -> dict[str, Any]:
    item map: scalars + lists of scalars. Does NOT support nested lists,
    YAML anchors, multi-doc, or flow style.
    """
-    with open(path, encoding="utf-8") as f:
+    with open(path) as f:
        lines = f.readlines()
    return _parse_minimal_yaml(lines)

@@ -33,7 +33,7 @@ def scenario() -> str:
    p = os.path.join(STATE_DIR, "scenario")
    if not os.path.isfile(p):
        return "T1_success"
-    with open(p, encoding="utf-8") as f:
+    with open(p) as f:
        return f.read().strip()


@@ -40,7 +40,7 @@ def scenario() -> str:
    p = os.path.join(STATE_DIR, "scenario")
    if not os.path.isfile(p):
        return "T1_pr_open"
-    with open(p, encoding="utf-8") as f:
+    with open(p) as f:
        return f.read().strip()


@@ -52,12 +52,12 @@ permissions:
  contents: read
  issues: write

-# Serialise — two simultaneous drift runs would duel on the issue
-# create/update path. The audit is idempotent, but parallel POSTs
-# can produce duplicate comments before the title-search dedup wins.
+# Audit is idempotent — cancelling an overlapping run and starting
+# fresh avoids duplicate comments and ensures the latest branch state
+# is evaluated.
 concurrency:
  group: ci-required-drift
-  cancel-in-progress: false
+  cancel-in-progress: true

 jobs:
  drift:
@@ -87,12 +87,11 @@ permissions:
  # minimal until that's actually wanted.

 # Serialize so two firings can never overlap. Cron firing every 20 min
-# but scripts conservatively bounded at 10 min — overlap shouldn't
-# happen in steady state, but if a run hangs we don't want N more
-# stacking up.
+# If a run hangs we don't want N more stacking up.
+# Cancelling and starting fresh is preferred for bounded synth tests.
 concurrency:
  group: continuous-synth-e2e
-  cancel-in-progress: false
+  cancel-in-progress: true

 env:
  GITHUB_SERVER_URL: https://git.moleculesai.app
@@ -13,9 +13,11 @@ on:
    - cron: '15 9 * * *'
  workflow_dispatch:

+# Advisory-only check — cancelling and re-running is safe.
+# Prefer fresh run over queued stale run.
 concurrency:
  group: e2e-legacy-advisory
-  cancel-in-progress: false
+  cancel-in-progress: true

 permissions:
  contents: read
@@ -24,9 +24,11 @@ on:
 env:
  GITHUB_SERVER_URL: https://git.moleculesai.app

+# Lightweight sanity check — cancelling and re-running is safe.
+# Prefer fresh run over queued stale run.
 concurrency:
  group: e2e-staging-sanity
-  cancel-in-progress: false
+  cancel-in-progress: true

 permissions:
  issues: write
@@ -38,9 +38,11 @@ on:
 env:
  GITHUB_SERVER_URL: https://git.moleculesai.app

+# Audit is read-only — cancelling and re-running is safe.
+# Prefer fresh run over queued stale run.
 concurrency:
  group: railway-pin-audit
-  cancel-in-progress: false
+  cancel-in-progress: true

 permissions:
  issues: write
@@ -47,10 +47,11 @@ on:
    # 1.22.6 rejects workflow_dispatch.inputs.
    - cron: '30 * * * *'
  workflow_dispatch:
-# Don't let two sweeps race the same AWS account.
+# Sweeps are idempotent — cancelling and re-running from scratch is safe.
+# Prefer fresh run over queued stale run.
 concurrency:
  group: sweep-aws-secrets
-  cancel-in-progress: false
+  cancel-in-progress: true

 permissions:
  contents: read
@@ -54,11 +54,11 @@ on:
  # AND gate the sweep step with `if: github.event_name != 'merge_group'`
  # so merge-queue evals report success without actually running.

-# Don't let two sweeps race the same zone. workflow_dispatch during a
-# scheduled run would otherwise issue duplicate DELETE calls.
+# CF deletes are idempotent — cancelling and re-running is safe.
+# Prefer fresh run over queued stale run.
 concurrency:
  group: sweep-cf-orphans
-  cancel-in-progress: false
+  cancel-in-progress: true

 permissions:
  contents: read
@@ -39,10 +39,11 @@ on:
    # Hourly at :45 — offset from sweep-cf-orphans (:15) so the two
    # janitors don't issue parallel CF API bursts at the same minute.
    - cron: '45 * * * *'
-# Don't let two sweeps race the same account.
+# Sweeps are idempotent — cancelling and re-running from scratch is safe.
+# Prefer fresh run over queued stale run.
 concurrency:
  group: sweep-cf-tunnels
-  cancel-in-progress: false
+  cancel-in-progress: true

 permissions:
  contents: read
@@ -47,11 +47,11 @@ on:
    # See molecule-controlplane#420 for the leak-class accounting that
    # motivated this tightening.
    - cron: '*/15 * * * *'
-# Don't let two sweeps fight. Cron + workflow_dispatch could overlap
-# on a manual trigger; queue rather than parallel-delete.
+# Org cleanup is idempotent — cancelling and re-running is safe.
+# Prefer fresh run over queued stale run.
 concurrency:
  group: sweep-stale-e2e-orgs
-  cancel-in-progress: false
+  cancel-in-progress: true

 permissions:
  contents: read