From 154c67b75459ec97344945ea206b88c17efc60ae Mon Sep 17 00:00:00 2001
From: core-devops
Date: Mon, 18 May 2026 17:22:47 -0700
Subject: [PATCH] ci(gate-check-v3): add per-PR concurrency to prevent OOM fan-out
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Sibling class-audit fix per `reference_operator_host_python3_oom_storm_2026_05_18`. gate-check-v3 fires on `pull_request_target` (opened/edited/ synchronize/reopened) + hourly cron + workflow_dispatch — `edited` events fan out on PR-body edits and stack runs of the same workflow_id on the same PR. Group key falls back through pull_request.number → issue.number → github.ref so schedule + manual ticks coalesce per-ref. No `cancel-in-progress` per `feedback_janitor_supersede_must_group_by_workflow_id` — the gate-check is `continue-on-error: true` + idempotent so sequential ticks are strictly safe.
---
 .gitea/workflows/gate-check-v3.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/.gitea/workflows/gate-check-v3.yml b/.gitea/workflows/gate-check-v3.yml
index 27aba8798..0ee216a43 100644
--- a/.gitea/workflows/gate-check-v3.yml
+++ b/.gitea/workflows/gate-check-v3.yml
@@ -32,6 +32,24 @@ on:
 # iterating all open PRs when PR_NUMBER is empty.
 workflow_dispatch:
 
+# Serialize per PR (or per repo for schedule/manual ticks) to prevent
+# the fan-out OOM class documented in
+# `reference_operator_host_python3_oom_storm_2026_05_18`. `edited`
+# events fan out on every PR-body edit; combined with the hourly cron
+# and synchronize bursts this workflow can stack runs of the same
+# workflow_id on the same PR (each ~4GB anon-RSS) and trip the
+# `--memory=4g --memory-swap=8g` per-container cap.
+#
+# NO `cancel-in-progress` (defaults to false). Per
+# `feedback_janitor_supersede_must_group_by_workflow_id`, cancelling
+# in-flight runs of any required-check-shaped workflow risks the
+# dismiss_stale_approvals + empty-commit-rerun dance (Gitea 1.22.6 has
+# no REST rerun). The gate-check is `continue-on-error: true` +
+# idempotent (POST/PATCH gate-check comment by context) so sequential
+# ticks are strictly safe.
+concurrency:
+ group: gate-check-v3-${{ github.event.pull_request.number || github.event.issue.number || github.ref }}
+
 permissions:
 # read: contents — for checkout (base ref, not PR head for security)
 # read: pull-requests — for reading PR info via API
-- 
2.52.0
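Review bot: The `concurrency:` block added at the end of this hunk may be a no-op on the server its own comment names (Gitea 1.22.6): Gitea's Actions documentation has listed workflow-level `concurrency` as ignored in older releases, so confirm on this instance that two runs in the same group actually queue before treating this as the OOM fix. Separately, the group key serializes runs per PR number but puts the hourly and manual sweeps in a `github.ref` group of their own, so a sweep that iterates all open PRs can still overlap a per-PR run, and body edits spread across many PRs (which PR authors can trigger under `pull_request_target`) still run in parallel; only a runner-level capacity limit bounds that. The header comment should state this limit and match the commit message's "per-ref" wording, e.g. `# Serialize per PR (per ref for schedule/manual ticks); does not cap concurrency across PRs.` The `on:` trigger list and the job body lie outside this hunk, so the trigger set is taken from the commit message rather than from visible lines.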