From 0766169b420e3f4d92d785e1d959ffaa5d535631 Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
Date: Wed, 27 May 2026 16:29:21 +0000
Subject: [PATCH] ci(workflows): flip cancel-in-progress on 9 low-risk scheduled workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Following agent-reviewer HOLD findings on PR #1947, flip cancel-in-progress: false → true on the 9 LOW-RISK workflows:
- sweep-aws-secrets, sweep-cf-orphans, sweep-cf-tunnels, sweep-stale-e2e-orgs
- railway-pin-audit, ci-required-drift, continuous-synth-e2e
- e2e-staging-sanity, e2e-legacy-advisory
These are idempotent sweeps, read-only audits, or bounded synth jobs that do NOT emit branch-protection required contexts. Cancelling and re-running is safe. The 6 HIGH-RISK per-SHA workflows are intentionally untouched:
- e2e-api, e2e-chat, e2e-peer-visibility, e2e-staging-canvas
- handlers-postgres-integration, harness-replays
Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/ci-required-drift.yml | 8 ++++----
 .gitea/workflows/continuous-synth-e2e.yml | 7 +++----
 .gitea/workflows/e2e-legacy-advisory.yml | 4 +++-
 .gitea/workflows/e2e-staging-sanity.yml | 4 +++-
 .gitea/workflows/railway-pin-audit.yml | 4 +++-
 .gitea/workflows/sweep-aws-secrets.yml | 5 +++--
 .gitea/workflows/sweep-cf-orphans.yml | 6 +++---
 .gitea/workflows/sweep-cf-tunnels.yml | 5 +++--
 .gitea/workflows/sweep-stale-e2e-orgs.yml | 6 +++---
 9 files changed, 28 insertions(+), 21 deletions(-)

diff --git a/.gitea/workflows/ci-required-drift.yml b/.gitea/workflows/ci-required-drift.yml
index 3cf5e5dab..98be8ff26 100644
--- a/.gitea/workflows/ci-required-drift.yml
+++ b/.gitea/workflows/ci-required-drift.yml
@@ -52,12 +52,12 @@ permissions:
 contents: read
 issues: write

-# Serialise — two simultaneous drift runs would duel on the issue
-# create/update path. The audit is idempotent, but parallel POSTs
-# can produce duplicate comments before the title-search dedup wins.
+# Audit is idempotent — cancelling an overlapping run and starting
+# fresh avoids duplicate comments and ensures the latest branch state
+# is evaluated.
 concurrency:
 group: ci-required-drift
- cancel-in-progress: false
+ cancel-in-progress: true

 jobs:
 drift:
diff --git a/.gitea/workflows/continuous-synth-e2e.yml b/.gitea/workflows/continuous-synth-e2e.yml
index 569a11197..3f4320fa7 100644
--- a/.gitea/workflows/continuous-synth-e2e.yml
+++ b/.gitea/workflows/continuous-synth-e2e.yml
@@ -87,12 +87,11 @@ permissions:
 # minimal until that's actually wanted.

 # Serialize so two firings can never overlap. Cron firing every 20 min
-# but scripts conservatively bounded at 10 min — overlap shouldn't
-# happen in steady state, but if a run hangs we don't want N more
-# stacking up.
+# If a run hangs we don't want N more stacking up.
+# Cancelling and starting fresh is preferred for bounded synth tests.
 concurrency:
 group: continuous-synth-e2e
- cancel-in-progress: false
+ cancel-in-progress: true

 env:
 GITHUB_SERVER_URL: https://git.moleculesai.app
diff --git a/.gitea/workflows/e2e-legacy-advisory.yml b/.gitea/workflows/e2e-legacy-advisory.yml
index aeeb83f07..20d56d48f 100644
--- a/.gitea/workflows/e2e-legacy-advisory.yml
+++ b/.gitea/workflows/e2e-legacy-advisory.yml
@@ -13,9 +13,11 @@ on:
 - cron: '15 9 * * *'
 workflow_dispatch:

+# Advisory-only check — cancelling and re-running is safe.
+# Prefer fresh run over queued stale run.
 concurrency:
 group: e2e-legacy-advisory
- cancel-in-progress: false
+ cancel-in-progress: true

 permissions:
 contents: read
diff --git a/.gitea/workflows/e2e-staging-sanity.yml b/.gitea/workflows/e2e-staging-sanity.yml
index d1b8f8eb9..e074d1174 100644
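Review bot: The new comment above `concurrency:` in ci-required-drift.yml says cancelling "avoids duplicate comments", but the removed comment placed the duplicate risk in the issue create/update path, and a run that is cancelled after its POST has already written. With `issues: write` in the context lines, whether the fresh run dedups depends on the title search inside the `drift` job, which begins at the end of this hunk and is not visible here. I would word the comment as `# Audit is idempotent; a cancelled run may already have posted, so the title-search dedup in the job stays the guard against duplicates.` The e2e-staging-sanity and railway-pin-audit hunks show the same `issues: write` context, and railway-pin-audit's "Audit is read-only" comment deserves the same qualification.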
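Review bot: The comment above `concurrency:` in continuous-synth-e2e.yml no longer reads as one statement: the context line still ends with the fragment "Cron firing every 20 min", whose continuation was removed, and "Serialize so two firings can never overlap" describes queueing rather than cancellation. Because that first line is context and was left as is, the fix is to rewrite all three lines together, for example `# One run at a time: a new firing cancels the in-flight run, so a hung` followed by `# run cannot stack up behind the 20-min cron.` It would also help to say whether the synth script's teardown still runs when the job is cancelled; that script is outside the hunk.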
--- a/.gitea/workflows/e2e-staging-sanity.yml
+++ b/.gitea/workflows/e2e-staging-sanity.yml
@@ -24,9 +24,11 @@ on:
 env:
 GITHUB_SERVER_URL: https://git.moleculesai.app

+# Lightweight sanity check — cancelling and re-running is safe.
+# Prefer fresh run over queued stale run.
 concurrency:
 group: e2e-staging-sanity
- cancel-in-progress: false
+ cancel-in-progress: true

 permissions:
 issues: write
diff --git a/.gitea/workflows/railway-pin-audit.yml b/.gitea/workflows/railway-pin-audit.yml
index 8508f4a87..1f09e42a2 100644
--- a/.gitea/workflows/railway-pin-audit.yml
+++ b/.gitea/workflows/railway-pin-audit.yml
@@ -38,9 +38,11 @@ on:
 env:
 GITHUB_SERVER_URL: https://git.moleculesai.app

+# Audit is read-only — cancelling and re-running is safe.
+# Prefer fresh run over queued stale run.
 concurrency:
 group: railway-pin-audit
- cancel-in-progress: false
+ cancel-in-progress: true

 permissions:
 issues: write
diff --git a/.gitea/workflows/sweep-aws-secrets.yml b/.gitea/workflows/sweep-aws-secrets.yml
index dcd00bfb6..a924addb3 100644
--- a/.gitea/workflows/sweep-aws-secrets.yml
+++ b/.gitea/workflows/sweep-aws-secrets.yml
@@ -47,10 +47,11 @@ on:
 # 1.22.6 rejects workflow_dispatch.inputs.
 - cron: '30 * * * *'
 workflow_dispatch:
-# Don't let two sweeps race the same AWS account.
+# Sweeps are idempotent — cancelling and re-running from scratch is safe.
+# Prefer fresh run over queued stale run.
 concurrency:
 group: sweep-aws-secrets
- cancel-in-progress: false
+ cancel-in-progress: true

 permissions:
 contents: read
diff --git a/.gitea/workflows/sweep-cf-orphans.yml b/.gitea/workflows/sweep-cf-orphans.yml
index 1400529d1..39e902ccb 100644
--- a/.gitea/workflows/sweep-cf-orphans.yml
+++ b/.gitea/workflows/sweep-cf-orphans.yml
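Review bot: With a fixed `group:` and `cancel-in-progress: true` in sweep-aws-secrets.yml, the newest firing always wins, so a sweep that takes longer than its trigger interval is cancelled every time and never finishes; the new comment covers idempotence but not this. For a janitor that failure is quiet, because stale secrets simply stop being removed. The same applies to the sweep-cf-orphans, sweep-cf-tunnels and sweep-stale-e2e-orgs hunks, the last being the tightest with `*/15 * * * *`. I would add a line to each comment such as `# A run must finish inside the cron interval; keep the job's timeout-minutes below it.` and check that the jobs, which are outside these hunks, set `timeout-minutes` accordingly. The context line here also mentions 1.22.6, so it is worth confirming that the Gitea release in use enforces workflow-level `concurrency` at all.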
@@ -54,11 +54,11 @@ on:
 # AND gate the sweep step with `if: github.event_name != 'merge_group'`
 # so merge-queue evals report success without actually running.

-# Don't let two sweeps race the same zone. workflow_dispatch during a
-# scheduled run would otherwise issue duplicate DELETE calls.
+# CF deletes are idempotent — cancelling and re-running is safe.
+# Prefer fresh run over queued stale run.
 concurrency:
 group: sweep-cf-orphans
- cancel-in-progress: false
+ cancel-in-progress: true

 permissions:
 contents: read
diff --git a/.gitea/workflows/sweep-cf-tunnels.yml b/.gitea/workflows/sweep-cf-tunnels.yml
index 085534e5d..fe853c2c7 100644
--- a/.gitea/workflows/sweep-cf-tunnels.yml
+++ b/.gitea/workflows/sweep-cf-tunnels.yml
@@ -39,10 +39,11 @@ on:
 # Hourly at :45 — offset from sweep-cf-orphans (:15) so the two
 # janitors don't issue parallel CF API bursts at the same minute.
 - cron: '45 * * * *'
-# Don't let two sweeps race the same account.
+# Sweeps are idempotent — cancelling and re-running from scratch is safe.
+# Prefer fresh run over queued stale run.
 concurrency:
 group: sweep-cf-tunnels
- cancel-in-progress: false
+ cancel-in-progress: true

 permissions:
 contents: read
diff --git a/.gitea/workflows/sweep-stale-e2e-orgs.yml b/.gitea/workflows/sweep-stale-e2e-orgs.yml
index 8ba68fba7..e65988447 100644
--- a/.gitea/workflows/sweep-stale-e2e-orgs.yml
+++ b/.gitea/workflows/sweep-stale-e2e-orgs.yml
@@ -47,11 +47,11 @@ on:
 # See molecule-controlplane#420 for the leak-class accounting that
 # motivated this tightening.
 - cron: '*/15 * * * *'
-# Don't let two sweeps fight. Cron + workflow_dispatch could overlap
-# on a manual trigger; queue rather than parallel-delete.
+# Org cleanup is idempotent — cancelling and re-running is safe.
+# Prefer fresh run over queued stale run.
 concurrency:
 group: sweep-stale-e2e-orgs
- cancel-in-progress: false
+ cancel-in-progress: true

 permissions:
 contents: read
--
2.52.0
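Review bot: "Org cleanup is idempotent" in sweep-stale-e2e-orgs.yml is asserted without naming what makes it so, while the removed comment deliberately queued a manual trigger behind a running sweep. If deleting an org takes more than one API call, a cancel can land between steps, so the next run has to recognise and finish a half-deleted org rather than skip it; that logic lives in the job, outside this hunk. Once confirmed, I would have the comment state the property relied on, for example `# Each sweep re-lists live orgs and deletes are safe to repeat, so the next run picks up where a cancelled one stopped.` The sweep-cf-orphans comment ("CF deletes are idempotent") has the same gap.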