From 01d5dfb7eb028bbf0d72cbbe2ef6e7c5710e7401 Mon Sep 17 00:00:00 2001 From: BDevParity Date: Wed, 15 Apr 2026 20:02:46 +0200 Subject: [PATCH] [CI] Fix random job cancellations in combined publish workflows (#11703) ## Summary - The combined publish workflows (`release-70`, `release-22`) call multiple sub-workflows that each invoke `check-synchronization.yml`. That reusable workflow has a concurrency group (`${{ github.repository }}-${{ github.workflow }}-${{ github.ref }}`) that evaluates to the **same value** for all callers within a single run, causing GitHub to randomly cancel competing jobs. - PR #11631 attempted to fix this with `github.event_name == 'workflow_dispatch'` guards, but `github.event_name` propagates the original trigger through `workflow_call` chains, so the guard doesn't reliably skip the check. - This PR replaces that guard with an explicit `skip_sync_check` boolean input. Combined workflows pass `skip_sync_check: true` since they already run the check at the top level. Standalone dispatches default to `false`, preserving existing behavior. - Also removes the redundant `check-synchronization` job from `release-reusable-publish-packages.yml` (only ever called from workflows that already perform the check). Evidence: [4 consecutive failed attempts](https://github.com/paritytech-release/polkadot-sdk/actions/runs/23787944175) with different random jobs cancelled each time. ## Issue - https://github.com/paritytech/release-engineering/issues/291 --------- Co-authored-by: Egor_P (cherry picked from commit 9f6182fe1ef2a4bd2013571396999ddd4044a8ef) --- .github/workflows/release-20_build-rc.yml | 5 +++-- .github/workflows/release-21_build-runtimes.yml | 5 +++-- ...lease-22_combined-rc-runtime-builds-release-draft.yml | 6 ++++++ .github/workflows/release-30_publish_release_draft.yml | 5 +++-- .github/workflows/release-31_promote-rc-to-final.yml | 5 +++-- .github/workflows/release-40_publish-deb-package.yml | 6 ++++-- .github/workflows/release-41_publish-rpm-package.yml | 5 +++-- .github/workflows/release-50_publish-docker.yml | 5 +++-- .../workflows/release-70_combined-publish-release.yml | 9 +++++++++ .github/workflows/release-80_publish-crates.yml | 2 ++ .github/workflows/release-reusable-publish-packages.yml | 5 +++-- 11 files changed, 42 insertions(+), 16 deletions(-) diff --git a/.github/workflows/release-20_build-rc.yml b/.github/workflows/release-20_build-rc.yml index e327767dfc87f..ef12993999d6c 100644 --- a/.github/workflows/release-20_build-rc.yml +++ b/.github/workflows/release-20_build-rc.yml @@ -21,14 +21,15 @@ on: jobs: check-synchronization: - if: ${{ github.event_name == 'workflow_dispatch' }} uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main + with: + concurrency_suffix: build-rc secrets: fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }} validate-inputs: needs: [check-synchronization] - if: ${{ !cancelled() && (needs.check-synchronization.result == 'skipped' || needs.check-synchronization.outputs.checks_passed == 'true') }} + if: needs.check-synchronization.outputs.checks_passed == 'true' runs-on: ubuntu-latest outputs: release_tag: ${{ steps.validate_inputs.outputs.release_tag }} diff --git a/.github/workflows/release-21_build-runtimes.yml b/.github/workflows/release-21_build-runtimes.yml index ab688ef5f4070..ea50975b1bae4 100644 --- a/.github/workflows/release-21_build-runtimes.yml +++ b/.github/workflows/release-21_build-runtimes.yml @@ -54,14 +54,15 @@ on: jobs: check-synchronization: - if: ${{ github.event_name == 'workflow_dispatch' }} uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main + with: + concurrency_suffix: build-runtimes secrets: fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }} validate-inputs: needs: [check-synchronization] - if: ${{ !cancelled() && (needs.check-synchronization.result == 'skipped' || needs.check-synchronization.outputs.checks_passed == 'true') }} + if: needs.check-synchronization.outputs.checks_passed == 'true' runs-on: ubuntu-latest outputs: release_tag: ${{ steps.validate_inputs.outputs.release_tag }} diff --git a/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml b/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml index 33bfa8a4365d0..46b5f45119128 100644 --- a/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml +++ b/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml @@ -56,6 +56,8 @@ on: jobs: check-synchronization: uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main + with: + concurrency_suffix: combined-builds secrets: fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }} @@ -87,6 +89,7 @@ jobs: chain: ${{ inputs.chain }} runtime_dir: ${{ inputs.runtime_dir }} release_tag: ${{ needs.validate-inputs.outputs.release_tag }} + secrets: inherit permissions: id-token: write @@ -99,6 +102,7 @@ jobs: with: binary: ${{ inputs.binary }} release_tag: ${{ needs.validate-inputs.outputs.release_tag }} + secrets: inherit permissions: id-token: write @@ -115,6 +119,7 @@ jobs: runtimes: '${{ needs.build-runtimes-flow.outputs.published_runtimes }}' no_runtimes: ${{ inputs.no_runtimes }} crates_only: false + secrets: inherit trigger-release-draft-without-runtimes: @@ -126,4 +131,5 @@ jobs: build_run_id: ${{ github.run_id }} no_runtimes: ${{ inputs.no_runtimes }} crates_only: false + secrets: inherit diff --git a/.github/workflows/release-30_publish_release_draft.yml b/.github/workflows/release-30_publish_release_draft.yml index 467c1f7458e39..0c56e3e134b3b 100644 --- a/.github/workflows/release-30_publish_release_draft.yml +++ b/.github/workflows/release-30_publish_release_draft.yml @@ -57,14 +57,15 @@ on: jobs: check-synchronization: - if: ${{ github.event_name == 'workflow_dispatch' }} uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main + with: + concurrency_suffix: publish-release-draft secrets: fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }} validate-inputs: needs: [ check-synchronization ] - if: ${{ !cancelled() && (needs.check-synchronization.result == 'skipped' || needs.check-synchronization.outputs.checks_passed == 'true') }} + if: needs.check-synchronization.outputs.checks_passed == 'true' runs-on: ubuntu-latest outputs: release_tag: ${{ steps.validate_inputs.outputs.release_tag }} diff --git a/.github/workflows/release-31_promote-rc-to-final.yml b/.github/workflows/release-31_promote-rc-to-final.yml index 75d5559e5b84d..749bf6406a482 100644 --- a/.github/workflows/release-31_promote-rc-to-final.yml +++ b/.github/workflows/release-31_promote-rc-to-final.yml @@ -22,14 +22,15 @@ on: jobs: check-synchronization: - if: ${{ github.event_name == 'workflow_dispatch' }} uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main + with: + concurrency_suffix: promote-rc-to-final secrets: fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }} validate-inputs: needs: [ check-synchronization ] - if: ${{ !cancelled() && (needs.check-synchronization.result == 'skipped' || needs.check-synchronization.outputs.checks_passed == 'true') }} + if: needs.check-synchronization.outputs.checks_passed == 'true' runs-on: ubuntu-latest outputs: release_tag: ${{ steps.validate_inputs.outputs.release_tag }} diff --git a/.github/workflows/release-40_publish-deb-package.yml b/.github/workflows/release-40_publish-deb-package.yml index 9fd46415d3f34..8f235a6dc200d 100644 --- a/.github/workflows/release-40_publish-deb-package.yml +++ b/.github/workflows/release-40_publish-deb-package.yml @@ -15,15 +15,17 @@ on: required: true type: string + jobs: check-synchronization: - if: ${{ github.event_name == 'workflow_dispatch' }} uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main + with: + concurrency_suffix: publish-deb secrets: fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }} call-publish-workflow: needs: [check-synchronization] - if: ${{ !cancelled() && (needs.check-synchronization.result == 'skipped' || needs.check-synchronization.outputs.checks_passed == 'true') }} + if: needs.check-synchronization.outputs.checks_passed == 'true' uses: ./.github/workflows/release-reusable-publish-packages.yml with: tag: ${{ inputs.tag }} diff --git a/.github/workflows/release-41_publish-rpm-package.yml b/.github/workflows/release-41_publish-rpm-package.yml index aea2a3da81c8e..3c7f145dd0756 100644 --- a/.github/workflows/release-41_publish-rpm-package.yml +++ b/.github/workflows/release-41_publish-rpm-package.yml @@ -29,13 +29,14 @@ on: jobs: check-synchronization: - if: ${{ github.event_name == 'workflow_dispatch' }} uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main + with: + concurrency_suffix: publish-rpm secrets: fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }} call-publish-workflow: needs: [check-synchronization] - if: ${{ !cancelled() && (needs.check-synchronization.result == 'skipped' || needs.check-synchronization.outputs.checks_passed == 'true') }} + if: needs.check-synchronization.outputs.checks_passed == 'true' uses: ./.github/workflows/release-reusable-publish-packages.yml with: tag: ${{ inputs.tag }} diff --git a/.github/workflows/release-50_publish-docker.yml b/.github/workflows/release-50_publish-docker.yml index f2ae090b310ae..68b4d3902dc16 100644 --- a/.github/workflows/release-50_publish-docker.yml +++ b/.github/workflows/release-50_publish-docker.yml @@ -65,14 +65,15 @@ env: jobs: check-synchronization: - if: ${{ github.event_name == 'workflow_dispatch' }} uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main + with: + concurrency_suffix: publish-docker-${{ inputs.binary }} secrets: fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }} validate-inputs: needs: [check-synchronization] - if: ${{ !cancelled() && (needs.check-synchronization.result == 'skipped' || needs.check-synchronization.outputs.checks_passed == 'true') }} + if: needs.check-synchronization.outputs.checks_passed == 'true' runs-on: ubuntu-latest outputs: version: ${{ steps.validate_inputs.outputs.VERSION }} diff --git a/.github/workflows/release-70_combined-publish-release.yml b/.github/workflows/release-70_combined-publish-release.yml index 9b5036477ba41..26ab48ccbc2fe 100644 --- a/.github/workflows/release-70_combined-publish-release.yml +++ b/.github/workflows/release-70_combined-publish-release.yml @@ -53,6 +53,8 @@ jobs: check-synchronization: uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main + with: + concurrency_suffix: combined-publish secrets: fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }} @@ -67,6 +69,7 @@ jobs: with: binary: ${{ inputs.binary }} release_tag: ${{ inputs.release_tag }} + secrets: inherit # ============================================== @@ -79,6 +82,7 @@ jobs: with: tag: ${{ needs.promote-rc-to-final.outputs.final_tag }} distribution: release + secrets: inherit publish-rpm-package: @@ -88,6 +92,7 @@ jobs: with: tag: ${{ needs.promote-rc-to-final.outputs.final_tag }} distribution: ${{ inputs.distribution }} + secrets: inherit # ============================================== @@ -105,6 +110,7 @@ jobs: owner: ${{ inputs.owner }} version: ${{ inputs.version }} stable_tag: ${{ needs.promote-rc-to-final.outputs.final_tag }} + secrets: inherit publish-docker-polkadot-parachain: @@ -120,6 +126,7 @@ jobs: owner: ${{ inputs.owner }} version: ${{ inputs.version }} stable_tag: ${{ needs.promote-rc-to-final.outputs.final_tag }} + secrets: inherit publish-docker-polkadot-omni-node: @@ -135,6 +142,7 @@ jobs: owner: ${{ inputs.owner }} version: ${{ inputs.version }} stable_tag: ${{ needs.promote-rc-to-final.outputs.final_tag }} + secrets: inherit publish-docker-chain-spec-builder: @@ -150,4 +158,5 @@ jobs: owner: ${{ inputs.owner }} version: ${{ inputs.version }} stable_tag: ${{ needs.promote-rc-to-final.outputs.final_tag }} + secrets: inherit diff --git a/.github/workflows/release-80_publish-crates.yml b/.github/workflows/release-80_publish-crates.yml index d72b71964e20b..a52c796bb6559 100644 --- a/.github/workflows/release-80_publish-crates.yml +++ b/.github/workflows/release-80_publish-crates.yml @@ -57,6 +57,8 @@ permissions: jobs: check-synchronization: uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main + with: + concurrency_suffix: publish-crates secrets: fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }} diff --git a/.github/workflows/release-reusable-publish-packages.yml b/.github/workflows/release-reusable-publish-packages.yml index 4464acb0a5e8b..3b42da12dcdf5 100644 --- a/.github/workflows/release-reusable-publish-packages.yml +++ b/.github/workflows/release-reusable-publish-packages.yml @@ -25,14 +25,15 @@ on: jobs: check-synchronization: - if: ${{ github.event_name == 'workflow_dispatch' }} uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main + with: + concurrency_suffix: reusable-publish-packages secrets: fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }} validate-inputs: needs: [check-synchronization] - if: ${{ !cancelled() && (needs.check-synchronization.result == 'skipped' || needs.check-synchronization.outputs.checks_passed == 'true') }} + if: needs.check-synchronization.outputs.checks_passed == 'true' runs-on: ubuntu-latest outputs: release_tag: ${{ steps.validate_inputs.outputs.release_tag }}