| Field | Value |
|---|---|
| Category | BEST-PRAC-4 |
| Severity | LOW |
| Confidence | HIGH |
| Persona | pedantic |
| Auto-fix | ✓ |
What the check does
Flags a deploy/release-shaped workflow — one that publishes a release-shaped artifact or declares a jobenvironment: — that has no concurrency: group at
the workflow level (or on every job).
Why it matters
Without a concurrency guard, two runs that overlap (rapid pushes, a re-run during an in-flight run) execute simultaneously. For deploy and release workflows that means racing on the deploy target, shared caches, and release artifacts — producing double-deploys, clobbered uploads, or inconsistent state. This is a reliability and supply-chain-integrity concern, not an OWASP/SLSA control, so it lives in the best-practice bucket.Safe alternative
Add a top-levelconcurrency: block keyed to the workflow and ref:
Auto-fix
pipefort --fix (and the web app’s fix button) inserts exactly this block at
the top of the workflow.