tenseleyflow/shithub / 8523373

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+// Package concurrency owns workflow-level Actions concurrency groups.

+package concurrency

+

+import (

+	"context"

+	"errors"

+	"fmt"

+	"strings"

+	"unicode/utf8"

+

+	"github.com/tenseleyFlow/shithub/internal/actions/runstate"

+	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/actions/workflow"

+)

+

+const (

+	// MaxGroupChars mirrors workflow_runs.concurrency_group's CHECK

+	// constraint. Enforcing it before insert gives workflow authors a useful

+	// error instead of a generic constraint failure.

+	MaxGroupChars = 256

+

+	// CancelReason is the metrics label used when a newer run cancels older

+	// group occupants.

+	CancelReason = "concurrency"

+)

+

+// ResolveInput carries the trigger-time context available to concurrency.group

+// expression evaluation. Secrets are intentionally not populated here.

+type ResolveInput struct {

+	Workflow     *workflow.Workflow

+	EventPayload map[string]any

+	HeadSHA      string

+	HeadRef      string

+}

+

+// Resolution is the trigger-time concurrency policy for one workflow run.

+type Resolution struct {

+	Group            string

+	CancelInProgress bool

+}

+

+// Resolve evaluates workflow.concurrency.group against the trigger context.

+func Resolve(in ResolveInput) (Resolution, error) {

+	if in.Workflow == nil {

+		return Resolution{}, errors.New("actions concurrency: nil Workflow")

+	}

+	c := in.Workflow.Concurrency

+	raw := strings.TrimSpace(c.Group.Raw)

+	if raw == "" {

+		return Resolution{}, nil

+	}

+	group, err := ResolveGroup(raw, EvalContext{

+		EventPayload: in.EventPayload,

+		HeadSHA:      in.HeadSHA,

+		HeadRef:      in.HeadRef,

+	})

+	if err != nil {

+		return Resolution{}, err

+	}

+	if group == "" {

+		return Resolution{}, nil

+	}

+	return Resolution{Group: group, CancelInProgress: c.CancelInProgress}, nil

+}

+

+// EnforceParams identifies a newly enqueued run whose concurrency group should

+// be checked against older active runs in the same repo.

+type EnforceParams struct {

+	Run              actionsdb.WorkflowRun

+	CancelInProgress bool

+}

+

+// EnforceResult summarizes what the slot manager observed and changed.

+type EnforceResult struct {

+	BlockingRuns  []actionsdb.WorkflowRun

+	CancelledJobs []actionsdb.WorkflowJob

+}

+

+// Enforce applies workflow-level concurrency rules. With cancel-in-progress it

+// requests cancellation for older active occupants. Without it, this only locks

+// and reports blockers; ClaimQueuedWorkflowJob keeps the newer run pending.

+func Enforce(

+	ctx context.Context,

+	q *actionsdb.Queries,

+	db actionsdb.DBTX,

+	p EnforceParams,

+) (EnforceResult, error) {

+	if q == nil {

+		return EnforceResult{}, errors.New("actions concurrency: nil Queries")

+	}

+	if strings.TrimSpace(p.Run.ConcurrencyGroup) == "" {

+		return EnforceResult{}, nil

+	}

+	blockers, err := q.ListBlockingConcurrencyRunsForUpdate(ctx, db, actionsdb.ListBlockingConcurrencyRunsForUpdateParams{

+		RepoID:           p.Run.RepoID,

+		ConcurrencyGroup: p.Run.ConcurrencyGroup,

+		RunID:            p.Run.ID,

+	})

+	if err != nil {

+		return EnforceResult{}, err

+	}

+	out := EnforceResult{BlockingRuns: blockers}

+	if !p.CancelInProgress || len(blockers) == 0 {

+		return out, nil

+	}

+	for _, blocker := range blockers {

+		changed, err := q.RequestWorkflowRunCancel(ctx, db, blocker.ID)

+		if err != nil {

+			return EnforceResult{}, err

+		}

+		for _, job := range changed {

+			if job.Status == actionsdb.WorkflowJobStatusCancelled {

+				if _, err := q.CancelOpenWorkflowStepsForJob(ctx, db, job.ID); err != nil {

+					return EnforceResult{}, err

+				}

+			}

+		}

+		if len(changed) > 0 {

+			if _, _, err := runstate.RollupAfterCancel(ctx, q, db, blocker.ID); err != nil {

+				return EnforceResult{}, err

+			}

+			out.CancelledJobs = append(out.CancelledJobs, changed...)

+		}

+	}

+	return out, nil

+}

+

+func validateGroup(group string) (string, error) {

+	group = strings.TrimSpace(group)

+	if group == "" {

+		return "", nil

+	}

+	if utf8.RuneCountInString(group) > MaxGroupChars {

+		return "", fmt.Errorf("actions concurrency: group exceeds %d characters", MaxGroupChars)

+	}

+	return group, nil

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package concurrency

+

+import (

+	"fmt"

+	"strings"

+

+	"github.com/tenseleyFlow/shithub/internal/actions/expr"

+)

+

+// EvalContext is the limited trigger-time expression context for a

+// concurrency.group value. It deliberately excludes secrets.

+type EvalContext struct {

+	EventPayload map[string]any

+	HeadSHA      string

+	HeadRef      string

+}

+

+// ResolveGroup evaluates `${{ ... }}` fragments in a concurrency group value.

+// Literal text outside expressions is preserved.

+func ResolveGroup(raw string, in EvalContext) (string, error) {

+	ctx := expr.Context{

+		Shithub: expr.ShithubContext{

+			Event: in.EventPayload,

+			SHA:   in.HeadSHA,

+			Ref:   in.HeadRef,

+		},

+		Untrusted: expr.DefaultUntrusted(),

+	}

+	var out strings.Builder

+	if err := walkExpressions(raw, func(literal, body string) error {

+		if body == "" {

+			out.WriteString(literal)

+			return nil

+		}

+		out.WriteString(literal)

+		v, err := eval(body, &ctx)

+		if err != nil {

+			return err

+		}

+		out.WriteString(v.String())

+		return nil

+	}); err != nil {

+		return "", fmt.Errorf("actions concurrency: resolve group: %w", err)

+	}

+	return validateGroup(out.String())

+}

+

+func eval(body string, ctx *expr.Context) (expr.Value, error) {

+	toks, err := expr.Lex(strings.TrimSpace(body))

+	if err != nil {

+		return expr.Value{}, err

+	}

+	ast, err := expr.Parse(toks)

+	if err != nil {

+		return expr.Value{}, err

+	}

+	return expr.Eval(ast, ctx)

+}

+

+func walkExpressions(raw string, fn func(literal, body string) error) error {

+	for {

+		start := strings.Index(raw, "${{")

+		if start < 0 {

+			return fn(raw, "")

+		}

+		end := strings.Index(raw[start+3:], "}}")

+		if end < 0 {

+			return fmt.Errorf("render expression: missing closing }}")

+		}

+		end += start + 3

+		if err := fn(raw[:start], raw[start+3:end]); err != nil {

+			return err

+		}

+		raw = raw[end+2:]

+	}

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package concurrency_test

+

+import (

+	"strings"

+	"testing"

+

+	"github.com/tenseleyFlow/shithub/internal/actions/concurrency"

+)

+

+func TestResolveGroup_EvaluatesTriggerContext(t *testing.T) {

+	t.Parallel()

+	got, err := concurrency.ResolveGroup("branch-${{ shithub.ref }}-${{ shithub.event.head_commit.id }}", concurrency.EvalContext{

+		EventPayload: map[string]any{

+			"head_commit": map[string]any{"id": "abc123"},

+		},

+		HeadSHA: "abc123",

+		HeadRef: "refs/heads/trunk",

+	})

+	if err != nil {

+		t.Fatalf("ResolveGroup: %v", err)

+	}

+	want := "branch-refs/heads/trunk-abc123"

+	if got != want {

+		t.Fatalf("group: got %q want %q", got, want)

+	}

+}

+

+func TestResolveGroup_GithubAliasAndMissingEventPath(t *testing.T) {

+	t.Parallel()

+	got, err := concurrency.ResolveGroup("${{ github.ref }}-${{ shithub.event.missing }}", concurrency.EvalContext{

+		HeadRef: "refs/heads/main",

+	})

+	if err != nil {

+		t.Fatalf("ResolveGroup: %v", err)

+	}

+	if got != "refs/heads/main-" {

+		t.Fatalf("group: got %q", got)

+	}

+}

+

+func TestResolveGroup_RejectsTooLongGroup(t *testing.T) {

+	t.Parallel()

+	_, err := concurrency.ResolveGroup(strings.Repeat("x", concurrency.MaxGroupChars+1), concurrency.EvalContext{})

+	if err == nil {

+		t.Fatal("ResolveGroup returned nil error for oversized group")

+	}

+}

+    JOIN workflow_runs r ON r.id = j.run_id

+      AND r.status IN ('queued', 'running')

+      AND NOT EXISTS (

+          SELECT 1

+          FROM workflow_runs blocker

+          WHERE r.concurrency_group <> ''

+            AND blocker.repo_id = r.repo_id

+            AND blocker.concurrency_group = r.concurrency_group

+            AND blocker.id <> r.id

+            AND blocker.status IN ('queued', 'running')

+            AND (blocker.created_at, blocker.id) < (r.created_at, r.id)

+            AND EXISTS (

+                SELECT 1

+                FROM workflow_jobs blocker_job

+                WHERE blocker_job.run_id = blocker.id

+                  AND blocker_job.status IN ('queued', 'running')

+                  AND blocker_job.cancel_requested = false

+            )

+      )

+-- name: ListBlockingConcurrencyRunsForUpdate :many

+-- Older queued/running runs with the same group block the new run while they

+-- still have at least one queued/running job that has not already received a

+-- cancel request. cancel-in-progress releases the slot by flipping that job

+-- flag even if the runner is still draining the old container.

+SELECT r.id, r.repo_id, r.run_index, r.workflow_file, r.workflow_name,

+       r.head_sha, r.head_ref, r.event, r.event_payload,

+       r.actor_user_id, r.parent_run_id, r.concurrency_group,

+       r.status, r.conclusion, r.pinned, r.need_approval, r.approved_by_user_id,

+       r.started_at, r.completed_at, r.version, r.created_at, r.updated_at, r.trigger_event_id

+FROM workflow_runs r

+JOIN workflow_runs current_run ON current_run.id = sqlc.arg(run_id)::bigint

+WHERE r.repo_id = sqlc.arg(repo_id)::bigint

+  AND r.concurrency_group = sqlc.arg(concurrency_group)::text

+  AND r.concurrency_group <> ''

+  AND r.id <> current_run.id

+  AND r.status IN ('queued', 'running')

+  AND (r.created_at, r.id) < (current_run.created_at, current_run.id)

+  AND EXISTS (

+      SELECT 1

+      FROM workflow_jobs j

+      WHERE j.run_id = r.id

+        AND j.status IN ('queued', 'running')

+        AND j.cancel_requested = false

+  )

+ORDER BY r.created_at ASC, r.id ASC

+FOR UPDATE OF r;

+

+	// Older queued/running runs with the same group block the new run while they

+	// still have at least one queued/running job that has not already received a

+	// cancel request. cancel-in-progress releases the slot by flipping that job

+	// flag even if the runner is still draining the old container.

+	ListBlockingConcurrencyRunsForUpdate(ctx context.Context, db DBTX, arg ListBlockingConcurrencyRunsForUpdateParams) ([]WorkflowRun, error)

+    JOIN workflow_runs r ON r.id = j.run_id

+      AND r.status IN ('queued', 'running')

+      AND NOT EXISTS (

+          SELECT 1

+          FROM workflow_runs blocker

+          WHERE r.concurrency_group <> ''

+            AND blocker.repo_id = r.repo_id

+            AND blocker.concurrency_group = r.concurrency_group

+            AND blocker.id <> r.id

+            AND blocker.status IN ('queued', 'running')

+            AND (blocker.created_at, blocker.id) < (r.created_at, r.id)

+            AND EXISTS (

+                SELECT 1

+                FROM workflow_jobs blocker_job

+                WHERE blocker_job.run_id = blocker.id

+                  AND blocker_job.status IN ('queued', 'running')

+                  AND blocker_job.cancel_requested = false

+            )

+      )

+const listBlockingConcurrencyRunsForUpdate = `-- name: ListBlockingConcurrencyRunsForUpdate :many

+SELECT r.id, r.repo_id, r.run_index, r.workflow_file, r.workflow_name,

+       r.head_sha, r.head_ref, r.event, r.event_payload,

+       r.actor_user_id, r.parent_run_id, r.concurrency_group,

+       r.status, r.conclusion, r.pinned, r.need_approval, r.approved_by_user_id,

+       r.started_at, r.completed_at, r.version, r.created_at, r.updated_at, r.trigger_event_id

+FROM workflow_runs r

+JOIN workflow_runs current_run ON current_run.id = $1::bigint

+WHERE r.repo_id = $2::bigint

+  AND r.concurrency_group = $3::text

+  AND r.concurrency_group <> ''

+  AND r.id <> current_run.id

+  AND r.status IN ('queued', 'running')

+  AND (r.created_at, r.id) < (current_run.created_at, current_run.id)

+  AND EXISTS (

+      SELECT 1

+      FROM workflow_jobs j

+      WHERE j.run_id = r.id

+        AND j.status IN ('queued', 'running')

+        AND j.cancel_requested = false

+  )

+ORDER BY r.created_at ASC, r.id ASC

+FOR UPDATE OF r

+`

+

+type ListBlockingConcurrencyRunsForUpdateParams struct {

+	RunID            int64

+	RepoID           int64

+	ConcurrencyGroup string

+}

+

+// Older queued/running runs with the same group block the new run while they

+// still have at least one queued/running job that has not already received a

+// cancel request. cancel-in-progress releases the slot by flipping that job

+// flag even if the runner is still draining the old container.

+func (q *Queries) ListBlockingConcurrencyRunsForUpdate(ctx context.Context, db DBTX, arg ListBlockingConcurrencyRunsForUpdateParams) ([]WorkflowRun, error) {

+	rows, err := db.Query(ctx, listBlockingConcurrencyRunsForUpdate, arg.RunID, arg.RepoID, arg.ConcurrencyGroup)

+	if err != nil {

+		return nil, err

+	}

+	defer rows.Close()

+	items := []WorkflowRun{}

+	for rows.Next() {

+		var i WorkflowRun

+		if err := rows.Scan(

+			&i.ID,

+			&i.RepoID,

+			&i.RunIndex,

+			&i.WorkflowFile,

+			&i.WorkflowName,

+			&i.HeadSha,

+			&i.HeadRef,

+			&i.Event,

+			&i.EventPayload,

+			&i.ActorUserID,

+			&i.ParentRunID,

+			&i.ConcurrencyGroup,

+			&i.Status,

+			&i.Conclusion,

+			&i.Pinned,

+			&i.NeedApproval,

+			&i.ApprovedByUserID,

+			&i.StartedAt,

+			&i.CompletedAt,

+			&i.Version,

+			&i.CreatedAt,

+			&i.UpdatedAt,

+			&i.TriggerEventID,

+		); err != nil {

+			return nil, err

+		}

+		items = append(items, i)

+	}

+	if err := rows.Err(); err != nil {

+		return nil, err

+	}

+	return items, nil

+}

+

+	"github.com/tenseleyFlow/shithub/internal/actions/checksync"

+	"github.com/tenseleyFlow/shithub/internal/actions/concurrency"

+	// persisted; concurrency.group is resolved against the trigger

+	// context and enforced before runners can claim younger jobs.

+	concurrencyResolution, err := concurrency.Resolve(concurrency.ResolveInput{

+		Workflow:     p.Workflow,

+		EventPayload: p.EventPayload,

+		HeadSHA:      p.HeadSHA,

+		HeadRef:      p.HeadRef,

+	})

+	if err != nil {

+		return Result{}, fmt.Errorf("trigger: concurrency: %w", err)

+	}

+		ConcurrencyGroup: concurrencyResolution.Group,

+	concurrencyResult, err := concurrency.Enforce(ctx, q, tx, concurrency.EnforceParams{

+		Run:              run,

+		CancelInProgress: concurrencyResolution.CancelInProgress,

+	})

+	if err != nil {

+		return Result{}, fmt.Errorf("trigger: enforce concurrency: %w", err)

+	}

+

+	if len(concurrencyResult.CancelledJobs) > 0 {

+		metrics.ActionsJobsCancelledTotal.WithLabelValues(concurrency.CancelReason).Add(float64(len(concurrencyResult.CancelledJobs)))

+		checksync.ChangedJobs(ctx, checksync.Deps{Pool: deps.Pool, Logger: deps.Logger}, concurrencyResult.CancelledJobs)

+	} else if !concurrencyResolution.CancelInProgress && len(concurrencyResult.BlockingRuns) > 0 {

+		metrics.ActionsConcurrencyQueuedTotal.Inc()

+	}

+

+	"fmt"

+	return workflowFromYAML(t, `name: ci

+}

+

+func concurrencyWorkflow(t *testing.T, group string, cancelInProgress bool) *workflow.Workflow {

+	t.Helper()

+	return workflowFromYAML(t, fmt.Sprintf(`name: ci

+on: push

+concurrency:

+  group: "%s"

+  cancel-in-progress: %t

+jobs:

+  build:

+    runs-on: ubuntu-latest

+    steps:

+      - uses: actions/checkout@v4

+      - run: echo hello

+`, group, cancelInProgress))

+}

+

+func workflowFromYAML(t *testing.T, src string) *workflow.Workflow {

+	t.Helper()

+	w, diags, err := workflow.Parse([]byte(src))

+func TestEnqueue_ResolvesConcurrencyGroupExpression(t *testing.T) {

+	f := setupEnq(t)

+	ctx := context.Background()

+	res, err := trigger.Enqueue(ctx, f.deps, trigger.EnqueueParams{

+		RepoID:         f.repoID,

+		WorkflowFile:   ".shithub/workflows/ci.yml",

+		HeadSHA:        strings.Repeat("a", 40),

+		HeadRef:        "refs/heads/feature",

+		EventKind:      trigger.EventPush,

+		EventPayload:   map[string]any{"ref": "refs/heads/feature"},

+		ActorUserID:    f.userID,

+		TriggerEventID: "push:concurrency-expr",

+		Workflow:       concurrencyWorkflow(t, "branch-${{ shithub.ref }}", false),

+	})

+	if err != nil {

+		t.Fatalf("Enqueue: %v", err)

+	}

+	run, err := actionsdb.New().GetWorkflowRunByID(ctx, f.pool, res.RunID)

+	if err != nil {

+		t.Fatalf("GetWorkflowRunByID: %v", err)

+	}

+	if run.ConcurrencyGroup != "branch-refs/heads/feature" {

+		t.Fatalf("concurrency_group: got %q", run.ConcurrencyGroup)

+	}

+}

+

+func TestEnqueue_CancelInProgressCancelsOlderQueuedRun(t *testing.T) {

+	f := setupEnq(t)

+	ctx := context.Background()

+	q := actionsdb.New()

+	first, err := trigger.Enqueue(ctx, f.deps, trigger.EnqueueParams{

+		RepoID:         f.repoID,

+		WorkflowFile:   ".shithub/workflows/ci.yml",

+		HeadSHA:        strings.Repeat("a", 40),

+		HeadRef:        "refs/heads/trunk",

+		EventKind:      trigger.EventPush,

+		EventPayload:   map[string]any{"ref": "refs/heads/trunk"},

+		ActorUserID:    f.userID,

+		TriggerEventID: "push:concurrency-cancel-1",

+		Workflow:       concurrencyWorkflow(t, "${{ shithub.ref }}", false),

+	})

+	if err != nil {

+		t.Fatalf("first Enqueue: %v", err)

+	}

+	second, err := trigger.Enqueue(ctx, f.deps, trigger.EnqueueParams{

+		RepoID:         f.repoID,

+		WorkflowFile:   ".shithub/workflows/ci.yml",

+		HeadSHA:        strings.Repeat("b", 40),

+		HeadRef:        "refs/heads/trunk",

+		EventKind:      trigger.EventPush,

+		EventPayload:   map[string]any{"ref": "refs/heads/trunk"},

+		ActorUserID:    f.userID,

+		TriggerEventID: "push:concurrency-cancel-2",

+		Workflow:       concurrencyWorkflow(t, "${{ shithub.ref }}", true),

+	})

+	if err != nil {

+		t.Fatalf("second Enqueue: %v", err)

+	}

+	oldRun, err := q.GetWorkflowRunByID(ctx, f.pool, first.RunID)

+	if err != nil {

+		t.Fatalf("GetWorkflowRunByID old: %v", err)

+	}

+	if oldRun.Status != actionsdb.WorkflowRunStatusCompleted ||

+		!oldRun.Conclusion.Valid ||

+		oldRun.Conclusion.CheckConclusion != actionsdb.CheckConclusionCancelled {

+		t.Fatalf("old run not cancelled: %+v", oldRun)

+	}

+	oldJobs, err := q.ListJobsForRun(ctx, f.pool, first.RunID)

+	if err != nil {

+		t.Fatalf("ListJobsForRun old: %v", err)

+	}

+	if len(oldJobs) != 1 || oldJobs[0].Status != actionsdb.WorkflowJobStatusCancelled {

+		t.Fatalf("old jobs not cancelled: %+v", oldJobs)

+	}

+	oldSteps, err := q.ListStepsForJob(ctx, f.pool, oldJobs[0].ID)

+	if err != nil {

+		t.Fatalf("ListStepsForJob old: %v", err)

+	}

+	for _, step := range oldSteps {

+		if step.Status != actionsdb.WorkflowStepStatusCancelled {

+			t.Fatalf("step %d status: got %s want cancelled", step.ID, step.Status)

+		}

+	}

+	newRun, err := q.GetWorkflowRunByID(ctx, f.pool, second.RunID)

+	if err != nil {

+		t.Fatalf("GetWorkflowRunByID new: %v", err)

+	}

+	if newRun.Status != actionsdb.WorkflowRunStatusQueued {

+		t.Fatalf("new run status: got %s want queued", newRun.Status)

+	}

+}

+

+func TestClaimQueuedWorkflowJob_BlocksYoungerConcurrencyRun(t *testing.T) {

+	f := setupEnq(t)

+	ctx := context.Background()

+	q := actionsdb.New()

+	first, err := trigger.Enqueue(ctx, f.deps, trigger.EnqueueParams{

+		RepoID:         f.repoID,

+		WorkflowFile:   ".shithub/workflows/ci.yml",

+		HeadSHA:        strings.Repeat("c", 40),

+		HeadRef:        "refs/heads/trunk",

+		EventKind:      trigger.EventPush,

+		EventPayload:   map[string]any{"ref": "refs/heads/trunk"},

+		ActorUserID:    f.userID,

+		TriggerEventID: "push:concurrency-block-1",

+		Workflow:       concurrencyWorkflow(t, "${{ shithub.ref }}", false),

+	})

+	if err != nil {

+		t.Fatalf("first Enqueue: %v", err)

+	}

+	second, err := trigger.Enqueue(ctx, f.deps, trigger.EnqueueParams{

+		RepoID:         f.repoID,

+		WorkflowFile:   ".shithub/workflows/ci.yml",

+		HeadSHA:        strings.Repeat("d", 40),

+		HeadRef:        "refs/heads/trunk",

+		EventKind:      trigger.EventPush,

+		EventPayload:   map[string]any{"ref": "refs/heads/trunk"},

+		ActorUserID:    f.userID,

+		TriggerEventID: "push:concurrency-block-2",

+		Workflow:       concurrencyWorkflow(t, "${{ shithub.ref }}", false),

+	})

+	if err != nil {

+		t.Fatalf("second Enqueue: %v", err)

+	}

+	runner, err := q.InsertRunner(ctx, f.pool, actionsdb.InsertRunnerParams{

+		Name:     "runner-block",

+		Labels:   []string{"ubuntu-latest"},

+		Capacity: 2,

+	})

+	if err != nil {

+		t.Fatalf("InsertRunner: %v", err)

+	}

+	claimed, err := q.ClaimQueuedWorkflowJob(ctx, f.pool, actionsdb.ClaimQueuedWorkflowJobParams{

+		Labels:   []string{"ubuntu-latest"},

+		RunnerID: runner.ID,

+	})

+	if err != nil {

+		t.Fatalf("first ClaimQueuedWorkflowJob: %v", err)

+	}

+	if claimed.RunID != first.RunID {

+		t.Fatalf("claimed run: got %d want first run %d", claimed.RunID, first.RunID)

+	}

+	_, err = q.ClaimQueuedWorkflowJob(ctx, f.pool, actionsdb.ClaimQueuedWorkflowJobParams{

+		Labels:   []string{"ubuntu-latest"},

+		RunnerID: runner.ID,

+	})

+	if !errors.Is(err, pgx.ErrNoRows) {

+		t.Fatalf("second claim error: got %v want pgx.ErrNoRows", err)

+	}

+	changed, err := q.RequestWorkflowRunCancel(ctx, f.pool, first.RunID)

+	if err != nil {

+		t.Fatalf("RequestWorkflowRunCancel: %v", err)

+	}

+	if len(changed) != 1 || !changed[0].CancelRequested {

+		t.Fatalf("cancel request did not release blocker: %+v", changed)

+	}

+	released, err := q.ClaimQueuedWorkflowJob(ctx, f.pool, actionsdb.ClaimQueuedWorkflowJobParams{

+		Labels:   []string{"ubuntu-latest"},

+		RunnerID: runner.ID,

+	})

+	if err != nil {

+		t.Fatalf("claim after cancel request: %v", err)

+	}

+	if released.RunID != second.RunID {

+		t.Fatalf("released claim run: got %d want second run %d", released.RunID, second.RunID)

+	}

+}

+

+	ActionsConcurrencyQueuedTotal = prometheus.NewCounter(

+		prometheus.CounterOpts{

+			Name: "shithub_actions_concurrency_queued_total",

+			Help: "Total Actions workflow runs queued behind an older active run in the same concurrency group.",

+		},

+	)

+		ActionsConcurrencyQueuedTotal,