Improve GitHub Actions workflow metadata and concurrency settings (#163117)

.github/workflows/builder.yml

@@ -20,13 +20,17 @@ env:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   init:
     name: Initialize build
     if: github.repository_owner == 'home-assistant'
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: read # To check out the repository
     outputs:
       version: ${{ steps.version.outputs.version }}
       channel: ${{ steps.version.outputs.channel }}
@@ -88,9 +92,9 @@ jobs:
     needs: init
     runs-on: ${{ matrix.os }}
     permissions:
-      contents: read
-      packages: write
-      id-token: write
+      contents: read # To check out the repository
+      packages: write # To push to GHCR
+      id-token: write # For cosign signing
     strategy:
       fail-fast: false
       matrix:
@@ -270,9 +274,9 @@ jobs:
     needs: ["init", "build_base"]
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      packages: write
-      id-token: write
+      contents: read # To check out the repository
+      packages: write # To push to GHCR
+      id-token: write # For cosign signing
     strategy:
       matrix:
         machine:
@@ -372,9 +376,9 @@ jobs:
     needs: ["init", "build_base"]
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      packages: write
-      id-token: write
+      contents: read # To check out the repository
+      packages: write # To push to GHCR
+      id-token: write # For cosign signing
     strategy:
       fail-fast: false
       matrix:
@@ -509,8 +513,8 @@ jobs:
     needs: ["init", "build_base"]
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      id-token: write
+      contents: read # To check out the repository
+      id-token: write # For PyPI trusted publishing
     if: github.repository_owner == 'home-assistant' && needs.init.outputs.publish == 'true'
     steps:
       - name: Checkout the repository
@@ -550,10 +554,10 @@ jobs:
     name: Build and test hassfest image
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      packages: write
-      attestations: write
-      id-token: write
+      contents: read # To check out the repository
+      packages: write # To push to GHCR
+      attestations: write # For build provenance attestation
+      id-token: write # For build provenance attestation
     needs: ["init"]
     if: github.repository_owner == 'home-assistant'
     env:

.github/workflows/ci.yaml

@@ -78,8 +78,8 @@ jobs:
     name: Collect information & changes data
     runs-on: ubuntu-24.04
     permissions:
-      contents: read
-      pull-requests: read
+      contents: read # To check out the repository
+      pull-requests: read # For paths-filter to detect changed files
     outputs:
       # In case of issues with the partial run, use the following line instead:
       # test_full_suite: 'true'
@@ -1561,7 +1561,7 @@ jobs:
       - pytest-mariadb
     timeout-minutes: 10
     permissions:
-      id-token: write
+      id-token: write # For Codecov OIDC upload
     # codecov/test-results-action currently doesn't support tokenless uploads
     # therefore we can't run it on forks
     if: |

.github/workflows/codeql.yml

@@ -17,9 +17,9 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 360
     permissions:
-      actions: read
-      contents: read
-      security-events: write
+      actions: read # To read workflow information for CodeQL
+      contents: read # To check out the repository
+      security-events: write # To upload CodeQL results
 
     steps:
       - name: Check out code from GitHub

.github/workflows/detect-duplicate-issues.yml

@@ -7,12 +7,16 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.issue.number }}
+
 jobs:
   detect-duplicates:
+    name: Detect duplicate issues
     runs-on: ubuntu-latest
     permissions:
-      issues: write
-      models: read
+      issues: write # To comment on and label issues
+      models: read # For AI-based duplicate detection
 
     steps:
       - name: Check if integration label was added and extract details

.github/workflows/detect-non-english-issues.yml

@@ -7,12 +7,16 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.issue.number }}
+
 jobs:
   detect-language:
+    name: Detect non-English issues
     runs-on: ubuntu-latest
     permissions:
-      issues: write
-      models: read
+      issues: write # To comment on, label, and close issues
+      models: read # For AI-based language detection
 
     steps:
       - name: Check issue language

.github/workflows/lock.yml

@@ -7,13 +7,18 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: true
+
 jobs:
   lock:
+    name: Lock inactive threads
     if: github.repository_owner == 'home-assistant'
     runs-on: ubuntu-latest
     permissions:
-      issues: write
-      pull-requests: write
+      issues: write # To lock issues
+      pull-requests: write # To lock pull requests
     steps:
       - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v6.0.0
         with:

.github/workflows/restrict-task-creation.yml

@@ -7,11 +7,15 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.issue.number }}
+
 jobs:
   add-no-stale:
+    name: Add no-stale label
     runs-on: ubuntu-latest
     permissions:
-      issues: write
+      issues: write # To add labels to issues
     if: >-
       github.event.issue.type.name == 'Task'
       || github.event.issue.type.name == 'Epic'
@@ -29,10 +33,11 @@ jobs:
             });
 
   check-authorization:
+    name: Check authorization
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      issues: write
+      contents: read # To read CODEOWNERS file
+      issues: write # To comment on, label, and close issues
     # Only run if this is a Task issue type (from the issue form)
     if: github.event.issue.type.name == 'Task'
     steps:

.github/workflows/stale.yml

@@ -8,13 +8,18 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: true
+
 jobs:
   stale:
+    name: Mark stale issues and PRs
     if: github.repository_owner == 'home-assistant'
     runs-on: ubuntu-latest
     permissions:
-      issues: write
-      pull-requests: write
+      issues: write # To label and close stale issues
+      pull-requests: write # To label and close stale PRs
     steps:
       # The 60 day stale policy for PRs
       # Used for:

.github/workflows/translations.yml

@@ -11,6 +11,10 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: true
+
 env:
   DEFAULT_PYTHON: "3.14.2"