fix(ci): add top-level permissions and concurrency to workflows

[Jefsky]

Summary

Adds missing permissions and concurrency blocks to GitHub Actions workflows, addressing:

• Add explicit permissions to 10 GitHub Actions workflows #11026 — Add explicit permissions to 10 GitHub Actions workflows
• Add concurrency control to 23 GitHub Actions workflows #11027 — Add concurrency control to 23 GitHub Actions workflows

Changes by category

Read-only permissions + concurrency:

• ci-json-validation, ci-python-validation, ci-shell-validation, ci-yaml-validation
• ci-tests-storybook, model-page-discovery

Write permissions + concurrency:

• api-update-electron-api-types, api-update-manager-api-types
• i18n-update-core, i18n-update-custom-nodes, i18n-update-nodes

Concurrency only — cancel=false (release/deploy):

• release-biweekly-comfyui, release-branch-create, release-draft-create
• release-pypi-dev, version-bump-desktop-ui, publish-desktop-ui-on-merge

Concurrency only — cancel=true:

• cloud-backport-tag, cloud-dispatch-cleanup, pr-request-team-review

Many workflows already had these blocks — the audit flagged all ~50 but most were already compliant. Only the truly missing workflows were updated.

┆Issue is synchronized with this Notion page by Unito

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR systematically adds GitHub Actions workflow security and concurrency controls across 18 workflows. Write-enabled workflows receive explicit permissions for contents and pull-requests, CI validation workflows receive read-only content permissions, and cloud/release workflows receive concurrency configuration to prevent overlapping executions or preserve in-flight releases.

Changes

Workflow Security and Concurrency Controls

Layer / File(s)	Summary
Write-enabled workflows: permissions and concurrency .github/workflows/api-update-electron-api-types.yaml, .github/workflows/api-update-manager-api-types.yaml, .github/workflows/i18n-update-core.yaml, .github/workflows/i18n-update-custom-nodes.yaml, .github/workflows/i18n-update-nodes.yaml	Five workflows that create or modify repository content receive explicit permissions for contents: write and pull-requests: write, along with concurrency groups keyed by ${{ github.workflow }}-${{ github.ref }} with cancel-in-progress: true to prevent concurrent executions.
CI validation workflows: read permissions and concurrency .github/workflows/ci-json-validation.yaml, .github/workflows/ci-python-validation.yaml, .github/workflows/ci-shell-validation.yaml, .github/workflows/ci-yaml-validation.yaml, .github/workflows/ci-tests-storybook.yaml, .github/workflows/model-page-discovery.yaml	Six CI validation workflows receive permissions: { contents: read } and concurrency configuration grouping by workflow/ref with cancel-in-progress: true (ci-tests-storybook includes concurrency without an explicit permissions block).
Cloud and release workflows: concurrency control .github/workflows/pr-request-team-review.yaml, .github/workflows/cloud-backport-tag.yaml, .github/workflows/cloud-dispatch-cleanup.yaml, .github/workflows/publish-desktop-ui-on-merge.yaml, .github/workflows/release-biweekly-comfyui.yaml, .github/workflows/release-branch-create.yaml, .github/workflows/release-draft-create.yaml, .github/workflows/release-pypi-dev.yaml, .github/workflows/version-bump-desktop-ui.yaml	Seven cloud and release workflows receive concurrency blocks keyed by workflow and ref, with cancel-in-progress: true for user-facing pr-request-team-review and cancel-in-progress: false for release automation to avoid interrupting in-flight deployments.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐇 Workflows secure, concurrency tamed,
Permissions explicit, each action named,
No duplication on every ref,
Release runs safe, PR tasks deft! ✨

🚥 Pre-merge checks | ✅ 7

✅ Passed checks (7 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding permissions and concurrency blocks to GitHub Actions workflows, which matches the actual changes across 19 workflow files.
Description check	✅ Passed	The description provides a clear summary of changes, categorizes affected workflows by permission type and concurrency behavior, and addresses two specific issues (#11026, #11027). While the description template requests a 'Changes' section, the PR description uses a superior categorized approach that is more informative and detailed.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
End-To-End Regression Coverage For Fixes	✅ Passed	PR modifies only GitHub Actions workflow files under .github/workflows/. The custom check explicitly exempts CI process changes from end-to-end regression test requirements.
Adr Compliance For Entity/Litegraph Changes	✅ Passed	Check not applicable: PR only modifies GitHub Actions workflow files in .github/workflows/, not files under src/lib/litegraph/, src/ecs/, or graph entity-related paths.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🎨 Storybook: Building...

[github-actions]

🎭 Playwright: ⏳ Running...

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/version-bump-desktop-ui.yaml (1)

23-25: Verify concurrency behavior for different input branches.

The concurrency group ${{ github.workflow }}-${{ github.ref }} serializes all manual triggers of this workflow from the same ref, regardless of the branch input. If a user triggers a version bump for core/1.29 and another triggers a bump for core/1.30, the second will wait for the first to complete.

If concurrent version bumps for different target branches are desired, consider including the input parameter in the group:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.inputs.branch }}
  cancel-in-progress: false

If serializing all version bumps is intentional for controlled sequential execution, the current implementation is correct.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/version-bump-desktop-ui.yaml around lines 23 - 25, The
concurrency group currently uses `${{ github.workflow }}-${{ github.ref }}`
which serializes all manual runs on the same ref regardless of the workflow
input `branch`; update the concurrency `group` to include the input parameter
(e.g., append `${{ github.event.inputs.branch }}`) so runs targeting different
branches (like `core/1.29` vs `core/1.30`) can run concurrently, or leave it
as-is if intentional serial execution is desired—change the `concurrency.group`
value accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci-tests-storybook.yaml:
- Around line 10-12: Add a workflow-level permissions baseline by declaring a
top-level "permissions: contents: read" in the workflow YAML so the workflow no
longer inherits broader repository GITHUB_TOKEN scopes; keep the existing
job-level permission overrides for the PR-comment-related jobs (e.g.,
storybook-build, chromatic-deployment, deploy-production) intact to maintain
their specific privileges while enforcing least-privilege for the whole workflow
that currently contains the "concurrency" block with "group" and
"cancel-in-progress".

---

Nitpick comments:
In @.github/workflows/version-bump-desktop-ui.yaml:
- Around line 23-25: The concurrency group currently uses `${{ github.workflow
}}-${{ github.ref }}` which serializes all manual runs on the same ref
regardless of the workflow input `branch`; update the concurrency `group` to
include the input parameter (e.g., append `${{ github.event.inputs.branch }}`)
so runs targeting different branches (like `core/1.29` vs `core/1.30`) can run
concurrently, or leave it as-is if intentional serial execution is
desired—change the `concurrency.group` value accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ccd455c8-eb17-4ef7-9f2f-b17238bfdc8c

📥 Commits

Reviewing files that changed from the base of the PR and between d955625 and 9e11b64.

📒 Files selected for processing (20)

• .github/workflows/api-update-electron-api-types.yaml
• .github/workflows/api-update-manager-api-types.yaml
• .github/workflows/ci-json-validation.yaml
• .github/workflows/ci-python-validation.yaml
• .github/workflows/ci-shell-validation.yaml
• .github/workflows/ci-tests-storybook.yaml
• .github/workflows/ci-yaml-validation.yaml
• .github/workflows/cloud-backport-tag.yaml
• .github/workflows/cloud-dispatch-cleanup.yaml
• .github/workflows/i18n-update-core.yaml
• .github/workflows/i18n-update-custom-nodes.yaml
• .github/workflows/i18n-update-nodes.yaml
• .github/workflows/model-page-discovery.yaml
• .github/workflows/pr-request-team-review.yaml
• .github/workflows/publish-desktop-ui-on-merge.yaml
• .github/workflows/release-biweekly-comfyui.yaml
• .github/workflows/release-branch-create.yaml
• .github/workflows/release-draft-create.yaml
• .github/workflows/release-pypi-dev.yaml
• .github/workflows/version-bump-desktop-ui.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add an explicit workflow-level permission baseline.

This workflow still leaves storybook-build, chromatic-deployment, and deploy-production on the repository default GITHUB_TOKEN scopes. That undercuts the least-privilege hardening this PR is applying elsewhere. Add a top-level permissions: contents: read here and keep the existing job-level overrides for the PR-comment jobs.

Suggested patch

+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: true
	permissions:
	contents: read
	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: true

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci-tests-storybook.yaml around lines 10 - 12, Add a
workflow-level permissions baseline by declaring a top-level "permissions:
contents: read" in the workflow YAML so the workflow no longer inherits broader
repository GITHUB_TOKEN scopes; keep the existing job-level permission overrides
for the PR-comment-related jobs (e.g., storybook-build, chromatic-deployment,
deploy-production) intact to maintain their specific privileges while enforcing
least-privilege for the whole workflow that currently contains the "concurrency"
block with "group" and "cancel-in-progress".