From f064e84c5d8143444343ce1966296ca4538109ad Mon Sep 17 00:00:00 2001
From: Michael Hucka
Date: Mon, 3 Mar 2025 16:18:26 -0800
Subject: [PATCH] Add additional GHA settings

This adds some miscellaneous settings:
- Set workflow default permissions as read-only (per security best practices)
- Support merge queues
- Support manual invocation (for debugging)
- Make it so that starting another run of this workflow will cancel any ongoing runs for the same PR or branch (e.g., because a new push happened while the workflow is still running from a previous push)
---
 .github/workflows/ci.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6c50a8af..f78030e9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,6 +13,7 @@
 # limitations under the License.
 name: ci
+
 on:
 push:
 branches:
@@ -22,6 +23,21 @@ on:
 pull_request:
 branches:
 - main
+ # Support merge queues.
+ merge_group:
+ types:
+ - checks_requested
+ # Allow manual invocation – useful for debugging.
+ workflow_dispatch:
+
+# Cancel any previously-started but still active runs on the same branch.
+concurrency:
+ cancel-in-progress: true
+ group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
+
+# Declare default permissions as read-only.
+permissions: read-all
+
 jobs:
 build_dist:
 runs-on: ${{ matrix.os_dist.os }}
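Review bot: `permissions: read-all` near the end of the second hunk still gives the workflow token read access to every scope, which is broader than a build-and-test workflow normally needs; least privilege would be a `permissions:` mapping holding only `contents: read`, with any further scope granted on the individual job that requires it. The jobs begin at `build_dist` and continue outside the hunk, so check that none of them depends on another read scope before narrowing. Separately, the `concurrency` group falls back to `github.ref` for non-PR events, so with `cancel-in-progress: true` a second push to the same branch cancels the run for the previous commit, which may then never get a completed CI result. Writing `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` would keep the cancellation for PR runs only.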