The security/codeql-gate job polls 90 × sleep 30 on a runner while waiting for the CodeQL workflow to finish. Under a busy queue (e.g. 13 open PRs on 2026-07-03) that meant many idle gate jobs squatting on runner slots — starving the very CodeQL runs they were waiting for, a self-amplifying congestion loop.
Now that #820 fixed the lookup (server-side head_sha filter — the run is found deterministically within ~1 min of trigger), the 45-min budget is obsolete. Options, in increasing order of correctness:
- Shrink the loop (e.g. 45×20s ≈ 15 min) — trivial.
- Make the gate event-driven: a workflow_run-triggered required check on CodeQL completion — zero polling, zero held slots.
Refs #820.
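
A sketch of the event-driven option, added here as an example and not taken from this repository's workflows. It assumes the CodeQL workflow's `name:` is `CodeQL`, that the required check is a commit status with the context `security/codeql-gate`, and a hypothetical workflow file of its own on the default branch:

```yaml
# Added example. Values marked "assumed" do not come from the issue.
name: codeql-gate
on:
  workflow_run:
    workflows: ["CodeQL"]        # assumed: `name:` of the CodeQL workflow
    types: [completed]

permissions:
  statuses: write                # the only scope this job needs

jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      # workflow_run jobs run from the default branch with a write-capable
      # token, so this job never checks out or executes PR code.
      - name: Publish gate status on the analyzed commit
        env:
          # Event fields are passed through env, not interpolated into the
          # script body, so their contents are never parsed as shell.
          GH_TOKEN: ${{ github.token }}
          REPO: ${{ github.repository }}
          SHA: ${{ github.event.workflow_run.head_sha }}
          CONCLUSION: ${{ github.event.workflow_run.conclusion }}
          RUN_URL: ${{ github.event.workflow_run.html_url }}
        run: |
          # Fail closed: only an explicit success turns the gate green.
          case "$CONCLUSION" in
            success)                 state=success ;;
            cancelled|skipped|stale) state=error ;;
            *)                       state=failure ;;
          esac
          gh api "repos/$REPO/statuses/$SHA" \
            -f state="$state" \
            -f context="security/codeql-gate" \
            -f description="CodeQL run concluded: $CONCLUSION" \
            -f target_url="$RUN_URL"
```

Until this job reports, the required context simply stays pending on the PR, and the only runner time used is the few seconds of the status call after CodeQL has already finished.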