From ae307cd6a904c881227924eac174daf87518e513 Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Fri, 19 Jun 2026 09:20:37 +0000 Subject: [PATCH 1/4] ci: cut Actions burn in .github/workflows/guix-nix-policy.yml (scope push + concurrency-cancel) --- .github/workflows/guix-nix-policy.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml index a4c6b42..1cc2535 100644 --- a/.github/workflows/guix-nix-policy.yml +++ b/.github/workflows/guix-nix-policy.yml @@ -1,6 +1,15 @@ # SPDX-License-Identifier: MPL-2.0 name: Guix/Nix Package Policy -on: [push, pull_request] +on: + push: + branches: [main, master] + pull_request: + +# Estate guardrail: scope push to default branches (PR fires once, not +# push+PR) and cancel superseded runs. Safe — read-only PR check. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions: contents: read jobs: From 501b8226c5dbba69a17aedf31518fe1fb65a68e6 Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Fri, 19 Jun 2026 09:20:38 +0000 Subject: [PATCH 2/4] ci: cut Actions burn in .github/workflows/npm-bun-blocker.yml (scope push + concurrency-cancel) --- .github/workflows/npm-bun-blocker.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/npm-bun-blocker.yml b/.github/workflows/npm-bun-blocker.yml index c455836..4286b60 100644 --- a/.github/workflows/npm-bun-blocker.yml +++ b/.github/workflows/npm-bun-blocker.yml @@ -1,6 +1,15 @@ # SPDX-License-Identifier: MPL-2.0 name: NPM/Bun Blocker -on: [push, pull_request] +on: + push: + branches: [main, master] + pull_request: + +# Estate guardrail: scope push to default branches (PR fires once, not +# push+PR) and cancel superseded runs. Safe — read-only PR check. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions: contents: read jobs: From da1513811024087c26bea27c6cc14f4fb9f0df09 Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Fri, 19 Jun 2026 09:20:40 +0000 Subject: [PATCH 3/4] ci: cut Actions burn in .github/workflows/security-policy.yml (scope push + concurrency-cancel) --- .github/workflows/security-policy.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml index 67d88ef..fc4daaa 100644 --- a/.github/workflows/security-policy.yml +++ b/.github/workflows/security-policy.yml @@ -1,6 +1,15 @@ # SPDX-License-Identifier: MPL-2.0 name: Security Policy -on: [push, pull_request] +on: + push: + branches: [main, master] + pull_request: + +# Estate guardrail: scope push to default branches (PR fires once, not +# push+PR) and cancel superseded runs. Safe — read-only PR check. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions: contents: read jobs: From 4f3261b2948bc6a86135d7408e3c10112bcd6383 Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Fri, 19 Jun 2026 09:20:41 +0000 Subject: [PATCH 4/4] ci: cut Actions burn in .github/workflows/ts-blocker.yml (scope push + concurrency-cancel) --- .github/workflows/ts-blocker.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ts-blocker.yml b/.github/workflows/ts-blocker.yml index b5279d8..5808823 100644 --- a/.github/workflows/ts-blocker.yml +++ b/.github/workflows/ts-blocker.yml @@ -1,6 +1,15 @@ # SPDX-License-Identifier: MPL-2.0 name: TypeScript/JavaScript Blocker -on: [push, pull_request] +on: + push: + branches: [main, master] + pull_request: + +# Estate guardrail: scope push to default branches (PR fires once, not +# push+PR) and cancel superseded runs. Safe — read-only PR check. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions: contents: read jobs: