From d9b58dbfffaf08271db998c80c49f6f7b244b7c8 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Fri, 19 Jun 2026 09:21:20 +0000
Subject: [PATCH 1/4] ci: cut Actions burn in .github/workflows/container-policy.yml (scope push + concurrency-cancel)
---
 .github/workflows/container-policy.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/container-policy.yml b/.github/workflows/container-policy.yml
index 28207e3..582dba9 100644
--- a/.github/workflows/container-policy.yml
+++ b/.github/workflows/container-policy.yml
@@ -1,6 +1,15 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 name: Container Policy
-on: [push, pull_request]
+on:
+ push:
+ branches: [main, master]
+ pull_request:
+
+# Estate guardrail: scope push to default branches (PR fires once, not
+# push+PR) and cancel superseded runs. Safe — read-only PR check.
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
 permissions: read-all
From 9a34648301ed48bde58cccbbf1f4c9683384875d Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Fri, 19 Jun 2026 09:21:21 +0000
Subject: [PATCH 2/4] ci: cut Actions burn in .github/workflows/guix-nix-policy.yml (scope push + concurrency-cancel)
---
 .github/workflows/guix-nix-policy.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml
index 3a27f56..3f7b334 100644
--- a/.github/workflows/guix-nix-policy.yml
+++ b/.github/workflows/guix-nix-policy.yml
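Review bot: `cancel-in-progress: true` in the new `concurrency` block also applies to `push` runs on `main`/`master`, not only to pull requests, so the comment's "Safe — read-only PR check" covers only part of the triggers. When two pushes land on a default branch close together, the run for the earlier commit is cancelled and that commit never gets a completed policy result, which leaves a gap in the record for a gating check. Limiting cancellation to PR runs keeps most of the savings: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The same block is added unchanged in guix-nix-policy.yml, quality.yml and security-policy.yml (patches 2–4), and it matters most for the Security Policy workflow.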
@@ -1,6 +1,15 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 name: Guix/Nix Package Policy
-on: [push, pull_request]
+on:
+ push:
+ branches: [main, master]
+ pull_request:
+
+# Estate guardrail: scope push to default branches (PR fires once, not
+# push+PR) and cancel superseded runs. Safe — read-only PR check.
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
 permissions: read-all
From 4562db9fa569dcf92c48f12446558fac1a37b296 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Fri, 19 Jun 2026 09:21:22 +0000
Subject: [PATCH 3/4] ci: cut Actions burn in .github/workflows/quality.yml (scope push + concurrency-cancel)
---
 .github/workflows/quality.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
index 68972c5..4898668 100644
--- a/.github/workflows/quality.yml
+++ b/.github/workflows/quality.yml
@@ -1,6 +1,15 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 name: Code Quality
-on: [push, pull_request]
+on:
+ push:
+ branches: [main, master]
+ pull_request:
+
+# Estate guardrail: scope push to default branches (PR fires once, not
+# push+PR) and cancel superseded runs. Safe — read-only PR check.
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
 permissions: read-all
From 181e58578637115d65fdd254025e5ede20331628 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Fri, 19 Jun 2026 09:21:23 +0000
Subject: [PATCH 4/4] ci: cut Actions burn in .github/workflows/security-policy.yml (scope push + concurrency-cancel)
---
 .github/workflows/security-policy.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml
index be11d4b..2e0044b 100644
--- a/.github/workflows/security-policy.yml
+++ b/.github/workflows/security-policy.yml
@@ -1,6 +1,15 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 name: Security Policy
-on: [push, pull_request]
+on:
+ push:
+ branches: [main, master]
+ pull_request:
+
+# Estate guardrail: scope push to default branches (PR fires once, not
+# push+PR) and cancel superseded runs. Safe — read-only PR check.
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
 permissions: read-all
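Review bot: With `branches: [main, master]` on the `push` trigger, a direct push to any other branch no longer runs the Security Policy workflow, so coverage now depends on every change reaching a default branch through a pull request. If the repository keeps long-lived branches outside `main`/`master` (release or maintenance branches, for example), list them here as well, or confirm that branch protection requires a PR with this check passing. The comment could state the trade-off, e.g. `# Pushes to non-default branches are only checked once a PR is opened.` The same scoping is applied in patches 1–3; the jobs themselves are outside this hunk, so how much this matters depends on what they enforce.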