From 57f5bbcec3556761d25cd95e6648a4e4d87d2f29 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Fri, 19 Jun 2026 09:22:01 +0000
Subject: [PATCH 1/5] ci: cut Actions burn in
 .github/workflows/guix-nix-policy.yml (scope push + concurrency-cancel)

---
 .github/workflows/guix-nix-policy.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml
index 5812c24..278326e 100644
--- a/.github/workflows/guix-nix-policy.yml
+++ b/.github/workflows/guix-nix-policy.yml
@@ -1,6 +1,15 @@
 # SPDX-License-Identifier: MPL-2.0
 name: Guix/Nix Package Policy
-on: [push, pull_request]
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+
+# Estate guardrail: scope push to default branches (PR fires once, not
+# push+PR) and cancel superseded runs. Safe — read-only PR check.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 permissions:
   contents: read

From 3c26aecf9313fde0915d468537ca0145ac4790e3 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Fri, 19 Jun 2026 09:22:02 +0000
Subject: [PATCH 2/5] ci: cut Actions burn in
 .github/workflows/npm-bun-blocker.yml (scope push + concurrency-cancel)

---
 .github/workflows/npm-bun-blocker.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/npm-bun-blocker.yml b/.github/workflows/npm-bun-blocker.yml
index d442599..446ca68 100644
--- a/.github/workflows/npm-bun-blocker.yml
+++ b/.github/workflows/npm-bun-blocker.yml
@@ -1,6 +1,15 @@
 # SPDX-License-Identifier: MPL-2.0
 name: NPM/Bun Blocker
-on: [push, pull_request]
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+
+# Estate guardrail: scope push to default branches (PR fires once, not
+# push+PR) and cancel superseded runs. Safe — read-only PR check.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 permissions:
   contents: read

From 724610a9e8698c89a4a370554da229c6a005c1a3 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Fri, 19 Jun 2026 09:22:03 +0000
Subject: [PATCH 3/5] ci: cut Actions burn in .github/workflows/quality.yml
 (scope push + concurrency-cancel)

---
 .github/workflows/quality.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
index a3b2a7a..0357198 100644
--- a/.github/workflows/quality.yml
+++ b/.github/workflows/quality.yml
@@ -1,6 +1,15 @@
 # SPDX-License-Identifier: MPL-2.0
 name: Code Quality
-on: [push, pull_request]
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+
+# Estate guardrail: scope push to default branches (PR fires once, not
+# push+PR) and cancel superseded runs. Safe — read-only PR check.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 
 permissions:

From 2b745a8b0e8ad2919d52a2f0ad9c2f906a645157 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Fri, 19 Jun 2026 09:22:04 +0000
Subject: [PATCH 4/5] ci: cut Actions burn in
 .github/workflows/security-policy.yml (scope push + concurrency-cancel)

---
 .github/workflows/security-policy.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml
index 1ae27fd..0b4a84f 100644
--- a/.github/workflows/security-policy.yml
+++ b/.github/workflows/security-policy.yml
@@ -1,6 +1,15 @@
 # SPDX-License-Identifier: MPL-2.0
 name: Security Policy
-on: [push, pull_request]
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+
+# Estate guardrail: scope push to default branches (PR fires once, not
+# push+PR) and cancel superseded runs. Safe — read-only PR check.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 permissions:
   contents: read

From f5501ca4eaa7d0bb5b00394ef414c5a6ce617fd4 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Fri, 19 Jun 2026 09:22:05 +0000
Subject: [PATCH 5/5] ci: cut Actions burn in .github/workflows/ts-blocker.yml
 (scope push + concurrency-cancel)

---
 .github/workflows/ts-blocker.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ts-blocker.yml b/.github/workflows/ts-blocker.yml
index a363f48..7d86ee4 100644
--- a/.github/workflows/ts-blocker.yml
+++ b/.github/workflows/ts-blocker.yml
@@ -1,6 +1,15 @@
 # SPDX-License-Identifier: MPL-2.0
 name: TypeScript/JavaScript Blocker
-on: [push, pull_request]
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+
+# Estate guardrail: scope push to default branches (PR fires once, not
+# push+PR) and cancel superseded runs. Safe — read-only PR check.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 permissions:
   contents: read