From 50284fad2ac6554263d6aff753766af9716d8289 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Mon, 18 May 2026 10:09:35 +0100 Subject: [PATCH] harden(ci): estate-wide concurrency-cancel guard + scope affinescript-verify push MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Root-cause fix for the shared account-wide Actions concurrency-pool exhaustion (public repos => free unlimited minutes; the constraint is concurrent-job slots, not spend). Canonical templates here propagate estate-wide via the template/sweep tooling. - Add concurrency{group, cancel-in-progress:true} to 10 read-only check templates that lacked it: scorecard, scorecard-enforcer, governance, codeql, language-policy, makefile-blocker, secret-scanner, doc-format, echidna-verify, affinescript-verify. Read-only (no publish/mutation), so cancelling a superseded run is always safe. - affinescript-verify.yml: scope push from all-branches ([push]) to [main, master]; pull_request still covers feature branches. This was the estate-wide twin of the agda.yml '**'-push storm (full verify on every WIP push in every AffineScript consumer repo). Zero coverage lost. - Left untouched: mirror / instant-sync / boj-build (publish/sync/build — mid-cancel unsafe); hypatia-scan / casket-pages (already guarded). Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/affinescript-verify.yml | 18 +++++++++++++++++- .github/workflows/codeql.yml | 8 ++++++++ .github/workflows/doc-format.yml | 8 ++++++++ .github/workflows/echidna-verify.yml | 8 ++++++++ .github/workflows/governance.yml | 8 ++++++++ .github/workflows/language-policy.yml | 8 ++++++++ .github/workflows/makefile-blocker.yml | 8 ++++++++ .github/workflows/scorecard-enforcer.yml | 8 ++++++++ .github/workflows/scorecard.yml | 8 ++++++++ .github/workflows/secret-scanner.yml | 10 +++++++++- 10 files changed, 90 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/affinescript-verify.yml b/.github/workflows/affinescript-verify.yml
index 9b186f88..800f88e2 100644
--- a/.github/workflows/affinescript-verify.yml
+++ b/.github/workflows/affinescript-verify.yml
@@ -1,6 +1,22 @@
 # SPDX-License-Identifier: PMPL-1.0-or-later
 name: AffineScript Verify
-on: [push, pull_request]
+# Direct pushes only on integration branches. Feature-branch validation
+# is fully covered by pull_request — running a full AffineScript verify
+# on every WIP push to every branch in every consumer repo was a dominant
+# estate-wide drain on the shared Actions concurrency pool. No coverage
+# is lost: PRs and post-merge main/master still verify.
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 permissions:
   contents: read
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 300f8ad7..9e32d156 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -9,6 +9,14 @@ on:
   schedule:
     - cron: '0 6 * * 1'
 
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/doc-format.yml b/.github/workflows/doc-format.yml
index 89fe3079..d9ba93b8 100644
--- a/.github/workflows/doc-format.yml
+++ b/.github/workflows/doc-format.yml
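Review bot: The new header comment's "No coverage is lost: PRs and post-merge main/master still verify" overstates the new trigger set in the affinescript-verify.yml hunk: `pull_request` only fires for branches that have an open PR, so a feature branch pushed without one is no longer verified at all until a PR is opened, whereas the removed `[push, pull_request]` caught it on every push. That trade is reasonable for the stated goal, but the comment should state it rather than claim zero loss, e.g. `# Feature branches are verified through pull_request once a PR is open; pushes to branches with no open PR are intentionally not verified.` The commit message's "Zero coverage lost" line carries the same implicit assumption.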
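Review bot: In the codeql.yml hunk the group `${{ github.workflow }}-${{ github.ref }}` puts the weekly `schedule` run, any `workflow_dispatch` run and any push to the default branch into one group, because `github.ref` resolves to the default branch for all three; with `cancel-in-progress: true`, a manual dispatch cancels an in-flight cron scan, and a default-branch push (if this workflow also runs on push, which is outside the hunk) cancels it too, so the one full scan a quiet repository gets each week can be cut short. PR runs are unaffected since their ref is the per-PR merge ref, which is where the intended de-duplication applies. If the scheduled scan must always complete, keep the event in the key, `group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}`, or restrict cancellation to PRs with `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The identical stanzas in echidna-verify.yml, governance.yml, scorecard-enforcer.yml and scorecard.yml, whose hunks also show `schedule` or `workflow_dispatch` triggers, have the same issue.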
@@ -7,6 +7,14 @@ on:
   pull_request:
     branches: [main, master]
 
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/echidna-verify.yml b/.github/workflows/echidna-verify.yml
index ed4de5b4..9c9140b5 100644
--- a/.github/workflows/echidna-verify.yml
+++ b/.github/workflows/echidna-verify.yml
@@ -29,6 +29,14 @@ on:
     - cron: '0 6 * * 1'
   workflow_dispatch:
 
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/governance.yml b/.github/workflows/governance.yml
index 76bd1a0e..4bb50e9a 100644
--- a/.github/workflows/governance.yml
+++ b/.github/workflows/governance.yml
@@ -18,6 +18,14 @@ on:
   pull_request:
   workflow_dispatch:
 
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/language-policy.yml b/.github/workflows/language-policy.yml
index cf8356bf..de162ca4 100644
--- a/.github/workflows/language-policy.yml
+++ b/.github/workflows/language-policy.yml
@@ -7,6 +7,14 @@ on:
   pull_request:
     branches: [main, master]
 
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/makefile-blocker.yml b/.github/workflows/makefile-blocker.yml
index 387cfdcc..4763e6b1 100644
--- a/.github/workflows/makefile-blocker.yml
+++ b/.github/workflows/makefile-blocker.yml
@@ -13,6 +13,14 @@ on:
       - '**/Makefile.*'
       - '**/*.mk'
 
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml
index e686bf7d..04206c0f 100644
--- a/.github/workflows/scorecard-enforcer.yml
+++ b/.github/workflows/scorecard-enforcer.yml
@@ -9,6 +9,14 @@ on:
     - cron: '0 6 * * 1' # Weekly on Monday
   workflow_dispatch:
 
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 1048def8..29853b20 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -7,6 +7,14 @@ on:
     - cron: '0 4 * * *'
   workflow_dispatch:
 
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml
index 15b442fb..8801d536 100644
--- a/.github/workflows/secret-scanner.yml
+++ b/.github/workflows/secret-scanner.yml
@@ -7,6 +7,14 @@ on:
   push:
     branches: [main]
 
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
@@ -70,4 +78,4 @@ jobs:
           if [ $found -eq 1 ]; then
             echo "::error::Potential hardcoded secrets detected. Use environment variables instead."
             exit 1
-          fi
\ No newline at end of file
+          fi
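Review bot: In the first secret-scanner.yml hunk, consecutive pushes to `main` share the group `${{ github.workflow }}-refs/heads/main`, so a quick second push cancels the scan of the first; whether that loses coverage depends on what the job scans, which is outside this hunk. A full-tree scan of the new HEAD covers both pushes, but a scan scoped to the files or commits of the triggering push would skip the first push's changes entirely, and a secret that landed there would not be reported. If the scan is push-scoped, limit cancellation to PR updates, `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`, and let main-branch runs queue; if it is a full-tree scan, a comment saying so next to the stanza would justify the "always safe" claim.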