diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6dcb525a..d5d2eb7b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,12 +6,7 @@ on:
   pull_request:
     branches: [main, staging]
 
-# Cancel in-progress CI runs when a new commit arrives on the same ref.
-# This prevents multiple stale runs from queuing behind each other and
-# monopolising the self-hosted macOS arm64 runner.
-concurrency:
-  group: ci-${{ github.ref }}
-  cancel-in-progress: true
+e4a62e1 (ci: add workflow-level concurrency to ci.yml and codeql.yml)
 
 jobs:
   # Detect which paths changed so downstream jobs can skip when only
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 02989b4d..a57f1d86 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -23,6 +23,13 @@ on:
     # Weekly run picks up findings in code that hasn't been touched.
     - cron: '30 1 * * 0'
 
+# Workflow-level concurrency: only one CodeQL run per branch/PR at a time.
+# `cancel-in-progress: false` queues new runs — the 45-min analysis is the
+# longest CI occupant and fights the single mac mini runner the hardest.
+concurrency:
+  group: codeql-${{ github.ref }}
+  cancel-in-progress: false
+
 permissions:
   actions: read
   contents: read