6 changed files with 76 additions and 0 deletions
@@ -27,6 +27,16 @@ on:
  push:
    branches: [main, staging]

+# Auto-cancel superseded runs — runner-queue retrigger-storm root fix.
+# Per-PR-number / per-ref scoped (NOT global, NOT per-SHA) so superseded
+# runs cancel without touching sibling PRs or sibling workflows. Safe to
+# cancel-in-progress: not an auto-promote-staging gate input and not a
+# branch-protection required context. Full rationale + memory citation
+# (feedback_concurrency_group_per_sha) in secret-scan.yml.
+concurrency:
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 env:
  GITHUB_SERVER_URL: https://git.moleculesai.app

@@ -36,6 +36,15 @@ on:
      - .gitea/workflows/publish-runtime.yml
      - scripts/check-cascade-list-vs-manifest.sh

+# Auto-cancel superseded runs — runner-queue retrigger-storm root fix.
+# pull_request-only + per-PR-number / per-ref scoped (NOT global, NOT
+# per-SHA). Safe to cancel-in-progress: not an auto-promote-staging gate
+# input and not a branch-protection required context. Full rationale
+# + memory citation (feedback_concurrency_group_per_sha) in secret-scan.yml.
+concurrency:
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 env:
  GITHUB_SERVER_URL: https://git.moleculesai.app

@@ -30,6 +30,15 @@ on:
      - 'scripts/ops/check_migration_collisions.py'
      - '.gitea/workflows/check-migration-collisions.yml'

+# Auto-cancel superseded runs — runner-queue retrigger-storm root fix.
+# pull_request-only + per-PR-number / per-ref scoped (NOT global, NOT
+# per-SHA). Safe to cancel-in-progress: not an auto-promote-staging gate
+# input and not a branch-protection required context. Full rationale
+# + memory citation (feedback_concurrency_group_per_sha) in secret-scan.yml.
+concurrency:
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 env:
  GITHUB_SERVER_URL: https://git.moleculesai.app

@@ -41,6 +41,17 @@ on:
      - '.gitea/scripts/lint-curl-status-capture.py'
      - 'tests/test_lint_curl_status_capture.py'

+# Auto-cancel superseded runs — runner-queue retrigger-storm root fix.
+# Per-PR-number / per-ref scoped (NOT global, NOT per-SHA) so superseded
+# runs cancel without touching sibling PRs or sibling workflows. Safe to
+# cancel-in-progress: path-filtered but NOT an auto-promote-staging gate
+# input and NOT a branch-protection required context (per-ref scoping
+# keeps staging/main pushes in distinct groups regardless). Full rationale
+# + memory citation (feedback_concurrency_group_per_sha) in secret-scan.yml.
+concurrency:
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 env:
  GITHUB_SERVER_URL: https://git.moleculesai.app

@@ -43,6 +43,16 @@ on:
      - '.gitea/scripts/lint-workflow-yaml.py'
      - 'tests/test_lint_workflow_yaml.py'

+# Auto-cancel superseded runs — runner-queue retrigger-storm root fix.
+# Per-PR-number / per-ref scoped (NOT global, NOT per-SHA) so superseded
+# runs cancel without touching sibling PRs or sibling workflows. Safe to
+# cancel-in-progress: path-filtered but NOT an auto-promote-staging gate
+# input and NOT a branch-protection required context. Full rationale
+# + memory citation (feedback_concurrency_group_per_sha) in secret-scan.yml.
+concurrency:
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 # Belt-and-suspenders against runner default
 # (feedback_act_runner_github_server_url).
 env:
@@ -26,6 +26,33 @@ on:
  push:
    branches: [main, staging]

+# Auto-cancel superseded runs (runner-queue retrigger-storm root fix).
+# A PR-fight push / empty-commit rerun (the only 1.22.6 rerun mechanism)
+# otherwise spawns a fresh run that never cancels, piling thousands of
+# dead-SHA jobs on the act_runner queue (2026-05-15 storm: molecule-core
+# was 95% of a 1290-job queue; this workflow had no concurrency block).
+#
+# Grouping key rationale (per saved memory feedback_concurrency_group_per_sha):
+#   - per-PR-number / per-ref scoped, NOT global: PR#A's runs never cancel
+#     PR#B's runs, and a staging push never collides with a main push
+#     (github.ref differs). NOT too broad.
+#   - includes github.workflow: this workflow superseding itself does not
+#     cancel an unrelated sibling workflow's run.
+#   - NOT per-SHA: a per-SHA group makes every commit its own group so
+#     nothing ever cancels — that defeats the storm fix entirely.
+#   - cancel-in-progress: true is SAFE here: secret-scan is NOT an
+#     auto-promote-staging gate input (gate-check-v3 / e2e-* are; this is
+#     not), and it is NOT a branch-protection required context — molecule-core
+#     protection requires only `CI / all-required` + `sop-checklist /
+#     all-items-acked`, both of which already carry correct per-ref
+#     cancel-in-progress concurrency. Branch protection evaluates the
+#     LATEST commit SHA, whose run always completes (only superseded
+#     older-SHA runs are cancelled), so the gate still resolves terminally.
+# Same group expression already used by sop-checklist.yml / sop-tier-check.yml.
+concurrency:
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
  scan:
    name: Scan diff for credential-shaped strings