diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
index ae7846e..eb91542 100644
--- a/.github/workflows/benchmarks.yml
+++ b/.github/workflows/benchmarks.yml
@@ -1,5 +1,10 @@
 name: Benchmarks
 
+# Cancel superseded PR runs; protect main + scheduled runs.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 on:
   push:
     branches: [main]
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e4a20ad..05f82d9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,11 @@
 name: CI
 
+# Cancel superseded PR runs; protect main + scheduled runs.
+# `head_ref || ref` keys per-PR-source-branch on PRs, falls back to ref on push.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 on:
   push:
     branches: [main]
diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml
index 2e521cd..0f1c547 100644
--- a/.github/workflows/compliance.yml
+++ b/.github/workflows/compliance.yml
@@ -1,5 +1,12 @@
 name: Compliance Report
 
+# Compliance variant: produces compliance reports / signed artifacts. Group
+# for serialization but never cancel — partially-completed compliance runs
+# leave registries / attestations in inconsistent state.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release-npm.yml
index 8813fd9..adc0754 100644
--- a/.github/workflows/release-npm.yml
+++ b/.github/workflows/release-npm.yml
@@ -9,6 +9,13 @@ name: Release NPM
 # Platform packages MUST be published before the root package so npm can
 # resolve optionalDependencies on the first install after tag.
 
+# Release variant: serialize per-release, never cancel. A cancelled npm
+# publish run can leave platform packages published but root package
+# missing — first-install resolution would fail until manual cleanup.
+concurrency:
+  group: release-npm-${{ github.event.release.tag_name || github.event.inputs.version || github.ref }}
+  cancel-in-progress: false
+
 on:
   release:
     types: [published]
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 770f466..fa70102 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,12 @@
 name: Release
 
+# Release variant: serialize per-tag, never cancel. A cancelled release
+# mid-publish leaves the GitHub Release page, registries, and per-target
+# binary archives in inconsistent state.
+concurrency:
+  group: release-${{ github.ref }}
+  cancel-in-progress: false
+
 on:
   push:
     tags: