diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 848459b..30ba57d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,9 +3,20 @@ on:
   pull_request:
     branches:
       - main
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
   push:
     branches:
       - main
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
+
+# PRs share a concurrency group (cancel/serialize); Pushes use unique groups to avoid cancellation/queuing
+concurrency:
+  group: ${{ github.workflow }}-${{ (github.event_name == 'pull_request' && github.ref) || github.run_id }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 permissions:
   contents: read
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 68df131..8a53afd 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -14,8 +14,19 @@ name: "CodeQL"
 on:
   push:
     branches: ["main"]
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
   pull_request:
     branches: ["main"]
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
+
+# PRs share a concurrency group (cancel/serialize); Pushes use unique groups to avoid cancellation/queuing
+concurrency:
+  group: ${{ github.workflow }}-${{ (github.event_name == 'pull_request' && github.ref) || github.run_id }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 permissions:
   contents: read
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index e7fdda3..71ed1ee 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -3,6 +3,15 @@ on:
   pull_request:
     branches:
       - main
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
+
+# PRs share a concurrency group (cancel/serialize); Pushes use unique groups to avoid cancellation/queuing
+concurrency:
+  group: ${{ github.workflow }}-${{ (github.event_name == 'pull_request' && github.ref) || github.run_id }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 permissions:
   contents: read
   pull-requests: read
diff --git a/.github/workflows/pmg-e2e.yml b/.github/workflows/pmg-e2e.yml
index 1ae3624..624ed1f 100644
--- a/.github/workflows/pmg-e2e.yml
+++ b/.github/workflows/pmg-e2e.yml
@@ -4,11 +4,22 @@ on:
   pull_request:
     branches:
       - main
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
   push:
     branches:
       - main
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
   workflow_dispatch:
 
+# PRs share a concurrency group (cancel/serialize); Pushes use unique groups to avoid cancellation/queuing
+concurrency:
+  group: ${{ github.workflow }}-${{ (github.event_name == 'pull_request' && github.ref) || github.run_id }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 04182a9..3306fdd 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -10,9 +10,17 @@ on:
   # To guarantee Maintained check is occasionally updated. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
-    - cron: '35 22 * * 0'
+    - cron: "35 22 * * 0"
   push:
-    branches: [ "main" ]
+    branches: ["main"]
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
+
+# PRs share a concurrency group (cancel/serialize); Pushes use unique groups to avoid cancellation/queuing
+concurrency:
+  group: ${{ github.workflow }}-${{ (github.event_name == 'pull_request' && github.ref) || github.run_id }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 # Declare default permissions as read only.
 permissions: read-all
diff --git a/.github/workflows/secret_scan.yml b/.github/workflows/secret_scan.yml
index 09fb5f5..9380b80 100644
--- a/.github/workflows/secret_scan.yml
+++ b/.github/workflows/secret_scan.yml
@@ -4,6 +4,11 @@ on:
     branches:
       - main
 
+# PRs share a concurrency group (cancel/serialize); Pushes use unique groups to avoid cancellation/queuing
+concurrency:
+  group: ${{ github.workflow }}-${{ (github.event_name == 'pull_request' && github.ref) || github.run_id }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/vet-ci.yml b/.github/workflows/vet-ci.yml
index 37e9eff..2324e20 100644
--- a/.github/workflows/vet-ci.yml
+++ b/.github/workflows/vet-ci.yml
@@ -2,9 +2,20 @@ name: vet OSS Components
 
 on:
   pull_request:
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
   push:
     branches:
       - main
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
+
+# PRs share a concurrency group (cancel/serialize); Pushes use unique groups to avoid cancellation/queuing
+concurrency:
+  group: ${{ github.workflow }}-${{ (github.event_name == 'pull_request' && github.ref) || github.run_id }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 permissions:
   contents: read