diff --git a/.github/workflows/PrepareNextIteration.yml b/.github/workflows/PrepareNextIteration.yml
index 34a8a54f8a..74a1c6070a 100644
--- a/.github/workflows/PrepareNextIteration.yml
+++ b/.github/workflows/PrepareNextIteration.yml
@@ -11,6 +11,7 @@ jobs:
 Next-Iteration-Job:
 name: Next Iteration Job
 runs-on: github-ubuntu-latest-s
+ timeout-minutes: 15
 permissions:
 pull-requests: write
 contents: write
diff --git a/.github/workflows/PullRequestClosed.yml b/.github/workflows/PullRequestClosed.yml
index a020047260..52f62836d3 100644
--- a/.github/workflows/PullRequestClosed.yml
+++ b/.github/workflows/PullRequestClosed.yml
@@ -4,10 +4,15 @@ on:
 pull_request:
 types: [closed]
 
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
 jobs:
 PullRequestMerged_job:
 name: Pull Request Merged
 runs-on: github-ubuntu-latest-s
+ timeout-minutes: 15
 permissions:
 id-token: write
 pull-requests: read
diff --git a/.github/workflows/PullRequestCreated.yml b/.github/workflows/PullRequestCreated.yml
index 32fbe0c566..474f3a7a2c 100644
--- a/.github/workflows/PullRequestCreated.yml
+++ b/.github/workflows/PullRequestCreated.yml
@@ -4,10 +4,15 @@ on:
 pull_request:
 types: ["opened"]
 
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
 jobs:
 PullRequestCreated_job:
 name: Pull Request Created
 runs-on: github-ubuntu-latest-s
+ timeout-minutes: 15
 permissions:
 id-token: write
 # For external PR, ticket should be created manually
diff --git a/.github/workflows/ReleasabilityCheck.yml b/.github/workflows/ReleasabilityCheck.yml
index a910e4d9db..0376d7616e 100644
--- a/.github/workflows/ReleasabilityCheck.yml
+++ b/.github/workflows/ReleasabilityCheck.yml
@@ -15,6 +15,7 @@ jobs:
 releasability-status:
 name: Releasability status
 runs-on: github-ubuntu-latest-s
+ timeout-minutes: 30
 permissions:
 id-token: write
 statuses: write
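Review bot: In PullRequestClosed.yml the new `concurrency` block sets `cancel-in-progress: true`, so a second `closed` event for the same pull request (close, reopen, close) aborts a run that may already be partway through its steps. The job's steps are outside the hunk, but it holds `id-token: write`, which suggests it updates an external system, and a cancelled run can leave that update half-applied. The same block is added to RequestReview.yml and pr-cleanup.yml; GitHub typically delivers one `review_requested` event per requested reviewer, so requesting several reviewers at once would cancel all but the last run. If every event has to be processed, use `cancel-in-progress: false` or leave the `concurrency` block off these event-handling workflows. The `|| github.ref` fallback is never reached on a `pull_request`-only trigger and could be dropped.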
diff --git a/.github/workflows/RequestReview.yml b/.github/workflows/RequestReview.yml
index eb1425d408..42ce2fa812 100644
--- a/.github/workflows/RequestReview.yml
+++ b/.github/workflows/RequestReview.yml
@@ -4,10 +4,15 @@ on:
 pull_request:
 types: ["review_requested"]
 
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
 jobs:
 RequestReview_job:
 name: Request review
 runs-on: github-ubuntu-latest-s
+ timeout-minutes: 15
 permissions:
 id-token: write
 # For external PR, ticket should be moved manually
diff --git a/.github/workflows/SubmitReview.yml b/.github/workflows/SubmitReview.yml
index d5b18a7edb..5be399bd11 100644
--- a/.github/workflows/SubmitReview.yml
+++ b/.github/workflows/SubmitReview.yml
@@ -8,6 +8,7 @@ jobs:
 SubmitReview_job:
 name: Submit Review
 runs-on: github-ubuntu-latest-s
+ timeout-minutes: 15
 permissions:
 id-token: write
 pull-requests: read
diff --git a/.github/workflows/ToggleLockBranch.yml b/.github/workflows/ToggleLockBranch.yml
index 6da9ebb9a5..21e2647965 100644
--- a/.github/workflows/ToggleLockBranch.yml
+++ b/.github/workflows/ToggleLockBranch.yml
@@ -7,6 +7,7 @@ jobs:
 ToggleLockBranch_job:
 name: Toggle lock branch
 runs-on: github-ubuntu-latest-s
+ timeout-minutes: 15
 permissions:
 id-token: write
 steps:
diff --git a/.github/workflows/UpdateRuleMetadata.yml b/.github/workflows/UpdateRuleMetadata.yml
index 886199d861..2e083a35d1 100644
--- a/.github/workflows/UpdateRuleMetadata.yml
+++ b/.github/workflows/UpdateRuleMetadata.yml
@@ -5,6 +5,7 @@ on: workflow_dispatch
 jobs:
 rule-metadata-update:
 runs-on: github-ubuntu-latest-s
+ timeout-minutes: 15
 permissions:
 id-token: write
 contents: write
diff --git a/.github/workflows/automated-release.yml b/.github/workflows/automated-release.yml
index 37e50ff333..9e27a8e17c 100644
--- a/.github/workflows/automated-release.yml
+++ b/.github/workflows/automated-release.yml
@@ -43,6 +43,7 @@ on:
 jobs:
 release:
 name: Release
+ timeout-minutes: 60
 uses: SonarSource/release-github-actions/.github/workflows/automated-release.yml@v1
 permissions:
 statuses: read
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 45a9563455..9ea8b13a28 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,6 +22,7 @@ jobs:
 build:
 runs-on: github-ubuntu-latest-m # Public repo uses custom GitHub-hosted runner
 name: Build
+ timeout-minutes: 60
 permissions:
 id-token: write # Required for Vault OIDC authentication
 contents: write # Required for repository access and tagging
@@ -64,6 +65,7 @@ jobs:
 - build
 if: ${{ needs.build.outputs.deployed }}
 runs-on: ${{ matrix.item.runner }}
+ timeout-minutes: 60
 permissions:
 id-token: write
 contents: write
@@ -121,6 +123,7 @@ jobs:
 - build
 if: ${{ needs.build.outputs.deployed }}
 runs-on: github-ubuntu-latest-m
+ timeout-minutes: 60
 permissions:
 id-token: write
 contents: write
@@ -160,6 +163,7 @@ jobs:
 - build
 if: ${{ needs.build.outputs.deployed }}
 runs-on: github-ubuntu-latest-m
+ timeout-minutes: 60
 permissions:
 id-token: write
 contents: write
@@ -202,6 +206,7 @@ jobs:
 - build
 if: ${{ needs.build.outputs.deployed }}
 runs-on: github-ubuntu-latest-l
+ timeout-minutes: 60
 permissions:
 id-token: write
 contents: write
@@ -237,6 +242,7 @@ jobs:
 - build
 if: ${{ needs.build.outputs.deployed }}
 runs-on: github-ubuntu-latest-m
+ timeout-minutes: 60
 permissions:
 id-token: write
 contents: write
@@ -284,6 +290,7 @@ jobs:
 - build
 if: ${{ needs.build.outputs.deployed }}
 runs-on: github-ubuntu-latest-m
+ timeout-minutes: 60
 permissions:
 id-token: write
 contents: write
@@ -344,6 +351,7 @@ jobs:
 name: Build and Unit Test on Windows
 # No dependency on build step, because we do not need the build number.
 runs-on: github-windows-latest-m
+ timeout-minutes: 60
 permissions:
 id-token: write # Required for Vault OIDC authentication
 contents: write # Required for repository access and tagging
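Review bot: In automated-release.yml, `timeout-minutes: 60` is added to the `release` job, which calls a reusable workflow through `uses:`; `timeout-minutes` is not among the keywords GitHub accepts on such a job (name, uses, with, secrets, strategy, needs, if, concurrency, permissions), so the workflow file is expected to fail validation and the release would not start. The same applies to the job in release.yml that calls `SonarSource/gh-action_release/.github/workflows/main.yaml@v6`. Remove the key from both caller jobs and set the limit on the jobs inside the called workflows instead. The `timeout-minutes` additions on jobs that declare `runs-on` are not affected.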
@@ -376,6 +384,7 @@ jobs:
 if: ${{ needs.build.outputs.deployed }}
 runs-on: github-ubuntu-latest-s # Public repo uses custom GitHub-hosted runners
 name: Promote
+ timeout-minutes: 15
 permissions:
 id-token: write
 contents: write
diff --git a/.github/workflows/dogfood.yml b/.github/workflows/dogfood.yml
index 00c7d1d515..950a05495b 100644
--- a/.github/workflows/dogfood.yml
+++ b/.github/workflows/dogfood.yml
@@ -14,6 +14,7 @@ jobs:
 dogfood_merge:
 runs-on: github-ubuntu-latest-s
 name: Update dogfood branch
+ timeout-minutes: 15
 permissions:
 id-token: write # required for SonarSource/vault-action-wrapper
 steps:
diff --git a/.github/workflows/mark-prs-stale.yml b/.github/workflows/mark-prs-stale.yml
index 12c46e4082..0709fb3bb5 100644
--- a/.github/workflows/mark-prs-stale.yml
+++ b/.github/workflows/mark-prs-stale.yml
@@ -7,6 +7,7 @@ on:
 jobs:
 stale:
 runs-on: github-ubuntu-latest-s
+ timeout-minutes: 15
 permissions:
 issues: write
 pull-requests: write
diff --git a/.github/workflows/pr-cleanup.yml b/.github/workflows/pr-cleanup.yml
index 4b1e8286fb..a41b17ead5 100644
--- a/.github/workflows/pr-cleanup.yml
+++ b/.github/workflows/pr-cleanup.yml
@@ -3,9 +3,14 @@ on:
 pull_request:
 types: [closed]
 
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
 jobs:
 cleanup:
 runs-on: github-ubuntu-latest-s # Public repo
+ timeout-minutes: 15
 permissions:
 actions: write
 steps:
diff --git a/.github/workflows/releasability.yaml b/.github/workflows/releasability.yaml
index 4999f62058..ed81b23bc9 100644
--- a/.github/workflows/releasability.yaml
+++ b/.github/workflows/releasability.yaml
@@ -12,6 +12,7 @@ jobs:
 releasability-job:
 name: Releasability check
 runs-on: github-ubuntu-latest-s
+ timeout-minutes: 30
 permissions:
 id-token: write # required by SonarSource/vault-action-wrapper
 contents: read # required by checkout
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 52aa22101e..7b37e2918e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,6 +26,7 @@ jobs:
 permissions:
 id-token: write
 contents: write
+ timeout-minutes: 60
 uses: SonarSource/gh-action_release/.github/workflows/main.yaml@v6
 with:
 publishToBinaries: true
diff --git a/.github/workflows/slack_notify.yml b/.github/workflows/slack_notify.yml
index 505cf90b51..527885e3a3 100644
--- a/.github/workflows/slack_notify.yml
+++ b/.github/workflows/slack_notify.yml
@@ -15,6 +15,7 @@ jobs:
 if: >-
 contains(fromJSON('["main", "master"]'), github.event.check_suite.head_branch) || startsWith(github.event.check_suite.head_branch, 'dogfood-') || startsWith(github.event.check_suite.head_branch, 'branch-')
 runs-on: github-ubuntu-latest-s
+ timeout-minutes: 15
 steps:
 - name: Send Slack Notification
 env:
diff --git a/.github/workflows/unified-dogfooding.yml b/.github/workflows/unified-dogfooding.yml
index 2bfae282ee..ec27f0b2b7 100644
--- a/.github/workflows/unified-dogfooding.yml
+++ b/.github/workflows/unified-dogfooding.yml
@@ -7,6 +7,7 @@ on:
 jobs:
 unified-platform-dogfooding:
 runs-on: github-ubuntu-latest-l
+ timeout-minutes: 60
 name: Unified Platform Dogfooding
 permissions:
 id-token: write