chore: standardize Blacksmith runner, concurrency + job timeouts

[ivndev001]

What

Adds timeout-minutes to all 14 jobs across the 4 workflows and a hard cancel-in-progress: false concurrency block to the 3 publish workflows. ci.yml's existing concurrency and the publish-test 4vcpu runner are unchanged. Appends the org CI-standard note to CLAUDE.md.

Why

Part of the org-wide Actions hygiene sweep (developerz-ai/infrastructure#300, motivated by wurk run 27345104330 hanging 24 min without a job timeout). PyPI publishes are irreversible — the publishers must never auto-cancel mid-flight; timeouts are sized to catch a hang, not bound runtime.

Changes

• ci.yml: lint 10; test-unit/test-integration/test-property/coverage/build/cli-test 15. Concurrency UNCHANGED (cancel:true stays — pure CI).
• docker-publish.yml: build-and-push 30 + new concurrency block (group: ${{ github.workflow }}-${{ github.ref }}, cancel-in-progress: false) — tag image + provenance attestation.
• publish-test.yml: build-and-publish 30 + same hard-false block; blacksmith-4vcpu runner kept (deliberate).
• publish.yml: verify 10, test 15, build 30, create-release 30, publish-pypi 30 + same hard-false block.
• CLAUDE.md: trailing ## CI standard section appended.

Note: the planning spec referred to the docker-publish.yml job as build-and-publish; the actual job id is build-and-push (the workflow's only job, matching the spec's description) — applied there.

Verification

• actionlint 1.7.12 on all 4 changed workflows: zero findings on any touched line. 24 pre-existing shellcheck findings (SC2086 x23, SC2129 x1) live inside untouched run: script blocks; linting the HEAD blobs gives identical per-file counts (ci 3, docker-publish 19, publish-test 1, publish 1), so none were introduced here.
• Diff is purely additive (30 insertions, 0 deletions) — ci.yml's concurrency block and every runs-on line have no hunk.
• This PR's own CI run is the live parse proof.
• Concurrency cancel-in-progress semantics not runtime-verified (documented expression).
• Render-check/live test: N/A — CI-config only.

Closes developerz-ai/infrastructure#309

Summary by CodeRabbit

Release Notes

• Chores

  • Enhanced CI/build workflow reliability with timeout limits on all jobs to prevent hanging runs.
  • Added concurrency policies to prevent multiple simultaneous workflow runs.

• Documentation

  • Added CI standards documentation outlining execution expectations and best practices.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 38d79123-67a6-4ef2-a829-bf812847ad74

📥 Commits

Reviewing files that changed from the base of the PR and between 7673562 and e120d33.

📒 Files selected for processing (5)

• .github/workflows/ci.yml
• .github/workflows/docker-publish.yml
• .github/workflows/publish-test.yml
• .github/workflows/publish.yml
• CLAUDE.md

---

📝 Walkthrough

Walkthrough

GitHub Actions workflows across this repository are updated to enforce execution safety: seven CI jobs receive explicit timeout limits, and three publish-related workflows (docker-publish, publish-test, publish) add concurrency controls with timeouts to prevent concurrent publishes. CLAUDE.md documents these CI standards.

Changes

CI and publish workflow configuration

Layer / File(s)	Summary
CI job timeout limits .github/workflows/ci.yml	Seven CI jobs (lint, test-unit, test-integration, test-property, coverage, build, cli-test) each receive explicit timeout-minutes values (10 for lint, 15 for others) to prevent runaway test and build executions.
Publish workflow concurrency and timeouts .github/workflows/docker-publish.yml, .github/workflows/publish-test.yml, .github/workflows/publish.yml	Three publish workflows each add a workflow-level concurrency block grouping runs by workflow name and git ref with cancel-in-progress: false, and job-level timeout-minutes (30 for long-running build/publish jobs, 10–15 for verification/testing jobs) to ensure no concurrent publish operations and bounded execution time.
CI standards documentation CLAUDE.md	New "CI standard" section documents that all workflows and jobs must define concurrency (with cancel-in-progress) and timeout-minutes, and that publish-related workflows must never allow in-progress cancellation because publishes are irreversible.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related issues

• #309: Identical changes across workflows to add job timeouts and publish concurrency blocks, plus CLAUDE.md CI standard note, directly implementing this task.
• #300: Related parent issue covering workflow configuration hygiene and timeouts.
• #307: Related CI workflow update task with timeout and documentation changes.

Possibly related PRs

• developerz-ai/claude-task-master#40: Overlapping changes to .github/workflows/publish.yml for PyPI release configuration including concurrency and timeout settings.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	Title clearly summarizes the main change: standardizing Blacksmith runner configuration with concurrency and job timeout additions across CI workflows.
Linked Issues check	✅ Passed	All acceptance criteria from issue #309 are met: timeouts added to 14 jobs, concurrency with cancel-in-progress: false added to publish workflows, ci.yml concurrency unchanged, 4vcpu runner retained, CLAUDE.md note added.
Out of Scope Changes check	✅ Passed	All changes are strictly scoped to the requirements in issue #309: timeout configurations, concurrency blocks, and documentation update. No unrelated modifications present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/actions-hygiene

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ivndev001]

@CodeRabbit full review

[coderabbitai]

✅ Action performed

Full review finished.

[ivndev001]

@CodeRabbit full review

[coderabbitai]

✅ Action performed

Full review finished.

[ivndev001]

@coderabbitai full review

[coderabbitai]

✅ Action performed

Full review finished.

[ivndev001]

@coderabbitai full review

[coderabbitai]

✅ Action performed

Full review finished.

[ivndev001]

Post-merge live test: PASS - 2026-06-12. CI run on merge commit 1071712 completed green on main (all 7 jobs with the new timeout-minutes). The 3 publish workflows are tag-triggered and unexercised here - their hard cancel-in-progress: false blocks take effect on the next release tag; semantics documented in the PR body, actionlint-verified pre-merge.