diff --git a/.github/workflows/angular.yml b/.github/workflows/angular.yml
index cd48c0448a..841a0d944d 100644
--- a/.github/workflows/angular.yml
+++ b/.github/workflows/angular.yml
@@ -15,6 +15,11 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index 8b66f691dc..e2033cf1c3 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -23,6 +23,7 @@ on:
   pull_request:
     branches:
       - dev
+      - 'rel-*'
     paths:
       - 'framework/**/*.cs'
       - 'framework/**/*.cshtml'
@@ -51,6 +52,7 @@ concurrency:
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   build-test:
@@ -58,7 +60,7 @@ jobs:
     timeout-minutes: 50
     if: ${{ !github.event.pull_request.draft }}
     steps:
-    - uses: jlumbroso/free-disk-space@v1
+    - uses: jlumbroso/free-disk-space@v1.3.1
     - uses: actions/checkout@v4
     - uses: actions/setup-dotnet@v4
       with:
@@ -81,7 +83,8 @@ jobs:
       shell: pwsh
 
     - name: Codecov
+      if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
       uses: codecov/codecov-action@v5
       with:
-        token: ${{ secrets.CODECOV_TOKEN }}
+        use_oidc: true
         fail_ci_if_error: true
diff --git a/.github/workflows/cancel-workflow.yml b/.github/workflows/cancel-workflow.yml
index 1ed3a3bc4b..4d868f6b85 100644
--- a/.github/workflows/cancel-workflow.yml
+++ b/.github/workflows/cancel-workflow.yml
@@ -1,6 +1,6 @@
 # This workflow is intentionally disabled.
-# Cancellation of redundant runs is now handled natively via the `concurrency`
-# block defined in each individual workflow (e.g. build-and-test.yml).
+# The workflows that previously depended on this file now handle cancellation
+# natively via per-workflow `concurrency` blocks.
 # The styfle/cancel-workflow-action has been archived upstream and is no longer maintained.
 #
 # To re-enable manual cancellation, change `on: workflow_dispatch` back to `on: [push]`
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d1f6c0c503..16e0443f08 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -29,6 +29,10 @@ on:
       - reopened
       - ready_for_review
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/image-compression.yml b/.github/workflows/image-compression.yml
index 9eef6db59b..ed4111cdd3 100644
--- a/.github/workflows/image-compression.yml
+++ b/.github/workflows/image-compression.yml
@@ -12,6 +12,11 @@ on:
       - synchronize
       - reopened
       - ready_for_review
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build:
     if: github.event.pull_request.head.repo.full_name == github.repository && !github.event.pull_request.draft
@@ -23,5 +28,3 @@ jobs:
 
       - name: Compress Images
         uses: calibreapp/image-actions@main
-        with:
-          githubToken: ${{ secrets.GITHUB_TOKEN }}