Standardize CI: timeouts, concurrency, action versions, fail-fast

[silvertakana]

Summary

Several CI workflows lack timeout-minutes, risking runner-hungry stalls. Action versions are inconsistent across repos. Matrix jobs lack fail-fast: false. PR workflows don't use concurrency groups for automatic cancellation.

Background

From the CI/CD audit and research:

• GitHub's default timeout is 360 min — way too permissive
• docker/build-push-action varies between @v5, @v6, @v7 across repos
• Playwright matrix and node-matrix lack fail-fast: false
• PR workflows should cancel-in-progress to save runner minutes on re-pushes

Proposed Changes

1. Add timeout-minutes: 30 to every job across all CI workflows
2. Standardize action versions:
   • docker/build-push-action -> @v7
   • actions/checkout -> @v4
   • actions/setup-node -> @v4
   • actions/cache -> @v4
3. Add fail-fast: false to matrix jobs (Playwright, node-matrix)
4. Add concurrency groups to PR workflows:

   concurrency:
     group: ci-${{ github.ref }}
     cancel-in-progress: true

5. Add paths-ignore: ["*.md"] to workflows that don't have it

Acceptance Criteria

• Every job has timeout-minutes: 30
• Action versions consistent across all repos
• Matrix jobs don't cancel on single failure
• Re-pushes to a PR cancel previous in-progress runs
• Docs-only changes don't trigger CI