diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 84b5730..b7fb7fe 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,10 +8,19 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+env:
+ # cargo's available_parallelism() reads the node's 32 threads, not the pod's
+ # cgroup CPU quota, so a cold (cache-miss) build fans out ~22-way and can
+ # OOM-kill the linker in the 5Gi cachekit runner — the same failure that hit
+ # cachekit-rs (#25/#26). Cap parallel jobs so peak RSS stays under the cap.
+ CARGO_BUILD_JOBS: "4"
+
 jobs:
 test:
 name: ${{ matrix.rust }} / ${{ matrix.os }}
 runs-on: ${{ matrix.runner }}
+ # Fail fast instead of hanging ~10min to GitHub's heartbeat if a runner wedges.
+ timeout-minutes: 20
 continue-on-error: ${{ matrix.rust == 'beta' }}
 strategy:
 fail-fast: false
@@ -68,6 +77,7 @@ jobs:
 security:
 runs-on: cachekit
+ timeout-minutes: 20
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 6ac6a19..e0b0837 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -13,10 +13,17 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+env:
+ # cargo's available_parallelism() reads the node's 32 threads, not the pod's
+ # cgroup CPU quota, so the cold release build below can OOM-kill the linker in
+ # the 5Gi cachekit runner (cachekit-rs #25/#26). Cap parallel jobs to fit.
+ CARGO_BUILD_JOBS: "4"
+
 jobs:
 analyze:
 name: Analyze
 runs-on: cachekit
+ timeout-minutes: 30
 permissions:
 actions: read
 contents: read
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 6bdd914..314848e 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
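Review bot: In ci.yml's first hunk, the new `timeout-minutes: 20` on `test` arrives together with the four-job cargo cap, so the slowest case, a cold cache-miss build, now runs longer against a new hard deadline, and nothing visible shows that its duration was measured. If a cold `-j4` build on the 5Gi runner gets close to 20 minutes, the job will be killed on exactly the cache misses this change is meant to rescue. I would record the measured figure beside the limit, for example `# cold -j4 build: ~<N> min on cachekit (placeholder, measure first); limit leaves headroom`. The same applies to the uncommented `timeout-minutes: 20` added to the `security` job in the second hunk, where hitting the deadline means the security checks did not run to completion. The `test` job's definition continues outside the hunk.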
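Review bot: In codeql.yml, `CARGO_BUILD_JOBS: "4"` and its rationale are a second copy of the block added to ci.yml, and security.yml gets a third with different wording, although the limit is a property of the cachekit runner (5Gi, 32 node threads) rather than of any one workflow. When the runner's memory or CPU quota changes, all three files have to be found and edited together, and a missed one brings the linker OOM back in that workflow only. Consider a single source for the value, either the runner pod's own environment or a repository variable read as `CARGO_BUILD_JOBS: ${{ vars.CARGO_BUILD_JOBS || '4' }}`, with the full explanation kept in one place. The `timeout-minutes: 30` added to `analyze` also has no comment saying why it differs from the 20 used in ci.yml.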
@@ -37,6 +37,11 @@ concurrency:
 env:
 CARGO_TERM_COLOR: always
 RUST_BACKTRACE: 1
+ # Cap cargo parallelism so cold builds (incl. ASAN fuzz-target builds) don't
+ # OOM-kill the linker in the 5Gi cachekit runner — see cachekit-rs #25/#26.
+ # NOTE: -j bounds parallel codegen, not ASAN's absolute footprint; it's a
+ # strong mitigation for the fuzz builds, a full fix for normal cargo builds.
+ CARGO_BUILD_JOBS: "4"
 jobs:
 fast-security:
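Review bot: The NOTE in this hunk concedes that the cap is only a mitigation for the ASAN fuzz-target builds, but it does not say what a residual OOM kill looks like or what to do about it, so a red security run may be re-run until green instead of being triaged. I would extend the comment with the symptom and the next step, for example `# If the linker is still killed (signal 9) in a fuzz build, lower this value or raise the runner memory limit; do not just re-run.` Unlike ci.yml and codeql.yml, this file also gains no `timeout-minutes` in the visible hunk; if its jobs do not already set one, the wedged-runner hang described in ci.yml still applies to the security jobs. The job definitions lie outside the hunk, so that last point is inferred.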