Add concurrency, timeouts, and least-privilege permissions to all workflows

[Copilot]

GitHub Actions workflows were missing concurrency controls, job timeouts, and permissions blocks — leaving them exposed to runaway billing and redundant parallel runs.

Changes

• permissions — Added minimal scoped permissions to the three workflows that had none (blackroad-agents.yml, deploy.yml, trinity-compliance.yml); existing workflows were already scoped
• concurrency groups — Added to all five workflows to auto-cancel superseded runs on the same ref/issue/PR; cancel-in-progress: false on auto-merge to avoid interrupting an in-flight merge
• timeout-minutes — Added per-job caps to bound worst-case cost: 15 min for agent/merge/compliance jobs, 20 min for deploy, 60 min for CodeQL

All jobs already use ubuntu-latest, which is free for public repositories.

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  deploy:
    runs-on: ubuntu-latest
    timeout-minutes: 20

Original prompt

Please set up jobs for workflows and with $0 billing

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.