ci: paths-ignore + cancel-in-progress on CI + Coverage Floor

[topcoder1]

Summary

• Adds paths-ignore: ["**/*.md", "docs/**"] to both ci.yml and coverage-floor.yml so docs-only commits don't burn CI minutes
• Adds top-level concurrency: block to both workflows to cancel in-progress runs on PR updates (superseded pushes are wasted spend)
• No job/step logic touched — trigger config only

Mirrors topcoder1/webcrawl#221 as the proven fleet precedent. nanoclaw is the #6 fleet spender (~123 runs/wk); est ~$2–3/mo saved.

Auto-merge rationale: CI-only YAML change touching .github/workflows/** which is on the high-risk surface — defers to manual click-merge per claude-author-automerge.yml policy. No production code touched.

Preflight notes

• bb-preflight working-tree warning: pre-existing uncommitted source changes on main (stashed, not part of this PR — stash residue shows as untracked). The 2 changed files pass npx prettier --check cleanly.
• Prettier warning: 70 pre-existing files fail prettier in this repo; neither changed file is among them.

Test plan

• actionlint passes on both modified workflow files (no syntax errors in trigger config)
• On next PR to nanoclaw, both CI and Coverage Floor workflows fire correctly
• A docs-only PR (touching only .md files) skips both workflows
• A superseded push to a PR branch cancels the previous in-progress run
• Monitor weekly run count vs ~123 runs/wk baseline over next 2 weeks

🤖 Generated with Claude Code

[github-actions]

Auto-merge blocked — risk-tier paths touched.

This Claude-authored PR modifies files matching the risk-tier patterns
defined in the global CLAUDE.md policy (auth / secrets / migrations /
billing / production infra). Manual click-merge required, OR use one of
the bypass paths below.

Matched files:

.github/workflows/ci.yml (matched: ^\.github/workflows/.*)
.github/workflows/coverage-floor.yml (matched: ^\.github/workflows/.*)```

**Bypass options (no PR detail navigation needed):**

- Apply the `auto-merge-approved` label to this PR. The workflow will re-run on
  the label event and enable auto-merge. One click from the PR list page.
- Wait for the `review / Codex Review` status check to pass. If Codex Review is
  installed on this repo and it returns SUCCESS, the workflow auto-bypasses
  the risk gate on its next run (e.g. on push of a fixup commit).

If a path is misclassified, fix the regex in
`topcoder1/ci-workflows/.github/workflows/claude-author-automerge.yml`.

[github-actions]

Risk class: blocked — manual merge required.

This PR touches one of the blocked path categories from .github/risk-paths.yml (Dockerfiles, docker-compose, .github/workflows/**, **/.env*, **/secrets*, infra/, terraform/, k8s/, or the classifier config itself).

Auto-merge is refused by claude-author-automerge.yml. A maintainer should review the diff and click "Squash and merge" themselves.

(This is a policy notice, not a code-quality failure. The classify job itself does not fail — required CI checks remain authoritative for "is the code green.")

[github-actions]

Coverage Floor — mode: enforce

metric	value
measured	%
floor (current)	70.8%
target	80.0%
last bumped	2026-05-22

[claude]

No issues found. CI-only trigger config change — paths-ignore and concurrency logic are correct.