ci(deploy): serialize deploys against the shared Tokyo stack

Today an OtelCollector deploy on chore/e2e-required-merge-gate failed
with "ECS rolled back. PRIMARY=...:7 expected ...:6" — two parallel
Deploy App Services runs (push + dispatch on the same SHA) both
registered task definitions, and one's UpdateService rolled the other
back.

Add per-workflow concurrency groups against the shared Tokyo stack
to prevent the race. cancel-in-progress: false because a half-applied
ECS rolling update / EC2 userdata swap is worse than waiting.

- deploy-api.yml: group=deploy-api-shared
- deploy-app-services.yml: group=deploy-app-services-shared
- deploy-runner.yml: group=deploy-runner-shared
- _deploy-single-service.yml: group=deploy-single-service-<service_name>
  (parameterized so different services parallelize but same-service
  callers serialize — belt-and-suspenders against the outer group)

Author: G4614

.github/workflows/_deploy-single-service.yml

@@ -29,6 +29,14 @@ on:
         type: string
         required: true
 
+# Belt-and-suspenders against the outer-workflow concurrency: also
+# serialize per-service here, so any caller (deploy-app-services or
+# a future direct dispatch) racing on the same ECS service queues
+# instead of fighting over TD revisions. Different services parallelize.
+concurrency:
+  group: deploy-single-service-${{ inputs.service_name }}
+  cancel-in-progress: false
+
 permissions:
   contents: read
   id-token: write

.github/workflows/deploy-api.yml

@@ -64,6 +64,15 @@ on:
       - 'apps/api-client-go/**'
       - '.github/workflows/deploy-api.yml'
 
+# Serialize against the shared Tokyo ECS service. Concurrent Api
+# deploys race for task-definition revision numbers and one's
+# UpdateService rolls back the other (see #724 OtelCollector race).
+# cancel-in-progress: false because a half-applied ECS rolling update
+# is worse than waiting.
+concurrency:
+  group: deploy-api-shared
+  cancel-in-progress: false
+
 permissions:
   contents: read
 

.github/workflows/deploy-app-services.yml

@@ -40,6 +40,16 @@ on:
       - 'apps/ssh-gateway/**'
       - '.github/workflows/deploy-app-services.yml'
 
+# Serialize against the shared Tokyo ECS services. Concurrent
+# Proxy/OtelCollector/SshGateway deploys race for task-definition
+# revisions — observed live: two parallel runs both registered TDs,
+# one's UpdateService rolled the other back with "ECS rolled back.
+# PRIMARY=...:7 expected ...:6". cancel-in-progress: false because a
+# half-applied rolling update is worse than waiting.
+concurrency:
+  group: deploy-app-services-shared
+  cancel-in-progress: false
+
 permissions:
   contents: read
 

.github/workflows/deploy-runner.yml

@@ -67,6 +67,15 @@ on:
       - '.github/workflows/build-c.yml'
       - '.github/workflows/build-runner-binary.yml'
 
+# Serialize against the shared Tokyo runner binary in S3 + EC2 user
+# data. Concurrent runner deploys race on the same artifact path and
+# the same userdata-poll loop on the EC2 host. cancel-in-progress:
+# false because killing a deploy mid-rollout leaves the EC2 host on
+# an unknown binary.
+concurrency:
+  group: deploy-runner-shared
+  cancel-in-progress: false
+
 permissions:
   contents: read