fix: Fuzzy matching fallback + CI/CD pipeline consolidation

.github/workflows/coverage.yml

@@ -3,9 +3,15 @@ name: Coverage Analysis
 
 "on":
   push:
+    branches: [master]
   pull_request:
+    branches: [master]
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
@@ -44,7 +50,7 @@ jobs:
             --cov-report=html \
             --cov-report=term-missing \
             --cov-branch \
-            --cov-fail-under=15 \
+            --cov-fail-under=50 \
             --timeout=$TIMEOUT \
             --timeout-method=thread \
             --maxfail=10 \
@@ -70,7 +76,7 @@ jobs:
                 --cov-report=html \
                 --cov-report=term-missing \
                 --cov-branch \
-                --cov-fail-under=15 \
+                --cov-fail-under=50 \
                 --timeout=$TIMEOUT \
                 --timeout-method=thread \
                 --maxfail=10 \
@@ -97,6 +103,7 @@ jobs:
         with:
           name: coverage-html-report
           path: htmlcov/
+          retention-days: 14
 
       - name: Coverage summary
         run: |

.github/workflows/dependabot-auto-merge.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v2.5.0
+        uses: dependabot/fetch-metadata@v2
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
 
@@ -56,34 +56,44 @@ jobs:
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v2.5.0
+        uses: dependabot/fetch-metadata@v2
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
 
-      - name: Wait for CI checks
-        uses: fountainhead/action-wait-for-check@v1.2.0
-        id: wait-for-ci
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          checkName: "ci"
-          ref: ${{ github.event.pull_request.head.sha }}
-          timeoutSeconds: 1800
-          intervalSeconds: 30
+      - name: Wait for CI checks to complete
+        run: |
+          echo "Waiting for required checks to pass..."
+          MAX_ATTEMPTS=60
+          SLEEP_SECONDS=30
 
-      - name: Wait for security checks
-        uses: fountainhead/action-wait-for-check@v1.2.0
-        id: wait-for-security
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          checkName: "security"
-          ref: ${{ github.event.pull_request.head.sha }}
-          timeoutSeconds: 900
-          intervalSeconds: 30
+          for i in $(seq 1 "$MAX_ATTEMPTS"); do
+            # gh pr checks exits non-zero if any check failed
+            if gh pr checks "$PR_URL" --watch --fail-fast 2>/dev/null; then
+              echo "All checks passed!"
+              break
+            fi
+
+            EXIT_CODE=$?
+            # Exit code 1 = checks failed, don't retry
+            if [ "$EXIT_CODE" -eq 1 ]; then
+              echo "::error::Some checks failed — aborting auto-merge"
+              gh pr checks "$PR_URL" 2>&1 || true
+              exit 1
+            fi
+
+            # Other exit codes (e.g. checks not yet created) — wait and retry
+            if [ "$i" -eq "$MAX_ATTEMPTS" ]; then
+              echo "::error::Timed out waiting for checks after $((MAX_ATTEMPTS * SLEEP_SECONDS))s"
+              exit 1
+            fi
+            echo "Checks not yet available (attempt $i/$MAX_ATTEMPTS), retrying in ${SLEEP_SECONDS}s..."
+            sleep "$SLEEP_SECONDS"
+          done
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Auto-merge security updates
-        if: |
-          steps.wait-for-ci.outputs.conclusion == 'success' &&
-          steps.wait-for-security.outputs.conclusion == 'success'
         run: |
           echo "Auto-merging Dependabot security update after CI passes"
           gh pr merge --auto --squash "$PR_URL"
@@ -99,8 +109,8 @@ jobs:
     steps:
       - name: Notify on failure
         run: |
-          echo "Dependabot auto-merge failed. Manual review required."
-          gh pr comment "$PR_URL" --body "🤖 Dependabot auto-merge failed. Please review this PR manually."
+          echo "::warning::Dependabot auto-merge failed. Manual review required."
+          gh pr comment "$PR_URL" --body "🤖 Dependabot auto-merge failed. Please review this PR manually." || true
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/lint.yml

@@ -3,9 +3,15 @@ name: Code Linting and Formatting
 
 "on":
   push:
+    branches: [master]
   pull_request:
+    branches: [master]
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
@@ -56,3 +62,4 @@ jobs:
           name: lint-reports
           path: |
             mypy-report.xml
+          retention-days: 14

.github/workflows/performance.yml

@@ -3,7 +3,9 @@ name: Performance Testing
 
 "on":
   pull_request:
+    branches: [master]
   push:
+    branches: [master]
   schedule:
     # Run performance tests weekly on Sunday at 23:00 UTC
     - cron: "0 23 * * 0"
@@ -21,6 +23,10 @@ name: Performance Testing
           - outdated
           - all
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
@@ -90,6 +96,7 @@ jobs:
         with:
           name: performance-results-${{ matrix.os }}
           path: performance_results.json
+          retention-days: 30
 
       - name: Compare with previous results (if available)
         run: |