diff --git a/.github/workflows/address_undefined_behavior_leak_sanitizer.yml b/.github/workflows/address_undefined_behavior_leak_sanitizer.yml
index d96c95d4..6a2dfbb8 100644
--- a/.github/workflows/address_undefined_behavior_leak_sanitizer.yml
+++ b/.github/workflows/address_undefined_behavior_leak_sanitizer.yml
@@ -22,6 +22,9 @@ on:
   merge_group:
     types: [checks_requested]
   workflow_call:
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request'}}
 jobs:
     build_and_test_asan_ubsan_lsan:
       runs-on: ubuntu-24.04
diff --git a/.github/workflows/build_and_test_host.yml b/.github/workflows/build_and_test_host.yml
index 3568af9e..febf1c59 100644
--- a/.github/workflows/build_and_test_host.yml
+++ b/.github/workflows/build_and_test_host.yml
@@ -21,6 +21,9 @@ on:
   merge_group:
     types: [checks_requested]
   workflow_call:
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request'}}
 jobs:
     build_and_test_host:
       name: build_and_test_host${{ matrix.param.identifier }}
diff --git a/.github/workflows/build_and_test_qnx.yml b/.github/workflows/build_and_test_qnx.yml
index b6d03017..515e3f1f 100644
--- a/.github/workflows/build_and_test_qnx.yml
+++ b/.github/workflows/build_and_test_qnx.yml
@@ -17,7 +17,7 @@
 name: Bazel Build & Test communication module (target-platforms)
 on:
   pull_request_target:
-    types: [opened, reopened, synchronize]
+    types: [opened, reopened, synchronize, labeled, unlabeled]
   merge_group:
     types: [checks_requested]
   workflow_call:
@@ -29,35 +29,74 @@ on:
       SCORE_QNX_PASSWORD:
         required: true
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request_target'}}
+
 env:
   LICENSE_DIR: "/opt/score_qnx/license"
 jobs:
+    precheck:
+      runs-on: ubuntu-24.04
+      outputs:
+        should-run: ${{ steps.gate.outputs.should-run }}
+        require-approval: ${{ steps.gate.outputs.require-approval }}
+      permissions:
+        contents: read
+        pull-requests: read
+      steps:
+        - name: Evaluate QNX workflow gate
+          id: gate
+          env:
+            EVENT_NAME: ${{ github.event_name }}
+          run: |
+            python3 - <<'SCRIPT_END' >> "${GITHUB_OUTPUT}"
+            import json
+            import os
+
+            should_run = True
+            require_approval = False
+
+            with open(os.environ["GITHUB_EVENT_PATH"], encoding="utf-8") as event_file:
+                event = json.load(event_file)
+
+            pr = event.get("pull_request") or {}
+            head_repo = (((pr.get("head") or {}).get("repo") or {}).get("full_name") or "")
+            base_repo = (((pr.get("base") or {}).get("repo") or {}).get("full_name") or "")
+            labels = {label.get("name", "") for label in (pr.get("labels") or [])}
+
+            if os.environ["EVENT_NAME"] == "pull_request_target" and head_repo != base_repo:
+                if "test-qnx" in labels:
+                    require_approval = True
+                else:
+                    should_run = False
+
+            print(f"should-run={'true' if should_run else 'false'}")
+            print(f"require-approval={'true' if require_approval else 'false'}")
+            SCRIPT_END
+
+    approval:
+      needs: precheck
+      if: ${{ needs.precheck.outputs.require-approval == 'true' }}
+      environment: 'workflow-approval'
+      runs-on: ubuntu-24.04
+      permissions:
+        contents: read
+        pull-requests: read
+      steps:
+        - name: Blocking on approval
+          run: ''
+
     build_and_test_qnx:
-      name: build_and_test_qnx${{ matrix.identifier }}
-      strategy:
-        fail-fast: false
-        matrix:
-          bazel-config: ["qnx_x86_64", "qnx_arm64"]
-          include:
-            - bazel-config: "qnx_x86_64"
-              identifier: ""
-              incompatible_targets:
-                - "-//score/mw/com/requirements/..." # Uninvestigated problem
-                - "-//score/mw/com/performance_benchmarks/..." # Uninvestigated problem
-                - "-//score/mw/com/doc/..." # Uninvestigated problem
-                - "-//score/mw/com/design/..." # Uninvestigated problem
-            - bazel-config: "qnx_arm64"
-              identifier: "_arm64"
-              incompatible_targets:
-                - "-//score/mw/com/requirements/..." # Uninvestigated problem
-                - "-//score/mw/com/performance_benchmarks/..." # Uninvestigated problem
-                - "-//score/mw/com/doc/..." # Uninvestigated problem
-                - "-//score/mw/com/design/..." # Uninvestigated problem
+      name: build_and_test_qnx
+      needs:
+        - precheck
+        - approval
+      if: ${{ always() && needs.precheck.outputs.should-run == 'true' && (needs.approval.result == 'success' || needs.approval.result == 'skipped') }}
       runs-on: ubuntu-24.04
       permissions:
         contents: read
         pull-requests: read
-      environment: "workflow-approval"
       steps:
         - name: Checkout repository
           uses: actions/checkout@v4.2.2
@@ -70,13 +109,12 @@ jobs:
           uses: bazel-contrib/setup-bazel@0.18.0
           with:
             bazelisk-cache: true
-            disk-cache: build_and_test_qnx${{ matrix.identifier }}
+            disk-cache: build_and_test_qnx
             repository-cache: true
             cache-save: ${{ github.event_name == 'merge_group' }}
         - name: Allow linux-sandbox
           uses: ./actions/unblock_user_namespace_for_linux_sandbox
         - name: Setup QNX License
-          if: ${{ contains(matrix.bazel-config, 'qnx') }}
           env:
             SCORE_QNX_LICENSE: ${{ secrets.SCORE_QNX_LICENSE }}
           run: |
@@ -89,8 +127,8 @@ jobs:
             SCORE_QNX_USER: ${{ secrets.SCORE_QNX_USER }}
             SCORE_QNX_PASSWORD: ${{ secrets.SCORE_QNX_PASSWORD }}
           run: |
-            bazel build --config ${{ matrix.bazel-config }} -- //score/... ${{ join(matrix.incompatible_targets, ' ') }}
+            bazel build --config qnx_arm64 -- //score/... -//score/mw/com/requirements/... -//score/mw/com/performance_benchmarks/... -//score/mw/com/doc/... -//score/mw/com/design/...
         - name: Cleanup QNX License
-          if: ${{ contains(matrix.bazel-config, 'qnx') && !cancelled() }}
+          if: ${{ !cancelled() }}
           run: sudo rm -rf ${{ env.LICENSE_DIR }}
           # TODO Run tests on QNX QEMU
diff --git a/.github/workflows/coverage_report.yml b/.github/workflows/coverage_report.yml
index 7aef40cb..8b512f3b 100644
--- a/.github/workflows/coverage_report.yml
+++ b/.github/workflows/coverage_report.yml
@@ -26,6 +26,10 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request'}}
+
 jobs:
   coverage_report:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/thread_sanitizer.yml b/.github/workflows/thread_sanitizer.yml
index 72b682b2..1225bce9 100644
--- a/.github/workflows/thread_sanitizer.yml
+++ b/.github/workflows/thread_sanitizer.yml
@@ -21,6 +21,9 @@ on:
   merge_group:
     types: [checks_requested]
   workflow_call:
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request'}}
 jobs:
     build_and_test_tsan:
       runs-on: ubuntu-24.04