diff --git a/.github/workflows/giteabot.yml b/.github/workflows/giteabot.yml
index 4c9cd03e89..3c4456666e 100644
--- a/.github/workflows/giteabot.yml
+++ b/.github/workflows/giteabot.yml
@@ -28,12 +28,19 @@ permissions:
   pull-requests: write
   statuses: write
 
+concurrency:
+  group: ${{ format('{0}-{1}', github.workflow, (github.event_name == 'pull_request_target' || github.event_name == 'pull_request_review') && format('pr-{0}', github.event.pull_request.number) || 'maintenance') }}
+  cancel-in-progress: false
+
 jobs:
   giteabot:
+    name: Run Giteabot (${{ github.event_name }})
     runs-on: ubuntu-latest
+    timeout-minutes: 30
     steps:
       - name: Run Giteabot
-        uses: go-gitea/giteabot@v1
+        # pull_request_target runs with a write token, so keep this pinned and do not check out PR HEAD here.
+        uses: go-gitea/giteabot@761f9199f71c68ce2c76decf3dcf7ee76ca664ed # v1 branch @ 2026-04-25
         with:
           github_token: ${{ secrets.GITEABOT_TOKEN }}
           gitea_fork: giteabot/gitea