diff --git a/.github/workflows/abidiff.yml b/.github/workflows/abidiff.yml
index 68af3272b1..8459d5b0de 100644
--- a/.github/workflows/abidiff.yml
+++ b/.github/workflows/abidiff.yml
@@ -5,7 +5,7 @@ on:
   pull_request:
     branches: [ '*' ]
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 env:
   DOCKER_BUILDKIT: 1
diff --git a/.github/workflows/actions-ci.yml b/.github/workflows/actions-ci.yml
index 95aa79c101..e8a4d96868 100644
--- a/.github/workflows/actions-ci.yml
+++ b/.github/workflows/actions-ci.yml
@@ -5,7 +5,7 @@ on:
   pull_request:
     branches: [ '*' ]
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 env:
   GOPROXY: https://proxy.golang.org,direct
@@ -34,6 +34,7 @@ jobs:
     needs: [sanity-test-run]
     runs-on: ${{ matrix.os }}
     strategy:
+      fail-fast: false
       matrix:
         os:
           - "macos-14-large"
@@ -53,6 +54,7 @@ jobs:
     needs: [sanity-test-run]
     runs-on: ${{ matrix.os }}
     strategy:
+      fail-fast: false
       matrix:
         os:
           - "macos-14-large"
@@ -72,6 +74,7 @@ jobs:
     needs: [sanity-test-run]
     runs-on: ${{ matrix.os }}
     strategy:
+      fail-fast: false
       matrix:
         os:
           - "macos-14-xlarge"
@@ -90,6 +93,7 @@ jobs:
     needs: [sanity-test-run]
     runs-on: ${{ matrix.os }}
     strategy:
+      fail-fast: false
       matrix:
         os:
           - "macos-14-xlarge"
@@ -168,6 +172,7 @@ jobs:
     if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
     strategy:
+      fail-fast: false
       matrix:
         gccversion:
           - "9"
@@ -202,6 +207,7 @@ jobs:
     if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
     strategy:
+      fail-fast: false
       matrix:
         gccversion:
           - "13"
@@ -234,6 +240,7 @@ jobs:
     if: github.repository_owner == 'aws'
     needs: [sanity-test-run]
     strategy:
+      fail-fast: false
       matrix:
         gccversion:
           - "10"
diff --git a/.github/workflows/aws-lc-rs.yml b/.github/workflows/aws-lc-rs.yml
index 5d91d0dedc..ac68f8df2a 100644
--- a/.github/workflows/aws-lc-rs.yml
+++ b/.github/workflows/aws-lc-rs.yml
@@ -5,7 +5,7 @@ on:
   pull_request:
     branches: [ '*' ]
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 env:
   GOPROXY: https://proxy.golang.org,direct
diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml
index 5ab96862f3..10a108aa4b 100644
--- a/.github/workflows/cmake.yml
+++ b/.github/workflows/cmake.yml
@@ -5,7 +5,7 @@ on:
   pull_request:
     branches: [ '*' ]
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 env:
   DOCKER_BUILDKIT: 1
@@ -15,6 +15,7 @@ jobs:
     if: github.repository_owner == 'aws'
     name: CMake ${{ matrix.cmake.version}} build with ${{ matrix.generator}} FIPS=${{ matrix.fips }}
     strategy:
+      fail-fast: false
       matrix:
         cmake:
           - { version: "3.2", url: "https://cmake.org/files/v3.2/cmake-3.2.3.tar.gz", hash: "a1ebcaf6d288eb4c966714ea457e3b9677cdfde78820d0f088712d7320850297" }
diff --git a/.github/workflows/codecov-ci.yml b/.github/workflows/codecov-ci.yml
index d9fb2e9419..08dd6afa5b 100644
--- a/.github/workflows/codecov-ci.yml
+++ b/.github/workflows/codecov-ci.yml
@@ -5,7 +5,7 @@ on:
   pull_request:
     branches: [ '*' ]
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 jobs:
   codecov-ci:
diff --git a/.github/workflows/cross-test.yml b/.github/workflows/cross-test.yml
index 15ff4371d4..dc48877e80 100644
--- a/.github/workflows/cross-test.yml
+++ b/.github/workflows/cross-test.yml
@@ -5,7 +5,7 @@ on:
   pull_request:
     branches: [ '*' ]
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 jobs:
   ppc64-build-test:
diff --git a/.github/workflows/integrations.yml b/.github/workflows/integrations.yml
index 17aabcb66c..1d6fd570d5 100644
--- a/.github/workflows/integrations.yml
+++ b/.github/workflows/integrations.yml
@@ -5,7 +5,7 @@ on:
   pull_request:
     branches: [ '*' ]
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 env:
   CC: gcc
diff --git a/.github/workflows/windows-alt.yml b/.github/workflows/windows-alt.yml
index b684c0889d..8d73e1fecb 100644
--- a/.github/workflows/windows-alt.yml
+++ b/.github/workflows/windows-alt.yml
@@ -5,7 +5,7 @@ on:
   pull_request:
     branches: [ '*' ]
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 jobs:
   mingw:
diff --git a/crypto/fipsmodule/rsa/rsa.c b/crypto/fipsmodule/rsa/rsa.c
index f0144b7230..c34b0b2ff5 100644
--- a/crypto/fipsmodule/rsa/rsa.c
+++ b/crypto/fipsmodule/rsa/rsa.c
@@ -836,6 +836,17 @@ void RSA_blinding_off_temp_for_accp_compatibility(RSA *rsa) {
   }
 }
 
+int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2) {
+  if (ctx != NULL && ctx->pmeth != NULL) {
+    if (ctx->pmeth->pkey_id == EVP_PKEY_RSA ||
+        ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) {
+      return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, p1, p2);
+    }
+    return -1;
+  }
+  return 0;
+}
+
 // ------------- KEY CHECKING FUNCTIONS ----------------
 //
 // Performs several checks on the public component of the given RSA key.
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index 181ebc2912..894a008e5d 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -739,6 +739,16 @@ OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
 // a private exponent having blinding disabled.
 OPENSSL_EXPORT OPENSSL_DEPRECATED void RSA_blinding_off_temp_for_accp_compatibility(RSA *rsa);
 
+// RSA_pkey_ctx_ctrl is a vestigial OpenSSL function that has been obsoleted by
+// the EVP interface. External callers should not use this. Internal callers
+// should use |EVP_PKEY_CTX_ctrl| instead.
+//
+// This function directly calls |EVP_PKEY_CTX_ctrl| with some guards around the
+// key's type. The key type must either be RSA or RSA-PSS, otherwise -1 is
+// returned.
+OPENSSL_EXPORT OPENSSL_DEPRECATED int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd,
+                                                        int p1, void *p2);
+
 // RSA_generate_key behaves like |RSA_generate_key_ex|, which is what you
 // should use instead. It returns NULL on error, or a newly-allocated |RSA| on
 // success. This function is provided for compatibility only. The |callback|