diff --git a/.github/workflows/test-library.yml b/.github/workflows/test-library.yml
index 2f05f1ff51..2b9323f232 100644
--- a/.github/workflows/test-library.yml
+++ b/.github/workflows/test-library.yml
@@ -8,20 +8,36 @@ on:
 
 jobs:
   test-lib:
+    # If jobs cancel, consider pinning to ubuntu-24.04
+    # The ubuntu-latest alias can point to different images during migrations (and sometimes be extra busy),
+    # while ubuntu-24.04 always targets the 24.04 pool
     runs-on: ubuntu-latest
+
+    # The timeout is run time after a runner starts, not time in queue
     timeout-minutes: 15
 
     strategy:
       fail-fast: false
+
+      # Limit concurrent jobs for scheduling problem on GitHub's hosted runner pool.
+      max-parallel: 12
+
       matrix:
-        math: [SPMATH=1 WOLFBOOT_SMALL_STACK=0,
-               SPMATH=1 WOLFBOOT_SMALL_STACK=1,
-               SPMATHALL=1 WOLFBOOT_SMALL_STACK=0,
-               SPMATHALL=1 WOLFBOOT_SMALL_STACK=1,
-               SPMATH=0 SPMATHALL=0 WOLFBOOT_SMALL_STACK=0,
-               SPMATH=0 SPMATHALL=0 WOLFBOOT_SMALL_STACK=1]
+        math:
+          - "SPMATH=1 WOLFBOOT_SMALL_STACK=0"
+          - "SPMATH=1 WOLFBOOT_SMALL_STACK=1"
+          - "SPMATHALL=1 WOLFBOOT_SMALL_STACK=0"
+          - "SPMATHALL=1 WOLFBOOT_SMALL_STACK=1"
+          - "SPMATH=0 SPMATHALL=0 WOLFBOOT_SMALL_STACK=0"
+          - "SPMATH=0 SPMATHALL=0 WOLFBOOT_SMALL_STACK=1"
         asym: [ed25519, ecc256, ecc384, ecc521, rsa2048, rsa3072, rsa4096, ed448]
         hash: [sha256, sha384, sha3]
+
+        # See https://github.com/wolfSSL/wolfBoot/issues/614 regarding exclusions:
+        exclude:
+          - math: "SPMATH=1 WOLFBOOT_SMALL_STACK=1"
+          - math: "SPMATHALL=1 WOLFBOOT_SMALL_STACK=1"
+
     steps:
       - uses: actions/checkout@v4
         with:
@@ -33,16 +49,50 @@ jobs:
 
       - name: Build test-lib
         env:
+          shell: bash
           ASYM: ${{ matrix.asym }}
           HASH: ${{ matrix.hash }}
+          MATH: ${{ matrix.math }}
         run: |
+          # Sample build
+          build_once() {
+              # Convert asym and hash to upper case, optionally add additional param
+              make -j test-lib SIGN=${ASYM^^} HASH=${HASH^^} ${MATH} "$@"
+          }
+
+          set -euo pipefail
+
+          # Get the reference config
           cp config/examples/library.config .config
+
+          # Keytools
           make keytools
-          ./tools/keytools/keygen --${{ matrix.asym }} -g wolfboot_signing_private_key.der
+          ./tools/keytools/keygen --${ASYM} -g wolfboot_signing_private_key.der
+
+          # Sign
           echo "Test" > test.bin
-          ./tools/keytools/sign --${{ matrix.asym }} --${{ matrix.hash }} test.bin wolfboot_signing_private_key.der 1
-          # Convert asym and hash to upper case
-          make test-lib SIGN=${ASYM^^} HASH=${HASH^^}
+          ./tools/keytools/sign --${ASYM} --${HASH} test.bin wolfboot_signing_private_key.der 1
+
+          # First attempt
+          if build_once >build.out 2>build.err; then
+            echo "Success on first attempt, WOLFBOOT_HUGE_STACK not applied."
+            exit 0
+          fi
+
+          # If it failed due to the TFM huge stack guard, retry with the flag
+          if grep -Fq 'If this is OK, please compile with WOLFBOOT_HUGE_STACK=1' build.err; then
+            echo "Retrying with WOLFBOOT_HUGE_STACK=1 due to stack requirement error."
+
+            # Always print the entire message
+            grep -Fn 'If this is OK, please compile with WOLFBOOT_HUGE_STACK=1' build.err || true
+
+            # Try again with huge stack allowed
+            build_once WOLFBOOT_HUGE_STACK=1
+          else
+            echo "Build failed for another reason:"
+            cat build.err
+            exit 1
+          fi
 
       - name: Run test-lib
         run: |