From ac1bffd41addbb00c75c7cf947b430f2356ebfcf Mon Sep 17 00:00:00 2001
From: David Abutbul <David.a@prompt.security>
Date: Thu, 26 Feb 2026 12:23:06 +0200
Subject: [PATCH] fix pipelines

---
 .github/workflows/ci.yml           |  4 +--
 .github/workflows/codeql.yml       |  2 --
 .github/workflows/deploy-pages.yml | 40 ++++++++++++------------------
 .github/workflows/scorecard.yml    |  2 --
 4 files changed, 18 insertions(+), 30 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4d744ea..9fbefd4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,8 +3,7 @@ name: CI
 on:
   pull_request:
     branches: [main]
-  push:
-    branches: [main]
+  workflow_dispatch:
 
 permissions: read-all
 
@@ -31,6 +30,7 @@ jobs:
       - name: TypeScript Check
         run: npx tsc --noEmit
       - name: Build Check
+        if: matrix.os == 'ubuntu-latest'
         run: npm run build
 
   lint-python:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index e5a6f90..3634102 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,8 +1,6 @@
 name: CodeQL
 
 on:
-  push:
-    branches: [main]
   pull_request:
     branches: [main]
   workflow_dispatch:
diff --git a/.github/workflows/deploy-pages.yml b/.github/workflows/deploy-pages.yml
index e024e11..f5b1812 100644
--- a/.github/workflows/deploy-pages.yml
+++ b/.github/workflows/deploy-pages.yml
@@ -1,8 +1,10 @@
 name: Deploy to GitHub Pages
 
 on:
+  push:
+    branches: [main]
   workflow_run:
-    workflows: ["CI", "Skill Release"]
+    workflows: ["Skill Release"]
     types: [completed]
   workflow_dispatch:
 
@@ -18,24 +20,19 @@ concurrency:
 jobs:
   build:
     runs-on: ubuntu-latest
-    # Production build only: manual dispatch or trusted workflow_run sources.
+    # Production build only: manual dispatch, push to main, or trusted release workflows.
     # PR validation runs in .github/workflows/pages-verify.yml.
     if: |
       github.event_name == 'workflow_dispatch' ||
+      (
+        github.event_name == 'push' &&
+        github.ref_name == 'main'
+      ) ||
       (
         github.event_name == 'workflow_run' &&
         github.event.workflow_run.conclusion == 'success' &&
-        (
-          (
-            github.event.workflow_run.name == 'CI' &&
-            github.event.workflow_run.event == 'push' &&
-            github.event.workflow_run.head_branch == 'main'
-          ) ||
-          (
-            github.event.workflow_run.name == 'Skill Release' &&
-            github.event.workflow_run.event != 'pull_request'
-          )
-        )
+        github.event.workflow_run.name == 'Skill Release' &&
+        github.event.workflow_run.event != 'pull_request'
       )
     steps:
       - name: Checkout
@@ -420,20 +417,15 @@ jobs:
     # Deploy after a production build succeeds.
     if: |
       github.event_name == 'workflow_dispatch' ||
+      (
+        github.event_name == 'push' &&
+        github.ref_name == 'main'
+      ) ||
       (
         github.event_name == 'workflow_run' &&
         github.event.workflow_run.conclusion == 'success' &&
-        (
-          (
-            github.event.workflow_run.name == 'CI' &&
-            github.event.workflow_run.event == 'push' &&
-            github.event.workflow_run.head_branch == 'main'
-          ) ||
-          (
-            github.event.workflow_run.name == 'Skill Release' &&
-            github.event.workflow_run.event != 'pull_request'
-          )
-        )
+        github.event.workflow_run.name == 'Skill Release' &&
+        github.event.workflow_run.event != 'pull_request'
       )
     environment:
       name: github-pages
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 6eccd39..0b2c1b7 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -11,8 +11,6 @@ on:
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
     - cron: '19 23 * * 0'
-  push:
-    branches: [ "main" ]
 
 # Declare default permissions as read only.
 permissions: read-all