diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2e3a3ece..30943eae 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -4,7 +4,7 @@ on:
 pull_request:
 branches: [main, nightly, development]
 push:
- branches: [main, nightly, development, 'feature/**', 'fix/**']
+ branches: [main]
 workflow_dispatch:
 schedule:
 - cron: '0 3 * * 1' # Mondays 03:00 UTC
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 42791431..f2eeb650 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -23,6 +23,7 @@ name: Docker Build, Publish & Test
 on:
 pull_request:
 push:
+ branches: [main]
 workflow_dispatch:
 workflow_run:
 workflows: ["Docker Lint"]
diff --git a/.github/workflows/security-pr.yml b/.github/workflows/security-pr.yml
index bd93f198..7c0c5256 100644
--- a/.github/workflows/security-pr.yml
+++ b/.github/workflows/security-pr.yml
@@ -15,6 +15,7 @@ on:
 type: string
 pull_request:
 push:
+ branches: [main]
 concurrency:
diff --git a/scripts/ci/check-codeql-parity.sh b/scripts/ci/check-codeql-parity.sh
index e2928186..b19b8735 100755
--- a/scripts/ci/check-codeql-parity.sh
+++ b/scripts/ci/check-codeql-parity.sh
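Review bot: Narrowing `push` to `[main]` in codeql.yml leaves `nightly` and `development` without a push-time analysis, although `pull_request` just above still lists them as base branches. Code scanning reports a pull request's alerts relative to the latest analysis of its base branch, so a stale or missing baseline there may blur which findings a PR introduces. Commits pushed to those branches directly go unscanned, and the Monday `schedule` run presumably covers only the default branch. Dropping just the globs, `branches: [main, nightly, development]`, keeps the CI saving for `feature/**` and `fix/**`, and the expected list in scripts/ci/check-codeql-parity.sh would have to match. The same gap for direct pushes applies to the `push` filter added in security-pr.yml.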
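Review bot: Adding `branches: [main]` under `push` in docker-build.yml also stops this workflow from running on tag pushes, because a `push` trigger that defines only `branches` ignores tag refs. If release images are published from version tags by this workflow (not visible in the hunk), add an explicit `tags:` filter next to `branches`. Otherwise a comment such as `# push builds are main-only; tags and other branches publish nothing` would record that the narrower scope is intended. The `on:` block continues outside the hunk.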
@@ -116,8 +116,8 @@ ensure_event_branches_semantic \
 ensure_event_branches_semantic \
 "$CODEQL_WORKFLOW" \
 "push" \
- "branches: [main, nightly, development, 'feature/**', 'fix/**']" \
- "main" "nightly" "development" "feature/**" "fix/**" || fail "codeql.yml push branches must be [main, nightly, development, 'feature/**', 'fix/**']"
+ "branches: [main]" \
+ "main" || fail "codeql.yml push branches must be [main]"
 grep -Fq 'queries: security-and-quality' "$CODEQL_WORKFLOW" || fail "codeql.yml must pin init queries to security-and-quality"
 ensure_task_command "$TASKS_FILE" "Security: CodeQL Go Scan (CI-Aligned) [~60s]" "bash scripts/pre-commit-hooks/codeql-go-scan.sh" || fail "Missing or mismatched CI-aligned Go CodeQL task (label+command)"
 ensure_task_command "$TASKS_FILE" "Security: CodeQL JS Scan (CI-Aligned) [~90s]" "bash scripts/pre-commit-hooks/codeql-js-scan.sh" || fail "Missing or mismatched CI-aligned JS CodeQL task (label+command)"
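Review bot: The expected push branch list is spelled three times in this `ensure_event_branches_semantic` call: the literal `branches:` line, the positional branch names, and the `fail` message. The next trigger change therefore has to update all three consistently. A short comment above the call, for example `# push is main-only by design; nightly/development are analysed through pull_request only`, would also tell a maintainer that the narrower scan scope is deliberate rather than a regression this check should catch. The definition of `ensure_event_branches_semantic` is outside the hunk, so whether it could build the message from its arguments cannot be told from here.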