diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml
index aadac0d5..f4d06590 100644
--- a/.github/workflows/nightly-build.yml
+++ b/.github/workflows/nightly-build.yml
@@ -232,50 +232,13 @@ jobs:
           docker stop charon-nightly
           docker rm charon-nightly
 
-  build-nightly-release:
-    needs: test-nightly-image
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout nightly branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          ref: nightly
-          fetch-depth: 0
-
-      - name: Set up Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5  # v6.2.0
-        with:
-          go-version: '1.25.6'
-
-      - name: Set up Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238  # v6.2.0
-        with:
-          node-version: '24.13.0'
-
-      - name: Build frontend
-        working-directory: ./frontend
-        run: |
-          npm ci
-          npm run build
-
-      - name: Run GoReleaser (snapshot mode)
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a  # v6.4.0
-        with:
-          distribution: goreleaser
-          version: '~> v2'
-          args: release --snapshot --skip=publish --clean
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Upload nightly binaries
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
-        with:
-          name: nightly-binaries
-          path: dist/*
-          retention-days: 30
+  # NOTE: Standalone binary builds removed - Charon uses Docker-only deployment
+  # The build-nightly-release job that ran GoReleaser for Windows/macOS/Linux binaries
+  # was removed because:
+  # 1. Charon is distributed exclusively via Docker images
+  # 2. Cross-compilation was failing due to Unix-specific syscalls
+  # 3. No users download standalone binaries (all use Docker)
+  # If standalone binaries are needed in the future, re-add the job with Linux-only targets
 
   verify-nightly-supply-chain:
     needs: build-and-push-nightly
diff --git a/.github/workflows/propagate-changes.yml b/.github/workflows/propagate-changes.yml
index 332cb92c..d86e20e5 100644
--- a/.github/workflows/propagate-changes.yml
+++ b/.github/workflows/propagate-changes.yml
@@ -86,7 +86,9 @@ jobs:
                 }
 
                 // Load propagation config (list of sensitive paths) from .github/propagate-config.yml when available
-                let configPaths = ['scripts/history-rewrite/', 'data/backups', 'docs/plans/history_rewrite.md', '.github/workflows/'];
+                // NOTE: .github/workflows/ was removed from defaults - workflow updates SHOULD propagate
+                // to ensure downstream branches have correct CI/CD configurations
+                let configPaths = ['scripts/history-rewrite/', 'data/backups', 'docs/plans/history_rewrite.md'];
                 try {
                   const configResp = await github.rest.repos.getContent({ owner: context.repo.owner, repo: context.repo.repo, path: '.github/propagate-config.yml', ref: src });
                   const contentStr = Buffer.from(configResp.data.content, 'base64').toString('utf8');