diff --git a/.github/workflows/auto-add-to-project.yml b/.github/workflows/auto-add-to-project.yml
index 0758c5e1..6ad861d1 100644
--- a/.github/workflows/auto-add-to-project.yml
+++ b/.github/workflows/auto-add-to-project.yml
@@ -10,15 +10,9 @@ jobs:
 add-to-project:
 runs-on: ubuntu-latest
 steps:
- - name: Skip if PROJECT_URL not provided
- run: |
- if [ -z "${{ secrets.PROJECT_URL }}" ]; then
- echo "PROJECT_URL secret not set; skipping add-to-project job."
- exit 0
- fi
-
 - name: Add issue or PR to project
 uses: actions/add-to-project@1b844f0c5ac6446a402e0cb3693f9be5eca188c5 # v0.6.1
+ continue-on-error: true
 with:
 project-url: ${{ secrets.PROJECT_URL }}
 github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 79e51d68..5a79ff06 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
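Review bot: `continue-on-error: true` on the add-to-project step hides every failure of that step, not only the missing-secret case the removed step was meant to cover, so a revoked or under-scoped token or a GitHub API error now leaves the job green with nothing added. Dropping the shell step is right (its `exit 0` only ended that step and never skipped the next one), but the replacement should gate on the secret rather than swallow errors: the `secrets` context is not available in a step-level `if`, so expose it through `env` and test that, e.g. `env:` / `  PROJECT_URL: ${{ secrets.PROJECT_URL }}` on the job and `if: env.PROJECT_URL != ''` on the step. That keeps real failures visible while still making the workflow a no-op where the secret is absent.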
@@ -96,33 +96,44 @@ jobs:
 build-args: |
 CADDY_IMAGE=${{ steps.caddy.outputs.image }}
 
- # Step 8: Run Trivy security scan
- - name: 🔍 Run Trivy vulnerability scanner
- if: github.event_name != 'pull_request'
- id: trivy
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
- format: 'sarif'
- output: 'trivy-results.sarif'
- exit-code: '1'
- severity: 'CRITICAL,HIGH'
-
- # Step 9: Upload Trivy results to GitHub Security tab
- - name: 📤 Upload Trivy results to GitHub Security
- uses: github/codeql-action/upload-sarif@v3
- if: github.event_name != 'pull_request' && steps.trivy.outcome == 'success'
- with:
- sarif_file: 'trivy-results.sarif'
-
- # Step 10: Run Trivy with table output for workflow logs
+ # Step 8: Run Trivy scan (table output first for visibility)
 - name: 📋 Run Trivy scan (table output)
- if: github.event_name != 'pull_request' && steps.trivy.outcome == 'success'
+ if: github.event_name != 'pull_request'
+ id: trivy_table
+ continue-on-error: true
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
 format: 'table'
 severity: 'CRITICAL,HIGH'
+ exit-code: '0'
+
+ # Step 9: Run Trivy security scan (SARIF)
+ - name: 🔍 Run Trivy vulnerability scanner
+ if: github.event_name != 'pull_request'
+ id: trivy
+ continue-on-error: true
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ exit-code: '0'
+ severity: 'CRITICAL,HIGH'
+
+ # Step 10: Upload Trivy results to GitHub Security tab
+ - name: 📤 Upload Trivy results to GitHub Security
+ uses: github/codeql-action/upload-sarif@v3
+ if: github.event_name != 'pull_request' && (steps.trivy.outcome == 'success' || steps.trivy.outcome == 'failure')
+ with:
+ sarif_file: 'trivy-results.sarif'
+
+ # Step 11: Fail if vulnerabilities found
+ - name: ❌ Check for vulnerabilities
+ if: github.event_name != 'pull_request' && steps.trivy_table.outcome == 'failure'
+ run: |
+ echo "::error::CRITICAL or HIGH vulnerabilities found in image"
+ exit 1
 
 # Step 11: Create a summary
 - name: 📋 Create summary
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 6a860ec1..0ea65e3a 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
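Review bot: The `Check for vulnerabilities` step can no longer fail the build on findings: it keys on `steps.trivy_table.outcome == 'failure'`, but the table scan now runs with `exit-code: '0'`, so its outcome is `success` whenever Trivy completes regardless of what it finds, and only a scanner error (unpullable image, network) ever reaches `failure`. `steps.<id>.outcome` already reports the step's result before `continue-on-error` is applied, so the gate works as intended if the table step keeps `exit-code: '1'` together with `continue-on-error: true`; the SARIF step can stay at `'0'` so the upload always has a report to send. The same inversion is present in the docker-publish.yml hunk. Two smaller points on the new lines: `aquasecurity/trivy-action@master` is re-added as a floating ref while auto-add-to-project.yml pins its action to a commit SHA, so the scanner that decides pass/fail is itself unpinned, and the `# Step 11:` label is now used twice (`Fail if vulnerabilities found` and the existing `Create a summary`).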
@@ -82,27 +82,37 @@ jobs:
 - name: Image digest
 run: echo ${{ steps.build-and-push.outputs.digest }}
 
- - name: Run Trivy vulnerability scanner
+ - name: Run Trivy scan (table output first for visibility)
 if: github.event_name != 'pull_request'
- id: trivy
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
- format: 'sarif'
- output: 'trivy-results.sarif'
- exit-code: '1'
- severity: 'CRITICAL,HIGH'
-
- - name: Upload Trivy results to GitHub Security
- if: github.event_name != 'pull_request' && steps.trivy.outcome == 'success'
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: 'trivy-results.sarif'
-
- - name: Run Trivy scan (table output)
- if: github.event_name != 'pull_request' && steps.trivy.outcome == 'success'
+ id: trivy_table
+ continue-on-error: true
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
 format: 'table'
 severity: 'CRITICAL,HIGH'
+ exit-code: '0'
+
+ - name: Run Trivy vulnerability scanner
+ if: github.event_name != 'pull_request'
+ id: trivy
+ continue-on-error: true
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ exit-code: '0'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Upload Trivy results to GitHub Security
+ if: github.event_name != 'pull_request' && (steps.trivy.outcome == 'success' || steps.trivy.outcome == 'failure')
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results.sarif'
+
+ - name: Check for vulnerabilities
+ if: github.event_name != 'pull_request' && steps.trivy_table.outcome == 'failure'
+ run: |
+ echo "::error::CRITICAL or HIGH vulnerabilities found in image"
+ exit 1