fix: make gates transparent about fork PR skip behavior

- Remove `if: always()` from integration-gate, coverage-gate, codecov-gate, pipeline-gate
- Gates now naturally skip when their upstream dependencies are skipped (fork PR behavior)
- Prevents confusing "complete" status when nothing actually ran
- Fork PRs will show "skipped" in UI instead of obscuring behavior behind gate success
- Aligns with GitHub Actions standard job dependency semantics

.github/workflows/auto-add-to-project.yml

@@ -3,8 +3,6 @@ name: Auto-add issues and PRs to Project
 on:
   issues:
     types: [opened, reopened]
-  pull_request:
-    types: [opened, reopened]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.issue.number || github.event.pull_request.number }}

.github/workflows/cerberus-integration.yml

@@ -3,11 +3,6 @@ name: Cerberus Integration
 # Phase 2-3: Build Once, Test Many - Use registry image instead of building
 # This workflow now waits for docker-build.yml to complete and pulls the built image
 on:
-  workflow_run:
-    workflows:
-      - Docker Build, Publish & Test
-    types:
-      - completed
   workflow_dispatch:
     inputs:
       image_tag:

.github/workflows/ci-pipeline.yml

@@ -410,7 +410,6 @@ jobs:
       - integration-crowdsec
       - integration-waf
       - integration-ratelimit
-    if: always()
     steps:
       - name: Evaluate integration results
         run: |
@@ -529,7 +528,6 @@ jobs:
       - coverage-backend
       - coverage-frontend
       - e2e
-    if: always()
     steps:
       - name: Evaluate coverage results
         run: |
@@ -609,7 +607,6 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - codecov-upload
-    if: always()
     steps:
       - name: Evaluate Codecov upload results
         run: |
@@ -751,7 +748,6 @@ jobs:
       - security-codeql
       - security-trivy
       - security-supply-chain
-    if: always()
     steps:
       - name: Evaluate pipeline results
         run: |

.github/workflows/crowdsec-integration.yml

@@ -3,9 +3,6 @@ name: CrowdSec Integration
 # Phase 2-3: Build Once, Test Many - Use registry image instead of building
 # This workflow now waits for docker-build.yml to complete and pulls the built image
 on:
-  workflow_run:
-    workflows: ["Docker Build, Publish & Test"]
-    types: [completed]
   workflow_dispatch:
     inputs:
       image_tag:

.github/workflows/docker-build.yml

@@ -22,8 +22,6 @@ name: Docker Build, Publish & Test
 
 on:
   workflow_dispatch:
-  pull_request:
-  push:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}

.github/workflows/gh_cache_cleanup.yml

@@ -1,8 +1,11 @@
 name: Cleanup github runner caches on closed pull requests
 on:
-  pull_request:
-    types:
-      - closed
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: 'PR number to clean caches for'
+        required: true
+        type: string
 
 jobs:
   cleanup:
@@ -25,4 +28,4 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
           GH_REPO: ${{ github.repository }}
-          BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge
+          BRANCH: refs/pull/${{ inputs.pr_number }}/merge

.github/workflows/pr-checklist.yml

@@ -1,11 +1,15 @@
 name: PR Checklist Validation (History Rewrite)
 
 on:
-  pull_request:
-    types: [opened, edited, synchronize]
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: 'PR number to validate'
+        required: true
+        type: string
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: ${{ github.workflow }}-${{ inputs.pr_number || github.event.pull_request.number }}
   cancel-in-progress: true
 
 jobs:
@@ -18,11 +22,17 @@ jobs:
 
       - name: Validate PR checklist (only for history-rewrite changes)
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        env:
+          PR_NUMBER: ${{ inputs.pr_number }}
         with:
           script: |
             const owner = context.repo.owner;
             const repo = context.repo.repo;
-            const prNumber = context.issue.number;
+            const prNumber = Number(process.env.PR_NUMBER || context.issue.number);
+            if (!prNumber) {
+              core.setFailed('Missing PR number input for workflow_dispatch.');
+              return;
+            }
             const pr = await github.rest.pulls.get({owner, repo, pull_number: prNumber});
             const body = (pr.data && pr.data.body) || '';
 

.github/workflows/rate-limit-integration.yml

@@ -3,9 +3,6 @@ name: Rate Limit integration
 # Phase 2-3: Build Once, Test Many - Use registry image instead of building
 # This workflow now waits for docker-build.yml to complete and pulls the built image
 on:
-  workflow_run:
-    workflows: ["Docker Build, Publish & Test"]
-    types: [completed]
   workflow_dispatch:
     inputs:
       image_tag:

.github/workflows/renovate_prune.yml

@@ -4,8 +4,6 @@ on:
   workflow_dispatch:
   schedule:
     - cron: '0 3 * * *'   # daily at 03:00 UTC
-  pull_request:
-    types: [closed]      # also run when any PR is closed (makes pruning near-real-time)
 
 permissions:
   contents: write       # required to delete branch refs

.github/workflows/security-pr.yml

@@ -10,11 +10,6 @@ on:
         description: 'PR number to scan (optional)'
         required: false
         type: string
-  workflow_run:
-    workflows:
-      - Docker Build, Publish & Test
-    types:
-      - completed
 
 concurrency:
   group: security-pr-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}

.github/workflows/supply-chain-pr.yml

@@ -9,11 +9,6 @@ on:
         description: "PR number to verify (optional, will auto-detect from workflow_run)"
         required: false
         type: string
-  workflow_run:
-    workflows:
-      - Docker Build, Publish & Test
-    types:
-      - completed
 
 concurrency:
   group: supply-chain-pr-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}

.github/workflows/waf-integration.yml

@@ -3,9 +3,6 @@ name: WAF integration
 # Phase 2-3: Build Once, Test Many - Use registry image instead of building
 # This workflow now waits for docker-build.yml to complete and pulls the built image
 on:
-  workflow_run:
-    workflows: ["Docker Build, Publish & Test"]
-    types: [completed]
   workflow_dispatch:
     inputs:
       image_tag: