🤖 ci(workflows): reduce redundant workflow runs

SamErde · Copilot · SamErde · commit 786225096078 · 2026-04-29T08:11:19.000-04:00
Limit push-triggered lint workflows to main, add manual dispatch where useful, and tighten workflow token permissions.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/GitGuardian.yml b/.github/workflows/GitGuardian.yml
@@ -2,7 +2,12 @@
 ---
 name: GitGuardian
 
-on: [push]
+on:
+  push:
+  workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   scanning:
diff --git a/.github/workflows/MegaLinter.yml b/.github/workflows/MegaLinter.yml
@@ -3,17 +3,18 @@
 ---
 name: MegaLinter
 
-# Trigger mega-linter at every push. Action will also be visible from Pull
-# Requests to main
+# Trigger MegaLinter for pull requests, then re-check the merged result on main.
 on:
-  # Comment this line to trigger action only on pull-requests
-  # (not recommended if you don't pay for GH Actions)
   push:
+    branches:
+      - main
 
   pull_request:
     branches:
       - main
 
+  workflow_dispatch:
+
 concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}
   cancel-in-progress: true
@@ -26,11 +27,8 @@ jobs:
     name: MegaLinter
     runs-on: ubuntu-latest
 
-    # Give the default GITHUB_TOKEN write permission to commit and push, comment
-    # issues & post new PR; remove the ones you do not need
     permissions:
       contents: read
-      issues: read
       pull-requests: read
 
     steps:
@@ -44,11 +42,8 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
-          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
-
-          # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to
-          # improve performance
-          fetch-depth: 0
+          # Pull requests need history for diff linting; main pushes validate all code.
+          fetch-depth: ${{ github.event_name == 'pull_request' && '0' || '1' }}
 
       # MegaLinter
       - name: MegaLinter
diff --git a/.github/workflows/PSScriptAnalyzer.yml b/.github/workflows/PSScriptAnalyzer.yml
@@ -6,10 +6,17 @@ name: PSScriptAnalyzer
 
 on:
   push:
+    branches:
+      - main
+  workflow_dispatch:
 
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build:
     permissions:
