chore: harden secrets baseline CI decision

Signed-off-by: lucarlig <luca.carlig@ibm.com>

Author: lucarlig

.github/workflows/alembic-upgrade-validation.yml

@@ -47,14 +47,8 @@ permissions:
   actions: read
 
 jobs:
-  ci-decision:
-    uses: ./.github/workflows/secret-baseline-ci-decision.yml
-    with:
-      workflow-file: alembic-upgrade-validation.yml
-
   upgrade-validation:
-    needs: ci-decision
-    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     name: SQLite + PostgreSQL Fresh/Upgrade
     runs-on: ubuntu-latest
     timeout-minutes: 50

.github/workflows/dependency-review.yml

@@ -45,20 +45,13 @@ concurrency:
 # Minimal permissions - principle of least privilege
 # -----------------------------------------------------------------
 permissions:
-  actions: read
   contents: read # for actions/checkout
   security-events: write # upload SARIF results
   pull-requests: write # post / overwrite PR comment
 
 jobs:
-  ci-decision:
-    uses: ./.github/workflows/secret-baseline-ci-decision.yml
-    with:
-      workflow-file: dependency-review.yml
-
   dependency-review:
-    needs: ci-decision
-    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     runs-on: ubuntu-slim
     timeout-minutes: 15
 

.github/workflows/docker-multiplatform.yml

@@ -45,22 +45,18 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  actions: read
   contents: read
 
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
-  ci-decision:
-    uses: ./.github/workflows/secret-baseline-ci-decision.yml
-    with:
-      workflow-file: docker-multiplatform.yml
-
+  # ---------------------------------------------------------------
+  # Build each platform in parallel
+  # ---------------------------------------------------------------
   build:
-    needs: ci-decision
-    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     name: Build ${{ matrix.suffix }}
     strategy:
       fail-fast: false

.github/workflows/docker-scan.yml

@@ -39,21 +39,14 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  actions: read
   contents: read
 
 env:
   IMAGE_NAME: mcp-context-forge-scan
 
 jobs:
-  ci-decision:
-    uses: ./.github/workflows/secret-baseline-ci-decision.yml
-    with:
-      workflow-file: docker-scan.yml
-
   container-smoke:
-    needs: ci-decision
-    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     name: Container Smoke (${{ matrix.name }})
     runs-on: ubuntu-latest
     timeout-minutes: 30
@@ -93,8 +86,7 @@ jobs:
   # Build image and generate SBOM
   # ---------------------------------------------------------------
   scan:
-    needs: ci-decision
-    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     name: Security Scan
     runs-on: ubuntu-latest
     timeout-minutes: 30
@@ -160,8 +152,7 @@ jobs:
           retention-days: 30
 
   rust-enabled-build:
-    needs: ci-decision
-    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     name: Rust-enabled container smoke
     runs-on: ubuntu-latest
     timeout-minutes: 60

.github/workflows/helm-publish.yml

@@ -42,19 +42,15 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  actions: read
   contents: read
 
 jobs:
-  ci-decision:
-    uses: ./.github/workflows/secret-baseline-ci-decision.yml
-    with:
-      workflow-file: helm-publish.yml
-
+  # -----------------------------------------------------------------------
+  # Lint – always runs to catch chart issues early
+  # -----------------------------------------------------------------------
   lint:
     name: Lint chart
-    needs: ci-decision
-    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     runs-on: ubuntu-slim
     timeout-minutes: 10
 

.github/workflows/license-check.yml

@@ -21,18 +21,11 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  actions: read
   contents: read
 
 jobs:
-  ci-decision:
-    uses: ./.github/workflows/secret-baseline-ci-decision.yml
-    with:
-      workflow-file: license-check.yml
-
   license-check:
-    needs: ci-decision
-    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     runs-on: ubuntu-latest
     timeout-minutes: 20
     steps:

.github/workflows/lint-web.yml

@@ -25,18 +25,11 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  actions: read
   contents: read
 
 jobs:
-  ci-decision:
-    uses: ./.github/workflows/secret-baseline-ci-decision.yml
-    with:
-      workflow-file: lint-web.yml
-
   lint-web:
-    needs: ci-decision
-    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     strategy:
       fail-fast: false
       matrix:
@@ -146,8 +139,7 @@ jobs:
   # 🐍 Python-based JS Security Scanner (separate job)
   # -------------------------------------------------------
   nodejsscan:
-    needs: ci-decision
-    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     name: nodejsscan
     runs-on: ubuntu-latest
     timeout-minutes: 20

.github/workflows/lint.yml

@@ -24,7 +24,6 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  actions: read
   contents: read
 
 # Keep these pins in lockstep with the *_VERSION variables in the Makefile.
@@ -41,14 +40,11 @@ env:
   TOMLCHECK_VERSION: "0.2.3"
 
 jobs:
-  ci-decision:
-    uses: ./.github/workflows/secret-baseline-ci-decision.yml
-    with:
-      workflow-file: lint.yml
-
+  # ---------------------------------------------------------------
+  # Python linters - run on both mcpgateway/ and plugins/
+  # ---------------------------------------------------------------
   python-lint:
-    needs: ci-decision
-    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     strategy:
       fail-fast: false
       matrix:
@@ -101,8 +97,7 @@ jobs:
   # Repo-wide syntax/format checkers (run once, not per-target)
   # ---------------------------------------------------------------
   syntax-check:
-    needs: ci-decision
-    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     strategy:
       fail-fast: false
       matrix:

.github/workflows/linting-full.yml

@@ -20,18 +20,11 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  actions: read
   contents: read
 
 jobs:
-  ci-decision:
-    uses: ./.github/workflows/secret-baseline-ci-decision.yml
-    with:
-      workflow-file: linting-full.yml
-
   linting-full:
-    needs: ci-decision
-    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     name: linting-full
     runs-on: ubuntu-slim
     timeout-minutes: 30

.github/workflows/playwright.yml

@@ -12,22 +12,15 @@ on:
   workflow_dispatch:
 
 permissions:
-  actions: read
   contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
-  ci-decision:
-    uses: ./.github/workflows/secret-baseline-ci-decision.yml
-    with:
-      workflow-file: playwright.yml
-
   playwright-ci-smoke:
-    needs: ci-decision
-    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     name: playwright-ci-smoke
     runs-on: ubuntu-24.04
     timeout-minutes: 40