From a0471e24648ef29ef6a3c681eb5b9917ae910258 Mon Sep 17 00:00:00 2001
From: ethernet
Date: Tue, 23 Jun 2026 12:35:17 -0400
Subject: [PATCH] fix(ci): only run supplychain checks in pr

---
 .github/workflows/ci.yml | 6 +++---
 scripts/ci/classify_changes.py | 17 ++++++++++++-----
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cb8e2840a04..3eb59b032a1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,8 +18,8 @@ on:
 
 permissions:
   contents: read
-  pull-requests: write # needed by lint (PR comment) + supply-chain (PR comment)
-  actions: read # needed by osv-scanner (SARIF upload)
+  pull-requests: write # needed by lint (PR comment) + supply-chain (PR comment)
+  actions: read # needed by osv-scanner (SARIF upload)
   security-events: write # needed by osv-scanner (SARIF upload)
 
 concurrency:
@@ -96,7 +96,7 @@ jobs:
 
   supply-chain:
     needs: detect
-    if: needs.detect.outputs.scan == 'true' || needs.detect.outputs.deps == 'true' || needs.detect.outputs.mcp_catalog == 'true'
+    if: needs.detect.outputs.event_name == 'pull_request' && (needs.detect.outputs.scan == 'true' || needs.detect.outputs.deps == 'true' || needs.detect.outputs.mcp_catalog == 'true')
     uses: ./.github/workflows/supply-chain-audit.yml
     with:
       event_name: ${{ needs.detect.outputs.event_name }}
diff --git a/scripts/ci/classify_changes.py b/scripts/ci/classify_changes.py
index c6ce4d5834b..00ed02d6589 100644
--- a/scripts/ci/classify_changes.py
+++ b/scripts/ci/classify_changes.py
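Review bot: The supply-chain job no longer runs on push events after the added `event_name == 'pull_request'` guard on the `if:` line, so if the workflow's `on:` block (outside this hunk) also fires on pushes to the default branch, the osv-scanner SARIF that `security-events: write` is granted for is no longer uploaded from that branch and its code-scanning alerts go stale as dependencies change. A dependency bumped in a direct push, or a merge whose result differs from the PR head that was scanned, is likewise never scanned. If skipping push scans is intended, state it next to the condition so the next reader does not "fix" it back, e.g. `# supply-chain only on pull_request: its output is a PR comment; default-branch SARIF upload is not expected here`. Otherwise keep the scan for pushes and gate only the PR-comment step inside supply-chain-audit.yml on `event_name`.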
@@ -70,11 +70,7 @@ def _is_mcp_catalog(p: str) -> bool:
 def classify(files: list[str]) -> dict[str, bool]:
     """Map changed paths to ``{lane: should_run}``."""
     files = [f.strip() for f in files if f.strip()]
-    if not files or any(f.startswith(".github/") for f in files):
-        return dict.fromkeys(
-            ("python", "docker_meta", "frontend", "site", "scan", "deps", "mcp_catalog"), True
-        )
-    return {
+    ret = {
         "python": any(not _py_irrelevant(f) for f in files),
         "docker_meta": any(f.startswith(_DOCKER_META) for f in files),
         "frontend": any(f.startswith(_FRONTEND) or f in _ROOT_NPM for f in files),
@@ -83,6 +79,17 @@ def classify(files: list[str]) -> dict[str, bool]:
         "deps": any(f == "pyproject.toml" for f in files),
         "mcp_catalog": any(_is_mcp_catalog(f) for f in files),
     }
+    if not files or any(f.startswith(".github/") for f in files):
+        ret["python"] = True
+        ret["docker_meta"] = True
+        ret["frontend"] = True
+        ret["site"] = True
+        ret["scan"] = True
+        ret["deps"] = True
+
+    # explicitly skip mcp catalog here. it's not needed unless those files are modified.
+    return ret
+
 
 
 def main() -> int:
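Review bot: The empty-`files` fallback loses the `mcp_catalog` lane: when the change list is empty (the `if not files` case that used to force every lane on), `any(_is_mcp_catalog(f) for f in files)` is `False`, so the catalog lane is now skipped precisely when nothing is known about what changed, whereas the `.github/` case at least knows the catalog files were not touched. Keep the fail-safe for the empty list and restrict the skip to workflow-only changes by adding `if not files:` / `    return dict.fromkeys(ret, True)` ahead of the existing `if`, and the six assignments can collapse to `ret.update(dict.fromkeys(("python", "docker_meta", "frontend", "site", "scan", "deps"), True))`. The collapsed paste does not preserve indentation; if `return ret` and its comment sit inside the `if` block rather than at function level, `classify()` returns `None` for any change set that does not touch `.github/`, a path this PR itself would not exercise, so worth a quick check. The docstring should also state the override rule, e.g. `"""Map changed paths to ``{lane: should_run}``; an empty list or any .github/ change turns every lane on except mcp_catalog."""`. `classify` starts in the previous hunk and `main()` continues past the end of this one.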