Prevent CI from running publish-release for non-code changes

.github/workflows/on-push-master.yml

@@ -5,13 +5,11 @@ name: On push to master branch
 on:
   push:
     branches: [master]
+    paths-ignore:
+      - ".github/**"
+      - "*.md"
 
 jobs:
-  harden-ci-security:
-    uses: ./.github/workflows/harden-ci-security.yml
-    with:
-      ref: ${{ github.event.ref }}
-
   run-tests:
     uses: ./.github/workflows/run-tests.yml
     with:

.github/workflows/on-push-other-branch.yml

@@ -5,13 +5,11 @@ name: On push to a secondary branch
 on:
   push:
     branches-ignore: [master]
+    paths-ignore:
+      - ".github/**"
+      - "*.md"
 
 jobs:
-  harden-ci-security:
-    uses: ./.github/workflows/harden-ci-security.yml
-    with:
-      ref: ${{ github.event.ref }}
-
   run-tests:
     uses: ./.github/workflows/run-tests.yml
     with:

.github/workflows/on-update-dot-github.yml

@@ -0,0 +1,14 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: On changes to .github
+
+on:
+  push:
+    paths-ignore:
+      - "./.github/**"
+
+jobs:
+  harden-ci-security:
+    uses: ./.github/workflows/harden-ci-security.yml
+    with:
+      ref: ${{ github.event.ref }}