diff --git a/.github/workflows/CICD.yml b/.github/workflows/CICD.yml
index 21f6fbbe792..e7d1fa4a403 100644
--- a/.github/workflows/CICD.yml
+++ b/.github/workflows/CICD.yml
@@ -9,13 +9,9 @@ on:
 - '*'
 paths-ignore:
 - '**/*.md'
- - 'public/dist/*.js'
- - 'public/dist/**/*.js'
 pull_request:
 paths-ignore:
 - '**/*.md'
- - 'public/dist/*.js'
- - 'public/dist/**/*.js'
 # Allow manually triggering the workflow.
 workflow_dispatch:
@@ -27,9 +23,53 @@ concurrency:
 cancel-in-progress: ${{ !contains(github.ref, 'master') && !startsWith(github.ref, 'refs/tags/') }} # Only cancel previous runs on non-master/non-tag branches.
 jobs:
+ changes:
+ name: 0️⃣ Detect changed files
+ runs-on: ubuntu-latest
+ outputs:
+ js: ${{ steps.filter.outputs.js }}
+ php: ${{ steps.filter.outputs.php }}
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+ with:
+ egress-policy: audit
+
+ - name: Checkout code
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+ - name: Filter paths
+ uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+ id: filter
+ with:
+ filters: |
+ js:
+ - 'resources/**'
+ - 'package.json'
+ - 'package-lock.json'
+ - 'tsconfig.json'
+ - 'vite.config.ts'
+ - 'vite.embed.config.ts'
+ - 'vite/**'
+ - 'eslint.config.ts'
+ - '.prettierrc.json'
+ php:
+ - '**/*.php'
+ - 'composer.json'
+ - 'composer.lock'
+ - 'phpstan.neon'
+ - 'phpstan-baseline.neon'
+ - 'phpstan/**'
+ - '.php-cs-fixer.php'
+ - 'phpunit.xml'
+ - 'phpunit.ci.xml'
+ - 'phpunit.pgsql.xml'
+
 php_syntax_errors:
 name: 0️⃣ PHP 8.4 - Syntax errors
 runs-on: ubuntu-latest
+ needs: changes
+ if: github.event_name != 'pull_request' || needs.changes.outputs.php == 'true'
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
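Review bot: The `js` and `php` filters in the new `changes` job do not match the workflow files themselves, so a pull request that only edits `.github/workflows/CICD.yml`, `js_check.yml`, or these very filter lists will skip `php_syntax_errors`, `check_js` and everything gated behind them, and the CI change lands unexercised. Add `- '.github/workflows/**'` under both `js:` and `php:` in the `filters:` block. On `pull_request` events `dorny/paths-filter` resolves the changed files through the pull-request API with `github.token`, so if the workflow's top-level `permissions:` (outside this hunk) is restricted to `contents: read`, the `changes` job needs its own `permissions: pull-requests: read` or it will fail and, through `needs: changes`, take the whole run down with it. A one-line comment above `changes:`, `# Gates PR-only jobs on the touched paths; pushes and manual runs always execute everything`, would make the `github.event_name != 'pull_request' ||` escape hatch on the dependent jobs self-explanatory.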
@@ -52,6 +92,8 @@ jobs:
 check_js:
 name: 0️⃣ JS front-end
+ needs: changes
+ if: github.event_name != 'pull_request' || needs.changes.outputs.js == 'true'
 uses: ./.github/workflows/js_check.yml
 code_style_errors:
@@ -149,6 +191,7 @@ jobs:
 docker_check:
 name: 3️⃣ Dockerfile Lint
 runs-on: ubuntu-latest
+ if: always() && (needs.phpstan.result == 'success' || needs.phpstan.result == 'skipped') && (needs.check_js.result == 'success' || needs.check_js.result == 'skipped')
 needs:
 - phpstan
 - check_js
@@ -258,6 +301,7 @@ jobs:
 docker_legacy_check:
 name: 3️⃣ Legacy Dockerfile Lint
 runs-on: ubuntu-latest
+ if: always() && (needs.phpstan.result == 'success' || needs.phpstan.result == 'skipped') && (needs.check_js.result == 'success' || needs.check_js.result == 'skipped')
 needs:
 - phpstan
 - check_js
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 44f5a790f31..a46d059f745 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -50,7 +50,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@08bc0cf022445eacafaa248bf48da20f26b8fd40 # v3.28.6
+ uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -60,7 +60,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@08bc0cf022445eacafaa248bf48da20f26b8fd40 # v3.28.6
+ uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 # ℹ️ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
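Review bot: The `if:` added to `docker_check` (and repeated verbatim on `docker_legacy_check`) uses `always()`, which GitHub documents as the construct that keeps a job running even after the workflow is cancelled; the ANDed `needs.*.result` checks happen to neutralise that here, but `!cancelled()` says what is meant and is the documented alternative: `if: ${{ !cancelled() && (needs.phpstan.result == 'success' || needs.phpstan.result == 'skipped') && (needs.check_js.result == 'success' || needs.check_js.result == 'skipped') }}`. Since the same three-clause expression now lives in two jobs, a comment above each, `# Run when both upstream jobs passed or were skipped by the paths filter; an upstream failure or cancellation skips this job`, would explain why 'skipped' is accepted alongside 'success'. Any other job that `needs:` `phpstan`, `check_js` or `php_syntax_errors` without an equivalent `if:` (none are visible in this diff) will now be silently skipped on pull requests the filter does not match, and a skipped job is, as far as I know, treated as passing for required status checks, so the remaining jobs in CICD.yml are worth auditing for that.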
@@ -73,6 +73,6 @@ jobs:
 # ./location_of_script_within_repo/buildscript.sh
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@08bc0cf022445eacafaa248bf48da20f26b8fd40 # v3.28.6
+ uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 185e98fe5e6..852bf131fe0 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -72,6 +72,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@08bc0cf022445eacafaa248bf48da20f26b8fd40 # v2.16.4
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 sarif_file: results.sarif