diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml
index 1e3fc133..7d530c60 100644
--- a/.github/workflows/ansible-lint.yml
+++ b/.github/workflows/ansible-lint.yml
@@ -1,7 +1,13 @@
 ---
 name: Ansible Lint  # feel free to pick your own name
 
-on: [push, pull_request]   # yamllint disable-line rule:truthy
+on:  # yamllint disable-line rule:truthy
+  # Run CI against all pushes (direct commits, also merged PRs), Pull Requests
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
 
 jobs:
   ansible-lint:
diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml
index 9a279ad2..bd2e27e2 100644
--- a/.github/workflows/mysql_hardening.yml
+++ b/.github/workflows/mysql_hardening.yml
@@ -1,13 +1,16 @@
 ---
 name: "devsec.mysql_hardening"
+
 on:  # yamllint disable-line rule:truthy
   workflow_dispatch:
   push:
+    branches: [master]
     paths:
       - 'roles/mysql_hardening/**'
       - 'molecule/mysql_hardening/**'
       - '.github/workflows/mysql_hardening.yml'
   pull_request:
+    branches: [master]
     paths:
       - 'roles/mysql_hardening/**'
       - 'molecule/mysql_hardening/**'
diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml
index 5ff6a6f8..98ee6976 100644
--- a/.github/workflows/nginx_hardening.yml
+++ b/.github/workflows/nginx_hardening.yml
@@ -3,11 +3,13 @@ name: "devsec.nginx_hardening"
 on:  # yamllint disable-line rule:truthy
   workflow_dispatch:
   push:
+    branches: [master]
     paths:
       - 'roles/nginx_hardening/**'
       - 'molecule/nginx_hardening/**'
       - '.github/workflows/nginx_hardening.yml'
   pull_request:
+    branches: [master]
     paths:
       - 'roles/nginx_hardening/**'
       - 'molecule/nginx_hardening/**'
diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml
index 13fe561b..75c8db06 100644
--- a/.github/workflows/os_hardening.yml
+++ b/.github/workflows/os_hardening.yml
@@ -3,11 +3,13 @@ name: "devsec.os_hardening"
 on:  # yamllint disable-line rule:truthy
   workflow_dispatch:
   push:
+    branches: [master]
     paths:
       - 'roles/os_hardening/**'
       - 'molecule/os_hardening/**'
       - '.github/workflows/os_hardening.yml'
   pull_request:
+    branches: [master]
     paths:
       - 'roles/os_hardening/**'
       - 'molecule/os_hardening/**'
diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml
index 01de2033..2a663733 100644
--- a/.github/workflows/os_hardening_vm.yml
+++ b/.github/workflows/os_hardening_vm.yml
@@ -3,11 +3,13 @@ name: "devsec.os_hardening VM"
 on:  # yamllint disable-line rule:truthy
   workflow_dispatch:
   push:
+    branches: [master]
     paths:
       - 'roles/os_hardening/**'
       - 'molecule/os_hardening_vm/**'
       - '.github/workflows/os_hardening_vm.yml'
   pull_request:
+    branches: [master]
     paths:
       - 'roles/os_hardening/**'
       - 'molecule/os_hardening_vm/**'
diff --git a/.github/workflows/prettier-md.yml b/.github/workflows/prettier-md.yml
index 188fa57b..cc574581 100644
--- a/.github/workflows/prettier-md.yml
+++ b/.github/workflows/prettier-md.yml
@@ -4,6 +4,7 @@ name: Prettier markdown files
 
 on:  # yamllint disable-line rule:truthy
   push:
+    branches: [master]
     paths:
       - '**.md'
 
diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml
index db3febff..8bce9a8d 100644
--- a/.github/workflows/ssh_hardening.yml
+++ b/.github/workflows/ssh_hardening.yml
@@ -3,11 +3,13 @@ name: "devsec.ssh_hardening"
 on:  # yamllint disable-line rule:truthy
   workflow_dispatch:
   push:
+    branches: [master]
     paths:
       - 'roles/ssh_hardening/**'
       - 'molecule/ssh_hardening/**'
       - '.github/workflows/ssh_hardening.yml'
   pull_request:
+    branches: [master]
     paths:
       - 'roles/ssh_hardening/**'
       - 'molecule/ssh_hardening/**'
diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml
index 4f112971..8681a503 100644
--- a/.github/workflows/ssh_hardening_custom_tests.yml
+++ b/.github/workflows/ssh_hardening_custom_tests.yml
@@ -3,11 +3,13 @@ name: "devsec.ssh_hardening with custom tests"
 on:  # yamllint disable-line rule:truthy
   workflow_dispatch:
   push:
+    branches: [master]
     paths:
       - 'roles/ssh_hardening/**'
       - 'molecule/ssh_hardening_custom_tests/**'
       - '.github/workflows/ssh_hardening_custom_tests.yml'
   pull_request:
+    branches: [master]
     paths:
       - 'roles/ssh_hardening/**'
       - 'molecule/ssh_hardening_custom_tests/**'