diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index e3243097d..a5ac537f1 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,6 +1,39 @@
 name: "CodeQL Code Scanning"
 
-on: [push, pull_request, workflow_dispatch]
+on:
+  push:
+    # NOTE: `!` doesn't work with `paths-ignore` :(
+    # So we a catch-all glob instead
+    # https://github.com/orgs/community/discussions/25369#discussioncomment-3247674
+    paths:
+      - "**"
+      - "!.github/**"
+      - ".github/workflows/codeql.yml"
+      - "!flatpak/"
+      - "!nix/"
+      - "!scripts/"
+
+      - "!.git*"
+      - "!.envrc"
+      - "!**.md"
+      - "COPYING.md"
+      - "!renovate.json"
+  pull_request:
+    # See above
+    paths:
+      - "**"
+      - "!.github/**"
+      - ".github/workflows/codeql.yml"
+      - "!flatpak/"
+      - "!nix/"
+      - "!scripts/"
+
+      - "!.git*"
+      - "!.envrc"
+      - "!**.md"
+      - "COPYING.md"
+      - "!renovate.json"
+  workflow_dispatch:
 
 jobs:
   CodeQL:
diff --git a/.github/workflows/trigger_builds.yml b/.github/workflows/trigger_builds.yml
index 9efafc8cc..e4c90ef0b 100644
--- a/.github/workflows/trigger_builds.yml
+++ b/.github/workflows/trigger_builds.yml
@@ -4,21 +4,39 @@ on:
   push:
     branches-ignore:
       - "renovate/**"
-    paths-ignore:
-      - "**.md"
-      - "**/LICENSE"
-      - "flake.lock"
-      - "packages/**"
-      - ".github/ISSUE_TEMPLATE/**"
-      - ".markdownlint**"
+    # NOTE: `!` doesn't work with `paths-ignore` :(
+    # So we a catch-all glob instead
+    # https://github.com/orgs/community/discussions/25369#discussioncomment-3247674
+    paths:
+      - "**"
+      - "!.github/**"
+      - ".github/workflows/build.yml"
+      - ".github/workflows/trigger_builds.yml"
+      - "!flatpak/"
+      - "!nix/"
+      - "!scripts/"
+
+      - "!.git*"
+      - "!.envrc"
+      - "!**.md"
+      - "COPYING.md"
+      - "!renovate.json"
   pull_request:
-    paths-ignore:
-      - "**.md"
-      - "**/LICENSE"
-      - "flake.lock"
-      - "packages/**"
-      - ".github/ISSUE_TEMPLATE/**"
-      - ".markdownlint**"
+    # See above
+    paths:
+      - "**"
+      - "!.github/**"
+      - ".github/workflows/build.yml"
+      - ".github/workflows/trigger_builds.yml"
+      - "!flatpak/"
+      - "!nix/"
+      - "!scripts/"
+
+      - "!.git*"
+      - "!.envrc"
+      - "!**.md"
+      - "COPYING.md"
+      - "!renovate.json"
   workflow_dispatch:
 
 jobs: