diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index e3243097d..a5ac537f1 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,6 +1,39 @@
 name: "CodeQL Code Scanning"
 
-on: [push, pull_request, workflow_dispatch]
+on:
+  push:
+    # NOTE: `!` doesn't work with `paths-ignore` :(
+    # So we a catch-all glob instead
+    # https://github.com/orgs/community/discussions/25369#discussioncomment-3247674
+    paths:
+      - "**"
+      - "!.github/**"
+      - ".github/workflows/codeql.yml"
+      - "!flatpak/"
+      - "!nix/"
+      - "!scripts/"
+
+      - "!.git*"
+      - "!.envrc"
+      - "!**.md"
+      - "COPYING.md"
+      - "!renovate.json"
+  pull_request:
+    # See above
+    paths:
+      - "**"
+      - "!.github/**"
+      - ".github/workflows/codeql.yml"
+      - "!flatpak/"
+      - "!nix/"
+      - "!scripts/"
+
+      - "!.git*"
+      - "!.envrc"
+      - "!**.md"
+      - "COPYING.md"
+      - "!renovate.json"
+  workflow_dispatch:
 
 jobs:
   CodeQL:
diff --git a/.github/workflows/flatpak.yml b/.github/workflows/flatpak.yml
index 41cc2a51d..8caba46fa 100644
--- a/.github/workflows/flatpak.yml
+++ b/.github/workflows/flatpak.yml
@@ -2,22 +2,38 @@ name: Flatpak
 
 on:
   push:
-    paths-ignore:
-      - "**.md"
-      - "**/LICENSE"
-      - ".github/ISSUE_TEMPLATE/**"
-      - ".markdownlint**"
-      - "nix/**"
     # We don't do anything with these artifacts on releases. They go to Flathub
     tags-ignore:
       - "*"
+    # NOTE: `!` doesn't work with `paths-ignore` :(
+    # So we a catch-all glob instead
+    # https://github.com/orgs/community/discussions/25369#discussioncomment-3247674
+    paths:
+      - "**"
+      - "!.github/**"
+      - ".github/workflows/flatpak.yml"
+      - "!nix/"
+      - "!scripts/"
+
+      - "!.git*"
+      - "!.envrc"
+      - "!**.md"
+      - "COPYING.md"
+      - "!renovate.json"
   pull_request:
-    paths-ignore:
-      - "**.md"
-      - "**/LICENSE"
-      - ".github/ISSUE_TEMPLATE/**"
-      - ".markdownlint**"
-      - "nix/**"
+    # See above
+    paths:
+      - "**"
+      - "!.github/**"
+      - ".github/workflows/flatpak.yml"
+      - "!nix/"
+      - "!scripts/"
+
+      - "!.git*"
+      - "!.envrc"
+      - "!**.md"
+      - "COPYING.md"
+      - "!renovate.json"
   workflow_dispatch:
 
 permissions:
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
index 816e2a7aa..b968062c9 100644
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -4,28 +4,34 @@ on:
   push:
     tags:
       - "*"
-    paths-ignore:
-      - ".github/**"
-      - "!.github/workflows/nix.yml"
-      - "flatpak/"
-      - "scripts/"
+    # NOTE: `!` doesn't work with `paths-ignore` :(
+    # So we a catch-all glob instead
+    # https://github.com/orgs/community/discussions/25369#discussioncomment-3247674
+    paths:
+      - "**"
+      - "!.github/**"
+      - ".github/workflows/nix.yml"
+      - "!flatpak/"
+      - "!scripts/"
 
-      - ".git*"
-      - ".envrc"
-      - "**.md"
-      - "!COPYING.md"
-      - "renovate.json"
+      - "!.git*"
+      - "!.envrc"
+      - "!**.md"
+      - "COPYING.md"
+      - "!renovate.json"
   pull_request_target:
-    paths-ignore:
-      - ".github/**"
-      - "flatpak/"
-      - "scripts/"
+    paths:
+      - "**"
+      - "!.github/**"
+      - ".github/workflows/nix.yml"
+      - "!flatpak/"
+      - "!scripts/"
 
-      - ".git*"
-      - ".envrc"
-      - "**.md"
-      - "!COPYING.md"
-      - "renovate.json"
+      - "!.git*"
+      - "!.envrc"
+      - "!**.md"
+      - "COPYING.md"
+      - "!renovate.json"
   workflow_dispatch:
 
 permissions:
diff --git a/.github/workflows/trigger_builds.yml b/.github/workflows/trigger_builds.yml
index 9efafc8cc..e4c90ef0b 100644
--- a/.github/workflows/trigger_builds.yml
+++ b/.github/workflows/trigger_builds.yml
@@ -4,21 +4,39 @@ on:
   push:
     branches-ignore:
       - "renovate/**"
-    paths-ignore:
-      - "**.md"
-      - "**/LICENSE"
-      - "flake.lock"
-      - "packages/**"
-      - ".github/ISSUE_TEMPLATE/**"
-      - ".markdownlint**"
+    # NOTE: `!` doesn't work with `paths-ignore` :(
+    # So we a catch-all glob instead
+    # https://github.com/orgs/community/discussions/25369#discussioncomment-3247674
+    paths:
+      - "**"
+      - "!.github/**"
+      - ".github/workflows/build.yml"
+      - ".github/workflows/trigger_builds.yml"
+      - "!flatpak/"
+      - "!nix/"
+      - "!scripts/"
+
+      - "!.git*"
+      - "!.envrc"
+      - "!**.md"
+      - "COPYING.md"
+      - "!renovate.json"
   pull_request:
-    paths-ignore:
-      - "**.md"
-      - "**/LICENSE"
-      - "flake.lock"
-      - "packages/**"
-      - ".github/ISSUE_TEMPLATE/**"
-      - ".markdownlint**"
+    # See above
+    paths:
+      - "**"
+      - "!.github/**"
+      - ".github/workflows/build.yml"
+      - ".github/workflows/trigger_builds.yml"
+      - "!flatpak/"
+      - "!nix/"
+      - "!scripts/"
+
+      - "!.git*"
+      - "!.envrc"
+      - "!**.md"
+      - "COPYING.md"
+      - "!renovate.json"
   workflow_dispatch:
 
 jobs: