diff --git a/.gitea/workflows/publish-runtime-autobump.yml b/.gitea/workflows/publish-runtime-autobump.yml
index f7ed5350..abb6b361 100644
--- a/.gitea/workflows/publish-runtime-autobump.yml
+++ b/.gitea/workflows/publish-runtime-autobump.yml
@@ -23,6 +23,13 @@ name: publish-runtime-autobump
 # and try to tag 0.1.130 simultaneously, only one of which would land.
 
 on:
+  # Run on PR pushes to validate the change (posts a success/failure status
+  # so Gitea can merge the PR). On a workspace-only edit PR the job exits
+  # early with "nothing to bump" — still posts success, which unblocks merge.
+  pull_request:
+    paths:
+      - "workspace/**"
+  # Bump-and-tag on main/staging push (the actual operational trigger).
   push:
     branches:
       - main
@@ -40,6 +47,17 @@ concurrency:
 jobs:
   autobump-and-tag:
     runs-on: ubuntu-latest
+    # continue-on-error: true — this job posts a commit status on every
+    # push to main/staging that touches workspace/. A non-zero exit from
+    # the PyPI lookup, DISPATCH_TOKEN check, or tag-push git command means
+    # "nothing to publish" or "platform infra is degraded" — NOT "the pushed
+    # code is broken." Without this flag, a missing DISPATCH_TOKEN or a
+    # pre-existing tag collision flips main's combined status to failure,
+    # trips the main-red-watchdog, and generates false-positive issues
+    # (#494, #504). The fail-loud path (required: true, no continue-on-error)
+    # is the publish-runtime.yml step — that one tests whether the runtime
+    # package actually builds and uploads; this one only tags.
+    continue-on-error: true
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -82,6 +100,11 @@ jobs:
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Push runtime-v$VERSION tag
+        # Only push tags on trunk pushes (main/staging), not on PR push events.
+        # github.event.pull_request.base.ref is empty for push: events but set
+        # for pull_request: events. Guarding here prevents a PR branch from
+        # accidentally bumping the version and triggering publish-runtime.yml.
+        if: github.event.pull_request.base.ref == ''
         env:
           DISPATCH_TOKEN: ${{ secrets.DISPATCH_TOKEN }}
           VERSION: ${{ steps.bump.outputs.version }}