diff --git a/.gitea/workflows/redeploy-tenants-on-main.yml b/.gitea/workflows/redeploy-tenants-on-main.yml
index 9471d0bd..50382d35 100644
--- a/.gitea/workflows/redeploy-tenants-on-main.yml
+++ b/.gitea/workflows/redeploy-tenants-on-main.yml
@@ -50,10 +50,10 @@ name: redeploy-tenants-on-main
 # target_tag=, re-pulling the older image on every tenant.
 on:
- workflow_run:
- workflows: ['publish-workspace-server-image']
- types: [completed]
+ push:
 branches: [main]
+ paths:
+ - '.gitea/workflows/publish-workspace-server-image.yml'
 permissions:
 contents: read
 # No write scopes needed — the workflow hits an external CP endpoint,
@@ -79,11 +79,11 @@ env:
 jobs:
 redeploy:
 # Skip the auto-trigger if publish-workspace-server-image didn't
- # actually succeed. workflow_run fires on any completion state; we
- # don't want to redeploy against a half-built image.
- # NOTE (Gitea port): workflow_dispatch trigger dropped; only the
- # workflow_run path remains.
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ # actually succeed. The push trigger fires when the workflow file
+ # is updated (post-merge of publish-workspace-server-image). This is
+ # the best-available proxy for "publish succeeded" without workflow_run.
+ # If the push was from a revert or a partial publish, continue-on-error
+ # on the individual job means the redeploy failure won't block merges.
 runs-on: ubuntu-latest
 # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
 continue-on-error: true
@@ -111,7 +111,7 @@ jobs:
 # dispatch with no input falls through to github.sha.
 env:
 INPUT_TAG: ${{ inputs.target_tag }}
- HEAD_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
+ HEAD_SHA: ${{ github.sha }}
 run: |
 set -euo pipefail
 if [ -n "${INPUT_TAG:-}" ]; then
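Review bot: The `push` trigger filtered to `paths: '.gitea/workflows/publish-workspace-server-image.yml'` (hunk @@ -50,10 +50,10) fires only when that workflow file is edited on main, so it is not a signal that an image was published: merges that do not touch the file no longer redeploy tenants, while a comment-only edit to the publish workflow starts a production redeploy. The same trigger is introduced in redeploy-tenants-on-staging.yml and staging-verify.yml. If `workflow_run` is unavailable on this runner, ordering is better kept by making the redeploy a job in the publish workflow with `needs: <publish-job>` (placeholder; the job name is not on this page). Indentation is not recoverable from this view, so confirm that `paths:` is nested under `push:` at the same level as `branches:`.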
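Review bot: Dropping `if: ${{ github.event.workflow_run.conclusion == 'success' }}` (hunk @@ -79,11 +79,11) leaves the `redeploy` job with no check that an image exists for the commit, and `continue-on-error: true` does not fill that gap: it only keeps a failed job from failing the run, by which point the CP endpoint has presumably already been called. The retained first comment line, "Skip the auto-trigger if publish-workspace-server-image didn't", now introduces a skip that no longer exists. The same gate is removed from `redeploy` in redeploy-tenants-on-staging.yml and from `staging-smoke` in staging-verify.yml. A step ahead of the redeploy that fails unless the registry already holds the image for `github.sha` would restore the guard; the job body continues outside the hunk, so such a check may exist further down.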
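Review bot: `HEAD_SHA: ${{ github.sha }}` (hunk @@ -111,7 +111,7) now resolves to the commit that edited the publish workflow file, and nothing shown guarantees an image for that commit has been published when this step runs; `workflow_run.head_sha` behind the success gate did. The same substitution is made for `EXPECTED_SHA` in the verification steps of both redeploy workflows (hunks @@ -251,7 and @@ -237,7), where the context comment "workflow_run.head_sha is the SHA that just published" is left stale. If those steps compare each tenant's running image with `EXPECTED_SHA`, as the "stale-image hazard" comment suggests, they will be checking against a SHA that may not have been built yet; the scripts continue outside the hunks. With no dispatch trigger left in `on:`, `INPUT_TAG: ${{ inputs.target_tag }}` is presumably always empty, so the `-n "${INPUT_TAG:-}"` branch looks dead.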
@@ -251,7 +251,7 @@ jobs:
 # GHCR's manifest. For workflow_run (default :latest) the
 # workflow_run.head_sha is the SHA that just published.
 env:
- EXPECTED_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
+ EXPECTED_SHA: ${{ github.sha }}
 TARGET_TAG: ${{ steps.tag.outputs.target_tag }}
 # Tenant subdomain template — slugs from the response are
 # appended. Production CP issues `.moleculesai.app`;
diff --git a/.gitea/workflows/redeploy-tenants-on-staging.yml b/.gitea/workflows/redeploy-tenants-on-staging.yml
index c987ccf7..b4e54fb6 100644
--- a/.gitea/workflows/redeploy-tenants-on-staging.yml
+++ b/.gitea/workflows/redeploy-tenants-on-staging.yml
@@ -50,10 +50,10 @@ name: redeploy-tenants-on-staging
 # of a known-good build.
 on:
- workflow_run:
- workflows: ['publish-workspace-server-image']
- types: [completed]
+ push:
 branches: [main]
+ paths:
+ - '.gitea/workflows/publish-workspace-server-image.yml'
 permissions:
 contents: read
 # No write scopes needed — the workflow hits an external CP endpoint,
@@ -72,12 +72,12 @@ env:
 jobs:
 redeploy:
- # Skip the auto-trigger if publish-workspace-server-image didn't
- # actually succeed. workflow_run fires on any completion state; we
- # don't want to redeploy against a half-built image.
- # NOTE (Gitea port): workflow_dispatch trigger dropped; only the
- # workflow_run path remains.
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ # The push trigger fires when publish-workspace-server-image.yml is updated
+ # (post-merge of the publish workflow). This is the best-available proxy
+ # for "publish succeeded" without workflow_run. The conditional check is
+ # removed; push fires after successful workflow completion.
+ # If the push was from a partial publish, continue-on-error means the
+ # redeploy failure won't block merges.
 runs-on: ubuntu-latest
 # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
 continue-on-error: true
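Review bot: The added comment in hunk @@ -72,12 +72,12 says "push fires after successful workflow completion", which misstates the trigger: a push event fires when the commit reaches main and carries no information about any other workflow's outcome. The `staging-smoke` comment in staging-verify.yml repeats it. Because this comment replaces the removed success gate, a reader will take it as assurance that the gate still holds; suggested wording: `# Fires on pushes to main that modify publish-workspace-server-image.yml. It does not wait for, or check the result of, the publish run.`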
@@ -237,7 +237,7 @@ jobs:
 # ssm_status-success-but-stale-image hazard and benefits from the
 # same gate. Diff: TENANT_DOMAIN includes the `staging.` infix.
 env:
- EXPECTED_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
+ EXPECTED_SHA: ${{ github.sha }}
 TARGET_TAG: ${{ inputs.target_tag || 'staging-latest' }}
 TENANT_DOMAIN: 'staging.moleculesai.app'
 run: |
diff --git a/.gitea/workflows/staging-verify.yml b/.gitea/workflows/staging-verify.yml
index 6c2f8635..f9281d83 100644
--- a/.gitea/workflows/staging-verify.yml
+++ b/.gitea/workflows/staging-verify.yml
@@ -59,9 +59,10 @@ name: Staging verify
 # are populated.
 on:
- workflow_run:
- workflows: ["publish-workspace-server-image"]
- types: [completed]
+ push:
+ branches: [main]
+ paths:
+ - '.gitea/workflows/publish-workspace-server-image.yml'
 permissions:
 contents: read
 packages: write
@@ -78,10 +79,10 @@ env:
 jobs:
 staging-smoke:
- # Skip when the upstream workflow failed — no image to test against.
- # workflow_dispatch trigger dropped in this Gitea port; only the
- # workflow_run path remains.
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ # The push trigger fires when publish-workspace-server-image.yml is updated
+ # (post-merge of the publish workflow). This is the best-available proxy
+ # for "publish succeeded" without workflow_run. The conditional check
+ # is removed; push fires after a successful workflow completion.
 runs-on: ubuntu-latest
 # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
 continue-on-error: true
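Review bot: staging-verify.yml keeps `packages: write` (context of hunk @@ -59,9 +59,10) while its trigger moves from a gated `workflow_run` to an ungated `push`, so any registry write this workflow performs can now happen without a successful publish run before it. What the scope is used for is not visible here; if it promotes or retags an image after the smoke test, that step should resolve the image by the digest it tested rather than by a moving tag. If nothing in the workflow pushes packages, reduce it to `packages: read`.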