diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index e8f0b0e26a811d91d0031d77bb3584978587211e..51fe917b92606a8add4f9f31ebc5a48196ee8389 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,9 +1,7 @@
 default:
   before_script:
     - set -e
-    # env -0 | sort -z | tr '\0' '\n': Sort env output alphabetically, keeping multiline variables intact
-    # egrep: Remove sensitive information from the output of env
-    #- env -0 | sort -z | tr '\0' '\n' | egrep -ve '^(DOCKER_AUTH_CONFIG|GOOGLE_APPLICATION_CREDENTIALS)=.*'
+    # DANGER don't use `set -x` or print the environment via e.g. `env` in pipeline runs, this might leak credentials (has leaked them)
   interruptible: true
   tags:
     - 1cpu-4gb # build on smaller machine
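Review bot: The warning added under `default.before_script` is only a comment, so nothing enforces it: any job that defines its own `before_script` or `script` can still print the environment, and GitLab debug logging (`CI_DEBUG_TRACE`) exposes variables in the job log in the same way. Because the comment states that credentials have already leaked, it is worth confirming outside this diff that the affected secrets were rotated and that secret CI/CD variables are marked masked, and protected where the jobs allow it. The comment would read more clearly split in two, for example `# DANGER: never use set -x or print the environment (e.g. env) in pipeline jobs.` followed by `# Job logs have leaked credentials this way before.` The `default:` block may continue past the end of this hunk.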
@@ -156,14 +154,16 @@ staging_deploy:
     url: https://staging.geo.apis.holi.social
   variables:
     ENVIRONMENT_ID: staging
-  only:
-    - main
+  rules:
+    - if: $CI_COMMIT_BRANCH == "main"
+      when: on_success
 
 staging_smoketest:
   extends: .smoketest
   needs: ['staging_deploy']
-  only:
-    - main
+  rules:
+    - if: $CI_COMMIT_BRANCH == "main"
+      when: on_success
   resource_group: unified-api-staging
 
 staging_trigger_unified-api_redeployment:
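Review bot: `staging_smoketest` now sets `rules:` while still using `extends: .smoketest`, and `.smoketest` is not visible in this diff. If that template (or any template the deploy and trigger jobs extend) still carries `only:` or `except:`, the merged job would contain both keyword families and GitLab would reject the pipeline configuration, so the templates should be checked. The same applies to `production_smoketest` in the later hunk. As a style point, `when: on_success` is the default for a matching rule, so each of the six added rules can be reduced to the single line `- if: $CI_COMMIT_BRANCH == "main"` (or `"production"`), or defined once in a hidden job and reused.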
@@ -174,8 +174,9 @@ staging_trigger_unified-api_redeployment:
     forward:
       yaml_variables: false
       pipeline_variables: false
-  only:
-    - main
+  rules:
+    - if: $CI_COMMIT_BRANCH == "main"
+      when: on_success
 
 ## production environment
 
@@ -189,14 +190,16 @@ production_deploy:
     url: https://production.geo.apis.holi.social
   variables:
     ENVIRONMENT_ID: production
-  only:
-    - production
+  rules:
+    - if: $CI_COMMIT_BRANCH == "production"
+      when: on_success
 
 production_smoketest:
   extends: .smoketest
   needs: ['production_deploy']
-  only:
-    - production
+  rules:
+    - if: $CI_COMMIT_BRANCH == "production"
+      when: on_success
 
 production_trigger_unified-api_redeployment:
   needs: ['production_smoketest']
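Review bot: The new rule on `production_deploy` gates the production deployment on the branch name alone, so it is only as strong as the protection configured on the `production` branch, which this diff does not show. Making that assumption explicit in the rule lets the job refuse to run if the branch ever loses its protected status: `- if: $CI_COMMIT_BRANCH == "production" && $CI_COMMIT_REF_PROTECTED == "true"`. The same condition would fit `production_smoketest` here and `production_trigger_unified-api_redeployment` in the next hunk. `production_deploy` starts above this hunk, so any `extends:` or environment settings it carries are not visible here.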
@@ -206,6 +209,7 @@ production_trigger_unified-api_redeployment:
     forward:
       yaml_variables: false
       pipeline_variables: false
-  only:
-    - production
+  rules:
+    - if: $CI_COMMIT_BRANCH == "production"
+      when: on_success
   resource_group: unified-api-production
diff --git a/terraform/common/init.tf b/terraform/common/init.tf
index b21be3d206689718aa4b7ebb20554072e0e7a3d0..9aab59c8cdf1cec0f02450fc6d69afb14d0e4338 100644
--- a/terraform/common/init.tf
+++ b/terraform/common/init.tf
@@ -4,11 +4,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "6.24.0"
+      version = "6.25.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "6.24.0"
+      version = "6.25.0"
     }
   }
   backend "gcs" {
diff --git a/terraform/environments/init.tf b/terraform/environments/init.tf
index 25abafa265671f10fd6add3766574c6ec6875f7a..1b4ff4b2951675636092432857329cd4651f553e 100644
--- a/terraform/environments/init.tf
+++ b/terraform/environments/init.tf
@@ -4,11 +4,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "6.24.0"
+      version = "6.25.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "6.24.0"
+      version = "6.25.0"
     }
   }
   backend "gcs" {