diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 8d418d258cbe6a6a4b5392e7c3c1d83fbd70d6c8..b8ba17ff0eeaa5519899cb58bdb3b477c9729131 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -23,9 +23,7 @@ default:
     - 1cpu-4gb # default small, configure more explicitly on specific jobs
   before_script:
     - set -e
-    # env -0 | sort -z | tr '\0' '\n': Sort env output alphabetically, keeping multiline variables intact
-    # egrep: Remove sensitive information from the output of env
-    #- env -0 | sort -z | tr '\0' '\n' | egrep -ve '^(DOCKER_AUTH_CONFIG|GOOGLE_APPLICATION_CREDENTIALS)=.*'
+    # DANGER don't use `set -x` or print the environment via e.g. `env` in pipeline runs, this might leak credentials (has leaked them)
 
 stages:
   - prepare
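Review bot: The warning added under `before_script` is advisory only, and it omits GitLab's debug tracing (`CI_DEBUG_TRACE`), which exposes job variables in the log much as `set -x` does. I would widen the comment to `# DANGER: never use set -x, CI_DEBUG_TRACE or env/printenv in pipeline jobs; the job log would then contain credentials (this has happened before)`. The removed line named DOCKER_AUTH_CONFIG and GOOGLE_APPLICATION_CREDENTIALS, so confirm in the project's CI/CD settings that these are masked or file-type variables where their format allows it. Given the "has leaked them" remark, also confirm that the exposed values were rotated, since the diff cannot show either.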
diff --git a/.gitlab/ci/deploy.yml b/.gitlab/ci/deploy.yml
index cbb5c9e3bf62eaa4862d595439b2b87366f98130..8eaa42a9bb49c1df97e412e6af2ea07487b331c2 100644
--- a/.gitlab/ci/deploy.yml
+++ b/.gitlab/ci/deploy.yml
@@ -82,8 +82,9 @@ deploy:staging:infra:
   environment:
     name: staging
     url: https://staging.moderation.holi.social
-  only:
-    - main
+  rules:
+    - if: $CI_COMMIT_BRANCH == "main"
+      when: on_success
 
 ###
 # PRODUCTION
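Review bot: The new `rules:` on `deploy:staging:infra`, and the identical change on `deploy:production:infra` in the next hunk, gate deployment on the branch name alone. The jobs are therefore only as safe as the protection on `main` and `production`, which this diff does not show. If both are protected branches, the rule can state that explicitly: `- if: $CI_COMMIT_BRANCH == "production" && $CI_COMMIT_REF_PROTECTED == "true"`, and likewise for `main`. `when: on_success` is already the default for a matching rule and can be dropped. Both job definitions start above their hunks, so their scripts and variables were not reviewed.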
@@ -94,5 +95,6 @@ deploy:production:infra:
   environment:
     name: production
     url: https://moderation.holi.social
-  only:
-    - production
\ No newline at end of file
+  rules:
+    - if: $CI_COMMIT_BRANCH == "production"
+      when: on_success
diff --git a/.gitlab/ci/prepare.yml b/.gitlab/ci/prepare.yml
index 74df4b04380d156dd8977bd123f192fa9fc07f3e..b9ee33851e459727693609ec21fc8a9d024491fd 100644
--- a/.gitlab/ci/prepare.yml
+++ b/.gitlab/ci/prepare.yml
@@ -6,8 +6,10 @@ apps:prepare:
     - corepack enable
     - corepack yarn install --immutable
   rules:
-    # Execute step if yarn.lock was changed or cache is missing
-    # Inspired by https://gitlab.com/gitlab-org/gitlab/-/issues/244932#note_1727726890
+    # always run when triggered manually
+    - if: $CI_COMMIT_BRANCH && $CI_PIPELINE_SOURCE == "web"
+      when: on_success
+    # only run on specific file changes when triggered by git push
     - if: $CI_COMMIT_BRANCH
       changes: 
       - yarn.lock
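Review bot: The comment `# always run when triggered manually` on the first rule of `apps:prepare` promises more than the condition delivers. `$CI_PIPELINE_SOURCE == "web"` matches only pipelines started from the GitLab UI, so pipelines started via the API, a trigger token or a schedule fall through to the `changes:` rule. I would reword it to `# always run when the pipeline is started from the GitLab UI ("Run pipeline")`. The commit also drops the "or cache is missing" remark and the link to the upstream issue that explained the technique; keep that link as a comment above the second rule if the rule still relies on it. The `rules:` list continues below the hunk, so the remaining `changes:` entries and any fallback rule are not visible here.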
diff --git a/.terraform-version b/.terraform-version
index 1cac385c6cb864bab53f6846e112f5a93fd17401..ca7176690dd6f501842f3ef4b70bb32118edb489 100644
--- a/.terraform-version
+++ b/.terraform-version
@@ -1 +1 @@
-1.11.0
+1.11.2