diff --git a/.github/workflows/audit.yaml b/.github/workflows/audit.yaml
index 3cf3230c..28aa6d36 100644
--- a/.github/workflows/audit.yaml
+++ b/.github/workflows/audit.yaml
@@ -55,10 +55,10 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GOPASS_CI_GITHUB_TOKEN }}
       - name: Debug Snyk audit
         run: ~/.venv/bin/c2cciutils-audit --branch=${{ matrix.branch }} || true
-        if: failure()
         env:
           GITHUB_TOKEN: ${{ secrets.GOPASS_CI_GITHUB_TOKEN }}
           DEBUG: '*snyk*'
+        if: failure()
       - name: Check ci/dpkg-versions.yaml file existence
         id: dpkg-versions
         uses: andstor/file-existence-action@v2
@@ -66,6 +66,6 @@ jobs:
           files: ci/dpkg-versions.yaml
       - name: Update dpkg packages versions
         run: ~/.venv/bin/c2cciutils-docker-versions-update --branch=${{ matrix.branch }}
-        if: steps.dpkg-versions.outputs.files_exists == 'true'
         env:
           GITHUB_TOKEN: ${{ secrets.GOPASS_CI_GITHUB_TOKEN }}
+        if: steps.dpkg-versions.outputs.files_exists == 'true'
diff --git a/.github/workflows/changelog.yaml b/.github/workflows/changelog.yaml
index cfd5cc44..3858002b 100644
--- a/.github/workflows/changelog.yaml
+++ b/.github/workflows/changelog.yaml
@@ -21,10 +21,10 @@ jobs:
           if [[ ${{ github.ref_name }} =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
             gh release create ${{ github.ref_name }} --generate-notes || true
           fi
-        if: github.event_name == 'push' && github.ref_type == 'tag'
         env:
           GH_TOKEN: ${{ secrets.GOPASS_CI_GITHUB_TOKEN }}
 
+        if: github.event_name == 'push' && github.ref_type == 'tag'
       - name: Get Date
         id: get-date
         run: echo "date=$(/bin/date -u "+%Y%m%d%H%M%S")" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/delete-old-workflow-run.yaml b/.github/workflows/delete-old-workflow-run.yaml
deleted file mode 100644
index 76f7117a..00000000
--- a/.github/workflows/delete-old-workflow-run.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: Delete old workflow runs
-
-on:
-  schedule:
-    - cron: '0 0 * * *'
-
-env:
-  HAS_SECRETS: ${{ secrets.HAS_SECRETS }}
-
-jobs:
-  build:
-    name: Delete old workflow runs
-    runs-on: ubuntu-22.04
-    timeout-minutes: 25
-
-    steps:
-      - name: Delete old workflow runs
-        uses: MajorScruffy/delete-old-workflow-runs@v0.3.0
-        with:
-          repository: ${{ github.repository }}
-          older-than-seconds: 43200000 # 500 days
-        env:
-          GITHUB_TOKEN: ${{ secrets.GOPASS_CI_GITHUB_TOKEN }}
diff --git a/.github/workflows/delete-old-workflows-run.yaml b/.github/workflows/delete-old-workflows-run.yaml
index ca093a38..c43ef486 100644
--- a/.github/workflows/delete-old-workflows-run.yaml
+++ b/.github/workflows/delete-old-workflows-run.yaml
@@ -9,9 +9,9 @@ env:
 
 jobs:
   build:
+    name: Delete old workflow runs
     runs-on: ubuntu-22.04
     timeout-minutes: 25
-    name: Delete old workflow runs
 
     steps:
       - name: Delete old workflow runs
diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml
index 53847921..b3e991a2 100644
--- a/.github/workflows/pr-checks.yaml
+++ b/.github/workflows/pr-checks.yaml
@@ -5,8 +5,6 @@ on:
     types:
       - opened
       - reopened
-      - labeled
-      - unlabeled
       - edited
       - synchronize
 
diff --git a/.github/workflows/dependency-auto-review.yaml b/.github/workflows/pull-request-automation.yaml
similarity index 52%
rename from .github/workflows/dependency-auto-review.yaml
rename to .github/workflows/pull-request-automation.yaml
index b2ce8a93..d9d9e860 100644
--- a/.github/workflows/dependency-auto-review.yaml
+++ b/.github/workflows/pull-request-automation.yaml
@@ -5,6 +5,10 @@ on:
     types:
       - opened
       - reopened
+      - closed
+  pull_request_target:
+    types:
+      - closed
 
 jobs:
   auto-merge:
@@ -13,7 +17,17 @@ jobs:
     timeout-minutes: 5
 
     steps:
-      - uses: actions/github-script@v7
+      - name: Print event
+        run: echo "${GITHUB}" | jq
+        env:
+          GITHUB: ${{ toJson(github) }}
+      - name: Print context
+        uses: actions/github-script@v7
+        with:
+          script: |-
+            console.log(context);
+      - name: Auto reviews Renovate updates
+        uses: actions/github-script@v7
         with:
           script: |-
             github.rest.pulls.createReview({
@@ -22,11 +36,12 @@ jobs:
               pull_number: context.payload.pull_request.number,
               event: 'APPROVE',
             })
-        name: Auto reviews Renovate updates
-        if: github.event.pull_request.user.login == 'renovate[bot]'
+        if: |-
+          github.event.pull_request.user.login == 'renovate[bot]'
+          && (github.event.action == 'opened'
+            || github.event.action == 'reopened')
       - name: Auto review and merge dpkg updates
         uses: actions/github-script@v7
-        if: github.event.pull_request.user.login == 'c2c-bot-gis-ci' && startsWith(github.head_ref, 'dpkg-update/')
         with:
           script: |-
             github.rest.pulls.createReview({
@@ -49,9 +64,13 @@ jobs:
                 }
               }
             `)
+        if: |-
+          github.event.pull_request.user.login == 'c2c-bot-gis-ci'
+          && startsWith(github.head_ref, 'dpkg-update/')
+          && (github.event.action == 'opened'
+            || github.event.action == 'reopened')
       - name: Auto review and merge snyk auto fix
         uses: actions/github-script@v7
-        if: github.event.pull_request.user.login == 'c2c-bot-gis-ci' && startsWith(github.head_ref, 'snyk-fix/')
         with:
           script: |-
             github.rest.pulls.createReview({
@@ -74,9 +93,38 @@ jobs:
                 }
               }
             `)
+        if: |-
+          github.event.pull_request.user.login == 'c2c-bot-gis-ci'
+          && startsWith(github.head_ref, 'snyk-fix/')
+          && (github.event.action == 'opened'
+            || github.event.action == 'reopened')
+      - name: Restart audit workflow
+        uses: actions/github-script@v7
+        with:
+          script: |-
+            let runs = await github.rest.actions.listWorkflowRuns({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              workflow_id: 'audit.yaml',
+              per_page: 1,
+            });
+            runs = runs.data.workflow_runs;
+            if (runs.length == 1 && runs[0].status != 'success') {
+              console.log(`Rerun workflow ${runs[0].id} ${runs[0].status}`);
+              github.rest.actions.reRunWorkflowFailedJobs({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                run_id: runs[0].id,
+              });
+            }
+        if: |-
+          github.event.pull_request.user.login == 'c2c-bot-gis-ci'
+          && (startsWith(github.head_ref, 'snyk-fix/')
+            || startsWith(github.head_ref, 'dpkg-update/'))
+          && github.event.action == 'closed'
+          && github.event.pull_request.merged == true
       - name: Auto close pre-commit.ci autoupdate
         uses: actions/github-script@v7
-        if: github.event.pull_request.user.login == 'pre-commit-ci'
         with:
           script: |-
             github.rest.pulls.update({
@@ -85,3 +133,7 @@ jobs:
               pull_number: context.payload.pull_request.number,
               state: 'closed',
             });
+        if: |-
+          github.event.pull_request.user.login == 'pre-commit-ci'
+          && (github.event.action == 'opened'
+            || github.event.action == 'reopened')