PYTHON-5047 Clean up workflow triggers

.github/workflows/codeql-actions.yml

@@ -7,12 +7,14 @@ on:
   pull_request:
     paths:
       - .github/workflows/*.yml
+  workflow_dispatch:
   schedule:
     - cron: '17 10 * * 2'
 
 jobs:
   analyze-python:
     name: Analyze GitHub Actions
+    if: github.repository_owner == 'mongodb' || github.event_name == 'workflow_dispatch'
     runs-on: "ubuntu-latest"
     timeout-minutes: 360
     permissions:

.github/workflows/codeql-python.yml

@@ -11,6 +11,7 @@ on:
       - .github/workflows/*python.yml
   schedule:
     - cron: '17 10 * * 2'
+  workflow_dispatch:
   workflow_call:
     inputs:
       ref:
@@ -20,6 +21,7 @@ on:
 jobs:
   analyze-python:
     name: Analyze Python
+    if: github.repository_owner == 'mongodb' || (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call')
     runs-on: "macos-latest"
     timeout-minutes: 360
     permissions:

.github/workflows/dist-python.yml

@@ -15,9 +15,6 @@
   workflow_dispatch:
   workflow_call:
     inputs:
-      force:
-        required: true
-        type: boolean
       ref:
         required: true
         type: string
@@ -33,41 +30,41 @@
 
 jobs:
   build_dist:
-    if: github.repository_owner == 'mongodb' || inputs.force == true
+    if: github.repository_owner == 'mongodb' || (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call')
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
       fail-fast: false
 
     steps:  
       - name: Checkout libmongocrypt
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
           ref: ${{ inputs.ref }}
           persist-credentials: false
 
       - uses: actions/setup-python@v5
         with:
           python-version: 3.8
           cache: 'pip'
           cache-dependency-path: 'bindings/python/pyproject.toml'
           allow-prereleases: true
 
       - name: Build and test dist files
         run: |
           export LIBMONGOCRYPT_VERSION=$(cat ./libmongocrypt-version.txt)
           git fetch origin $LIBMONGOCRYPT_VERSION
           bash ./release.sh
 
       - uses: actions/upload-artifact@v4
         with:
           name: dist-${{ matrix.os }}
           path: ./bindings/python/dist/*.*
           if-no-files-found: error
 
   collect_dist:
     runs-on: ubuntu-latest
     needs: [build_dist]
     name: Collect dist files

.github/workflows/release-python.yml

@@ -35,6 +35,7 @@ defaults:
 jobs:
   pre-publish:
     environment: release-python
+    if: github.repository_owner == 'mongodb' || github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -65,7 +66,6 @@ jobs:
     needs: [pre-publish]
     uses: ./.github/workflows/dist-python.yml
     with:
-      force: true
       ref: ${{ needs.pre-publish.outputs.version }}
 
   static-scan:

.github/workflows/zizmor.yml

@@ -9,6 +9,7 @@ on:
 jobs:
   zizmor:
     name: zizmor latest via Cargo
+    if: github.repository_owner == 'mongodb'
     runs-on: ubuntu-latest
     permissions:
       security-events: write