diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9a4edbf..3e9240c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -162,17 +162,41 @@ jobs:
 echo "CHANGELOG.md is up to date."
 fi
+ forbid-artifacts:
+ name: Forbid artifacts
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Fail if forbidden paths are tracked
+ run: |
+ set -euo pipefail
+ if git ls-files | grep -qE '(\.ssh/|\.db($|-)|.*\.sqlite|.*\.log$)'; then
+ echo "ERROR: forbidden files are tracked:"
+ git ls-files | grep -E '(\.ssh/|\.db($|-)|.*\.sqlite|.*\.log$)' || true
+ exit 1
+ fi
+ - name: Fail if history contains forbidden blobs
+ run: |
+ set -euo pipefail
+ if git rev-list --objects --all | grep -qE '(\.ssh/|.*\.db($|-)|.*\.sqlite|.*\.log$)'; then
+ echo "ERROR: forbidden artifacts exist in history:"
+ git rev-list --objects --all | grep -E '(\.ssh/|.*\.db($|-)|.*\.sqlite|.*\.log$)' || true
+ exit 1
+ fi
 gate:
 name: CI Gate
 runs-on: ubuntu-latest
- needs: [test, lint, package]
+ needs: [test, lint, package, forbid-artifacts]
 if: always()
 steps:
 - name: All required checks passed
 run: |
- if [[ "${{ needs.test.result }}" != "success" ]] ||
- [[ "${{ needs.lint.result }}" != "success" ]] ||
- [[ "${{ needs.package.result }}" != "success" ]]; then
+ if [[ "${{ needs.test.result }}" != "success" ]] ||
+ [[ "${{ needs.lint.result }}" != "success" ]] ||
+ [[ "${{ needs.package.result }}" != "success" ]] ||
+ [[ "${{ needs.forbid-artifacts.result }}" != "success" ]]; then
 echo "::error::One or more required checks failed — merge blocked."
 exit 1
 fi
diff --git a/.github/workflows/repo-safety.yml b/.github/workflows/repo-safety.yml
deleted file mode 100644
index e0370a4..0000000
--- a/.github/workflows/repo-safety.yml
+++ /dev/null
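Review bot: Both `run:` blocks of the new `forbid-artifacts` job can pass silently on a hit, because `set -euo pipefail` combined with `grep -qE` lets grep exit on the first match and close the pipe; if the producer (`git ls-files`, or far more likely `git rev-list --objects --all` on a long history) is still writing, it is killed by SIGPIPE and pipefail turns the `if` condition false, so the offending path is never reported. Capturing the matches into a variable (grep without `-q` reads all its input) and testing that avoids the race, and it also lets the pattern live in one place instead of four copies, which have already drifted (`\.db($|-)` in the tracked-files step versus `.*\.db($|-)` in the history step). The unanchored `.*\.sqlite` also matches any path merely containing `.sqlite`; if the intent is only to catch `.sqlite3`-style suffixes, say so in a comment, otherwise anchor it with `$` like the `\.log$` alternative. The history step should get the same rewrite with `git rev-list --objects --all` as the producer.
```yaml
      - name: Fail if forbidden paths are tracked
        run: |
          set -euo pipefail
          pattern='(\.ssh/|\.db($|-)|.*\.sqlite|.*\.log$)'
          # grep reads all input here, so git never sees SIGPIPE under pipefail
          matches="$(git ls-files | grep -E "$pattern" || true)"
          if [[ -n "$matches" ]]; then
            echo "ERROR: forbidden files are tracked:"
            printf '%s\n' "$matches"
            exit 1
          fi
      # … unchanged: history step, same shape with `git rev-list --objects --all` …
```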
@@ -1,32 +0,0 @@
-name: repo-safety
-on:
- push:
- pull_request:
-
-jobs:
- forbid-artifacts:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Fail if forbidden paths are tracked
- run: |
- set -euo pipefail
- echo "Checking tracked files..."
- if git ls-files | egrep -q '(^\.ssh/|\.db($|-)|\.sqlite|\.log$)'; then
- echo "ERROR: forbidden files are tracked:"
- git ls-files | egrep '(^\.ssh/|\.db($|-)|\.sqlite|\.log$)' || true
- exit 1
- fi
- - name: Fail if history contains forbidden blobs
- run: |
- set -euo pipefail
- echo "Checking full history objects..."
- if git rev-list --objects --all | egrep -q '(^|/)(\.ssh/|.*\.db($|-)|.*\.sqlite|.*\.log$)'; then
- echo "ERROR: forbidden artifacts exist in history:"
- git rev-list --objects --all | egrep '(^|/)(\.ssh/|.*\.db($|-)|.*\.sqlite|.*\.log$)' || true
- exit 1
- fi