diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 9f18ce63..39ec8223 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -262,18 +262,21 @@ lint_format_bandit_checks:
 # so important to scan that kind of install in CI.
 # https://docs.safetycli.com/safety-docs/installation/gitlab
 safety:
- only:
- changes:
- - .gitlab-ci.yml
- - .safety-policy.yml
- - pyproject.toml
- - setup.py
 image: debian:bookworm-slim
+ rules:
+ # once only:/changes: are ported to rules:, this could be removed:
+ - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+ when: never
+ - if: $CI_PIPELINE_SOURCE == "push" && $SAFETY_API_KEY
+ changes:
+ - .gitlab-ci.yml
+ - .safety-policy.yml
+ - pyproject.toml
+ - setup.py
 <<: *apt-template
 variables:
 LANG: C.UTF-8
 script:
- - test -n "$SAFETY_API_KEY" || exit 0
 - apt-get install fdroidserver python3-biplist
diff --git a/.safety-policy.yml b/.safety-policy.yml
index cba25ff0..ea44e7e6 100644
--- a/.safety-policy.yml
+++ b/.safety-policy.yml
@@ -39,7 +39,7 @@ report:
 reason: We get these packages from Debian, zipp is not used in production, and its only a DoS.
 expires: '2026-08-31'
 72236:
- reason: setuptools comes from Debian
+ reason: setuptools is not used in production to download or install packages, they come from Debian.
 expires: '2026-08-31'
 fail-scan-with-exit-code:
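Review bot: The new `rules:` only admit the safety job when `$CI_PIPELINE_SOURCE == "push"` and one of the listed files changed, so a dependency advisory published after pyproject.toml or setup.py last moved is never scanned unless something else touches those files; the removed `only:/changes:` form at least ran on non-push pipelines such as schedules, where `changes:` evaluates true. If the project runs scheduled pipelines, add a third rule, `- if: $CI_PIPELINE_SOURCE == "schedule" && $SAFETY_API_KEY`, so the scan also happens on a timer. Dropping `test -n "$SAFETY_API_KEY" || exit 0` also changes the failure mode: with the key unset the job is now absent from the pipeline rather than present and skipped, so a misnamed or unprotected variable is harder to notice in the pipeline view; a comment on the `rules:` block saying that the job disappears without the key would help. The `safety:` job's `script:` continues past the end of the hunk.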
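Review bot: The reworded reason for ignore `72236` now rests on setuptools not being used to download or install packages, but the entry still records nothing a maintainer can re-check when `expires: '2026-08-31'` is reached. Since the policy expects the exception to be revisited, the line would be more useful as `reason: setuptools is not used in production to download or install packages; they come from Debian (verified against [placeholder: Debian package version or advisory reference]).`, which also fixes the comma splice. The `report:` mapping that holds this entry starts before the hunk.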