docs: update changelog for duplicate-run prevention

.gitea/workflows/push-validation.yml

@@ -3,7 +3,7 @@ name: Push Validation
 on:
   push:
     branches:
-      - "**"
+      - "main"
     tags-ignore:
       - "*"
 

CHANGELOG.md

@@ -31,6 +31,7 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect
 - Gosec compliance updated for intentional command execution paths: `Open()` now documents both `G702` and `G204` suppression rationale, and fixed-`git` helper invocations include explicit `G204` justifications.
 - PR validation badge upload now runs only when `coverage.out` exists, preventing downstream badge artefact failures while still allowing PR decoration to run on failed jobs.
 - PR validation now keys coverage badge upload off the coverage step outcome and performs changelog gate validation in a native workflow step; decorate-pr changelog gating is disabled to bypass the broken internal extractor action.
+- Push validation now triggers only on `main` pushes to avoid duplicate CI runs for branches that already execute PR validation.
 - README badge link target updated to `actions/runs/latest?workflow=...` format per workflow standards.
 - CI security scanning now uses GitHub Marketplace actions (`securego/gosec` and `golang/govulncheck-action`) instead of manual tool installation, improving reliability and caching.
 - CI setup compatibility fix: gosec scanner now references the correct public action source (`securego/gosec`), resolving action clone failures in Gitea runners.