diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5f2814cb21f3489342db92d7320446b4c536da3c..fc5f192609239299b6a141208cb3d33a77d941b2 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,4 +1,31 @@
+workflow:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'web'
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+    - if: $CI_PIPELINE_SOURCE == 'parent_pipeline'
+    - if: $CI_COMMIT_TAG
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+
 include:
+  # Runs on dev-profile/main in default branch, when merging to the default
+  # branch, and in "tag pipelines".
+  - project: bob/dev-profile
+    ref: main
+    file: gitlab/python.yml
+    rules:
+      - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      - if: $CI_COMMIT_TAG
+      - if: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH
+  # Runs on dev-profile/develop in other branches (only when manually triggered)
+  # This is useful when trying new dependency pins in dev-profile/develop.
   - project: bob/dev-profile
     ref: develop
     file: gitlab/python.yml
+    rules:
+      - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+        when: never
+      - if: $CI_COMMIT_TAG
+        when: never
+      - if: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH
+        when: never
+      - when: always