diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 17418c0079..1133d2dbbd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -120,7 +120,7 @@ jobs:
 
   # Build dist once for Node-relevant changes and share it with downstream jobs.
   build-artifacts:
-    needs: [docs-scope, changed-scope]
+    needs: [docs-scope, changed-scope, code-size]
     if: needs.docs-scope.outputs.docs_only != 'true' && (github.event_name == 'push' || needs.changed-scope.outputs.run_node == 'true')
     runs-on: blacksmith-4vcpu-ubuntu-2404
     steps:
@@ -184,7 +184,7 @@ jobs:
           retention-days: 1
 
   install-check:
-    needs: [docs-scope, changed-scope]
+    needs: [docs-scope, changed-scope, code-size]
     if: needs.docs-scope.outputs.docs_only != 'true' && (github.event_name == 'push' || needs.changed-scope.outputs.run_node == 'true')
     runs-on: blacksmith-4vcpu-ubuntu-2404
     steps:
@@ -238,7 +238,7 @@ jobs:
           pnpm install --frozen-lockfile --ignore-scripts=false --config.engine-strict=false --config.enable-pre-post-scripts=true
 
   checks:
-    needs: [docs-scope, changed-scope]
+    needs: [docs-scope, changed-scope, code-size]
     if: needs.docs-scope.outputs.docs_only != 'true' && (github.event_name == 'push' || needs.changed-scope.outputs.run_node == 'true')
     runs-on: blacksmith-4vcpu-ubuntu-2404
     strategy:
@@ -387,29 +387,35 @@ jobs:
         run: ${{ matrix.command }}
 
   # Check for files that grew past LOC threshold in this PR (delta-only).
+  # On push events, all steps are skipped and the job passes (no-op).
+  # Heavy downstream jobs depend on this to fail fast on violations.
   code-size:
-    if: github.event_name == 'pull_request'
     runs-on: blacksmith-4vcpu-ubuntu-2404
     steps:
       - name: Checkout
+        if: github.event_name == 'pull_request'
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
           submodules: false
 
       - name: Setup Python
+        if: github.event_name == 'pull_request'
         uses: actions/setup-python@v5
         with:
           python-version: "3.12"
 
       - name: Fetch base branch
+        if: github.event_name == 'pull_request'
         run: git fetch origin ${{ github.base_ref }}:refs/remotes/origin/${{ github.base_ref }}
 
       - name: Check code file sizes
+        if: github.event_name == 'pull_request'
         run: |
           python scripts/analyze_code_files.py \
             --compare-to origin/${{ github.base_ref }} \
-            --threshold 1000
+            --threshold 1000 \
+            --strict
 
   secrets:
     runs-on: blacksmith-4vcpu-ubuntu-2404
@@ -437,7 +443,7 @@ jobs:
           fi
 
   checks-windows:
-    needs: [docs-scope, changed-scope, build-artifacts]
+    needs: [docs-scope, changed-scope, build-artifacts, code-size]
     if: needs.docs-scope.outputs.docs_only != 'true' && (github.event_name == 'push' || needs.changed-scope.outputs.run_node == 'true')
     runs-on: blacksmith-4vcpu-windows-2025
     env:
@@ -558,7 +564,7 @@ jobs:
   # running 4 separate jobs per PR (as before) starved the queue. One job
   # per PR allows 5 PRs to run macOS checks simultaneously.
   macos:
-    needs: [docs-scope, changed-scope]
+    needs: [docs-scope, changed-scope, code-size]
     if: github.event_name == 'pull_request' && needs.docs-scope.outputs.docs_only != 'true' && needs.changed-scope.outputs.run_macos == 'true'
     runs-on: macos-latest
     steps:
@@ -836,7 +842,7 @@ jobs:
           PY
 
   android:
-    needs: [docs-scope, changed-scope]
+    needs: [docs-scope, changed-scope, code-size]
     if: needs.docs-scope.outputs.docs_only != 'true' && (github.event_name == 'push' || needs.changed-scope.outputs.run_android == 'true')
     runs-on: blacksmith-4vcpu-ubuntu-2404
     strategy: