diff --git a/.github/workflows/build_and_test_eicar_rock.yaml b/.github/workflows/build_and_test_eicar_rock.yaml
index 1aa80c4..580519e 100644
--- a/.github/workflows/build_and_test_eicar_rock.yaml
+++ b/.github/workflows/build_and_test_eicar_rock.yaml
@@ -16,7 +16,6 @@ jobs:
   test:
     uses: canonical/oci-factory/.github/workflows/Test-Rock.yaml@main
     needs: [build]
-    continue-on-error: true # we expect malware scan to fail
     with:
       oci-archive-name: "eicar-rock"
       test-black-box: true
@@ -24,3 +23,12 @@ jobs:
       test-malware: true
       test-oci-compliance: true
       test-vulnerabilities: true
+
+  end:
+    # we expect malware scan to fail, so we add a final job so PR checks pass.
+    if: ${{ !cancelled() }}
+    needs: [test]
+    runs-on: ubuntu-22.04
+    steps:
+      - run: |
+          echo Workflow complete!
diff --git a/.github/workflows/test_external_rock.yaml b/.github/workflows/test_external_rock.yaml
index 33ff275..25de8e1 100644
--- a/.github/workflows/test_external_rock.yaml
+++ b/.github/workflows/test_external_rock.yaml
@@ -31,7 +31,6 @@ jobs:
   test:
     uses: canonical/oci-factory/.github/workflows/Test-Rock.yaml@main
     needs: [setup]
-    continue-on-error: true # we expect vulnerabilities scan to fail
     with:
       oci-archive-name: test_image
       test-black-box: false # will always fail since bkimminich/juice-shop is not a rock. 
@@ -39,3 +38,12 @@ jobs:
       test-malware: true
       test-oci-compliance: true
       test-vulnerabilities: true
+
+  end:
+    # we expect vulnerabilities scan to fail, so we add a final job so PR checks pass.
+    if: ${{ !cancelled() }}
+    needs: [test]
+    runs-on: ubuntu-22.04
+    steps:
+      - run: |
+          echo Workflow complete!