
ci: tighten path filters on PR-triggered workflows #2134

Open

samrose wants to merge 4 commits into develop from pg-ci-changes

Conversation


@samrose samrose commented May 5, 2026

Collaborator

Summary

Three workflows fire on every PR push regardless of what changed. This PR adds paths: filters to their pull_request triggers, scoped to what each workflow actually inspects. Findings come from a pgci-graph workflows analysis (Phase 1).

Filters

ci.yml — "Check merge requirements"

Reads ansible/vars.yml to validate postgres_release version strings. That's the entire workflow.

paths:
  - 'ansible/vars.yml'
  - '.github/workflows/ci.yml'

check-shellscripts.yml

Runs ShellCheck against ./ansible/files/admin_api_scripts and its pg_upgrade_scripts subdir. The ** glob covers both.

paths:
  - 'ansible/files/admin_api_scripts/**'
  - '.github/workflows/check-shellscripts.yml'

nix-build.yml — "Nix CI"

Scoped to actual Nix derivation inputs and the workflow's own dependencies.

paths:
  - 'flake.nix'
  - 'flake.lock'
  - 'nix/**'
  - 'ansible/files/**'
  - 'migrations/**'
  - 'audit-specs/**'
  - 'Dockerfile-*'
  - 'docker/**'
  - '.github/workflows/nix-build.yml'
  - '.github/workflows/nix-eval.yml'
  - '.github/actions/nix-install-ephemeral/**'
  - '.github/actions/nix-install-self-hosted/**'
  - '.github/actions/nix-build-retry/**'

Deliberately excluded from nix-build.yml's filter (with verification)

  • ansible/vars.yml — empirically the only Nix derivation with vars.yml as an inputSrc is dbmate-tool. Verified via nix derivation show against all packages and a representative sample of checks (postgres builds, extensions, devShell, pre-commit, treefmt, etc.) — none had vars.yml as an input. Furthermore, dbmate-tool's build cannot fail on vars.yml content changes (it only embeds the file's store path; the script body and shellcheck don't depend on the content). Content validation is handled by ci.yml, which keeps vars.yml in its filter.
  • test.yml, testinfra-ami-build.yml — reusable workflows called by nix-build.yml, but changes to them don't affect the Nix derivation graph, only how downstream tests run. Re-running every package build × architecture × PG version on a test-logic tweak is wasteful. Merge queue still validates them at merge time.
  • docker-image-test.yml — has its own independent pull_request trigger, so it fires regardless.
  • .github/actions/** (wide glob) — only 3 of 6 actions in that directory are used by nix-build.yml. Listing the specific 3 avoids re-evaluation when unrelated actions (build-ami, check-docker-image-changes, shared-checkout) are edited.

Left un-filtered (intentional)

  • merge_group: everywhere — GitHub ignores paths: on this event, and it's the merge-time safety net.
  • nix-build.yml's push.branches: [release/*] — release pushes always need full validation.
  • workflow_dispatch: — manual.

Required status checks interaction

The three filtered workflows produce required status checks on develop:

  • ci.yml → check-release-version
  • check-shellscripts.yml → build
  • nix-build.yml (via test.yml) → run-tests / prepare, run-tests / build (15 | 17 | orioledb-17)

When GitHub skips a workflow due to paths:, no status is reported — which would normally block merge if required checks were evaluated on the PR commit.

Mitigated by merge queue (verified enabled on develop via recent gh-readonly-queue/develop/pr-NNNN-... merge_group runs):

  • Required status checks are evaluated on the merge_group commit, not the PR commit.
  • paths: filters are ignored on merge_group events.
  • All three workflows retain merge_group: triggers (un-filtered).

PRs that don't match paths: skip CI at PR-time (the desired savings); merge queue runs all required checks at merge time and gates merge on them.

Caveats

  • The nix-build.yml paths list is a manual stop-gap. Phase 2 of pgci-graph will derive it from inputSrcs automatically; until then, treat it as a quarterly review item. Merge queue mitigates the cost of any drift.
  • The merge-queue mitigation has not been empirically tested on this repo with a PR that touches none of the filtered paths. Verifying that requires this PR to be merged first, then opening a follow-up no-op PR. Revert is one commit if anything misbehaves.

Test plan

  • Open a docs-only follow-up PR after merge: confirm workflows skip at PR-time, merge_group fires all three at queue time, PR merges.
  • Confirm release pushes (push.branches: release/*) still trigger full nix-build.yml.
  • Confirm a PR touching only ansible/vars.yml triggers ci.yml only (not nix-build.yml, not check-shellscripts.yml).
  • Confirm a PR touching only ansible/files/admin_api_scripts/ triggers check-shellscripts.yml only.
  • Confirm a PR touching only nix/** triggers nix-build.yml only.
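To make the test plan cases checkable on paper before this PR merges, here is an added example (not code from the PR or the repository) that re-implements GitHub's `paths:` glob semantics in Python and evaluates the three filters above against constructed changed-file lists. The `glob_to_regex` and `triggered_workflows` names are mine; the matcher assumes, per GitHub's filter pattern rules, that `*` and `?` do not cross `/`, that `**` does, and that a workflow fires when any changed file matches any pattern in its list.

```python
import re

# The three pull_request paths: filters proposed in this PR, copied from its description.
WORKFLOW_PATHS = {
    "ci.yml": ["ansible/vars.yml", ".github/workflows/ci.yml"],
    "check-shellscripts.yml": [
        "ansible/files/admin_api_scripts/**",
        ".github/workflows/check-shellscripts.yml",
    ],
    "nix-build.yml": [
        "flake.nix", "flake.lock", "nix/**", "ansible/files/**", "migrations/**",
        "audit-specs/**", "Dockerfile-*", "docker/**",
        ".github/workflows/nix-build.yml", ".github/workflows/nix-eval.yml",
        ".github/actions/nix-install-ephemeral/**",
        ".github/actions/nix-install-self-hosted/**",
        ".github/actions/nix-build-retry/**",
    ],
}

def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a GitHub Actions path filter into a regex anchored at the repo root."""
    # `*` and `?` stop at `/`; `**` matches any run of characters, including `/`.
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] in "*?":
            parts.append("[^/]*" if pattern[i] == "*" else "[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")

def triggered_workflows(changed_files):
    """Workflows whose paths: filter matches at least one changed file (GitHub ORs the list)."""
    hit = set()
    for name, globs in WORKFLOW_PATHS.items():
        regexes = [glob_to_regex(g) for g in globs]
        if any(r.match(f) for f in changed_files for r in regexes):
            hit.add(name)
    return hit

if __name__ == "__main__":
    # Constructed sample PRs mirroring the test plan cases above.
    for files in (["README.md"], ["ansible/vars.yml"], ["nix/postgres.nix"],
                  ["ansible/files/admin_api_scripts/pg_upgrade_scripts/x.sh"]):
        print(files, "->", sorted(triggered_workflows(files)) or "skipped at PR time")
```

Note that because nix-build.yml's list contains `ansible/files/**`, a PR touching only `ansible/files/admin_api_scripts/` matches both check-shellscripts.yml and nix-build.yml under these filters, so that test-plan case would see two workflows fire rather than one.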
@samrose samrose marked this pull request as ready for review May 5, 2026 21:24
@samrose samrose requested review from a team as code owners May 5, 2026 21:24

@hunleyd hunleyd left a comment

Contributor


looks sane to me

@darora darora left a comment

Contributor


looks sensible, definitely haven't exhaustively verified the nix-build patterns
