fix(ci): scope model-discovery PR to only include models.json

[maskarb]

Summary

• Add add-paths to create-pull-request so only models.json is committed (prevents GCP WIF credentials file from leaking into the PR)
• Scope the diff check to only models.json so transient workspace files don't trigger false positives

See #911 for the PR where the credentials file was accidentally included.

Test plan

• Trigger model-discovery workflow manually and verify the resulting PR only contains models.json

🤖 Generated with Claude Code

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f7fc8298-35b5-4dc9-96dc-9ec6c66e55da

📥 Commits

Reviewing files that changed from the base of the PR and between dd0bc67 and e22a92f.

📒 Files selected for processing (3)

• .github/workflows/components-build-deploy.yml
• .github/workflows/model-discovery.yml
• .github/workflows/prod-release-deploy.yaml

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

---

Walkthrough

Three GitHub Actions workflow files are restructured to implement component-driven build matrices with multi-architecture support. The workflows introduce dynamic component detection, matrix-based parallel builds for multiple architectures, a new merge-manifests job for multi-arch image handling, and conditional deployment logic based on detected/built components.

Changes

Cohort / File(s)	Summary
Multi-arch Component Build Workflows .github/workflows/components-build-deploy.yml, .github/workflows/prod-release-deploy.yaml	Both workflows replace static build processes with dynamic component matrices (amd64, arm64). Introduce detect-changes job with build-matrix/merge-matrix/has-builds outputs, new merge-manifests job for multi-arch image creation, and conditional deployment steps based on built components. Add per-arch image tagging (suffix-based tags like -amd64/-arm64) and dynamic image tag determination. Update kustomize and deployment steps to conditionally apply changes only for rebuilt components.
Model Discovery Workflow .github/workflows/model-discovery.yml	Narrows diff check to single file path (components/manifests/base/models.json) and updates PR creation to include that file in add-paths. Restricts workflow triggers to only model manifest changes.

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant DC as detect-changes Job
    participant BCM as Build Component Matrices
    participant BAP as build-and-push Job<br/>(matrix: arch × component)
    participant MM as merge-manifests Job
    participant DO as deploy-to-openshift Job

    GHA->>DC: Trigger workflow
    DC->>BCM: Compute ALL_COMPONENTS<br/>Filter by selection/force-build
    BCM-->>DC: Output BUILD_MATRIX<br/>MERGE_MATRIX<br/>HAS_BUILDS
    
    DC->>BAP: Dispatch matrix<br/>(arch: amd64, arm64)<br/>per-component
    
    par Multi-arch builds
        BAP->>BAP: Build & push with<br/>arch suffix tags<br/>(-amd64, -arm64)
    end
    
    BAP-->>MM: Build results
    MM->>MM: Create multi-arch<br/>manifests per component<br/>using manifest tool
    MM-->>DO: Manifest outputs
    
    DO->>DO: Detect built components
    DO->>DO: Conditionally update<br/>images & registries<br/>only for built components
    DO->>DO: Apply stage/latest tags

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/model-discovery-creds-leak

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}