ci: make CI/CodeQL lightweight and trigger only when required#124
Merged
Conversation
CI and CodeQL ran on both pull_request and push:main, and CI ran a 5-way cross-compile matrix on every event. Because main only advances through squash PRs, the post-merge run re-validated the exact diff the PR already passed, and the cross-compile matrix duplicated what release.yaml already builds for every platform on each tag. Recent run history was ~45 CI + ~45 CodeQL per 100 runs, roughly half of it redundant, plus 5 extra cross-compile runners per change and the full Go matrix even on docs-only PRs. Changes (no required status checks exist on main, so trigger/job changes don't affect merge-ability; release.yaml is untouched so the cosign keyless identity is preserved): - CI: pull_request only (dropped push:main). The PR run is the gate. - CodeQL: pull_request + the existing weekly schedule (dropped push:main); the weekly run covers main-branch drift. - Removed the per-PR cross-compile job. Per-platform build coverage (darwin/windows/arm64) lives in release.yaml, which builds every target on each tag. - Added concurrency cancel-in-progress to both, so a new commit on a PR cancels its superseded in-flight run. - paths-ignore (**.md, docs/**, LICENSE, .github/assets/**) so documentation-only PRs skip the Go pipeline entirely. - Minor: dropped `-v` from `go test` (log bloat) and pinned govulncheck to v1.4.0 instead of @latest (reproducible + served from the module cache). Net effect: a typical code PR drops from ~10 runner-jobs (+~10 again on merge) to ~4 (build/lint/vuln/dependency-review) with no post-merge run, and a docs-only PR to ~0 — roughly a 70-80% cut in CI minutes. Validated with actionlint (both files clean).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Makes CI/CodeQL lightweight and trigger only when needed. Recent history was ~45 CI + ~45 CodeQL per 100 runs — roughly half redundant — plus a 5-way cross-compile matrix on every event and the full Go pipeline even on docs-only PRs.
Why it's safe:
mainhas no branch protection / rulesets and no required status checks (PRs merge today even withdependency-reviewred), so changing triggers/jobs doesn't affect merge-ability.release.yamlis untouched, so the cosign keyless identity (pinned torelease.yaml) is preserved.Changes
push: main). main advances only via squash PRs, so the post-merge run just re-validated the diff the PR already passed.push: main); the weekly run covers main-branch drift.cross-compilematrix.release.yamlalready builds all 5 platforms (darwin/windows/linux/arm64) on every tag, so per-PR cross-compile was duplicate work. Trade-off: a platform-specific break surfaces at release, not on the PR.concurrency: cancel-in-progresson both — a new commit on a PR cancels its superseded in-flight run.paths-ignore(**.md,docs/**,LICENSE,.github/assets/**) — docs-only PRs skip the Go pipeline entirely.-vfromgo test; pinnedgovulncheck@v1.4.0(reproducible + cache-served) instead of@latest.Net effect
A typical code PR: ~10 runner-jobs (+~10 again on merge) → ~4 (build/lint/vuln/dependency-review), no post-merge run. Docs-only PR → 0. Roughly a 70–80% cut in CI minutes. (Release
macOScost is structural — darwin needs CGO — so the lever there is batching releases, not this workflow.)Verification
actionlintclean on both files.