
ci: skip code jobs on docs-only changes#3295

Merged
julienrbrt merged 1 commit intomainfrom
auricom/ci-docs-skip
Apr 28, 2026

@auricom auricom commented Apr 28, 2026

Summary

  • Adds a changes detection job to identify whether any non-documentation files were modified

Add a `changes` job using dorny/paths-filter to detect whether any
non-documentation files were modified. All heavy jobs (lint, docker,
test, docker-tests, proto) are gated behind this check and skipped
when the PR only touches docs/** or markdown files.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

claude Bot commented Apr 28, 2026

Claude finished @auricom's task in 1m 40s


Code Review

  • Gather context and read changed files
  • Review CI workflow changes
  • Post review feedback

The approach is sound and well-motivated — using job-level if conditions instead of paths-ignore on the trigger correctly preserves required status checks for branch protection rules. A few observations:

Security: dorny/paths-filter not pinned to a commit SHA

.github/workflows/ci.yml line 22:

- uses: dorny/paths-filter@v3

Third-party actions should be pinned to a specific commit SHA instead of a mutable tag (e.g. dorny/paths-filter@de90cc6ee8cb95e34b2d7ffa8879d543fd4dec07). A compromised tag push could execute arbitrary code in CI with pull-requests: read permissions. This is the main concern with the PR as-is.

Minor: unnecessary checkout step in changes job

Lines 21–22:

- uses: actions/checkout@v6.0.2
- uses: dorny/paths-filter@v3

For pull_request events, dorny/paths-filter can fetch changed files directly via the GitHub API when pull-requests: read is granted, so the checkout step isn't needed for PR runs. For push and merge_group events it falls back to git diff automatically. Removing the checkout step would make the changes job faster and cheaper.

Heads-up: push to main with docs-only changes skips all CI

The workflow triggers on push: branches: [main] as well. If a docs-only commit lands on main (e.g. via admin bypass), all CI jobs will be skipped including lint and proto checks. This is probably acceptable for a docs hotfix, but worth being aware of. If you'd like full CI to always run on main pushes, you can scope the if condition to only apply for pull_request events:

if: github.event_name != 'pull_request' || needs.changes.outputs.code == 'true'

or simply not apply the gate on push events. This is optional/non-blocking.

What works well

  • The filter pattern (** + negations for docs/**, **/*.md, .github/workflows/docs_*.yml) is correct and covers the right cases.
  • The needs dependency graph is consistent: jobs that already depended on determine-image-tag now additionally list changes, and the if conditions reference needs.changes.outputs.code correctly.
  • Proper least-privilege permissions on the changes job (contents: read, pull-requests: read).
  • The PR description is clear and explains the paths-ignore vs job-level tradeoff well.

The SHA pinning issue is worth addressing before merging given this is a CI security surface. Everything else looks good.
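
A check for the pinning concern raised in the review above, as an added example that is not part of the PR or the project's code: it scans workflow text for `uses:` references that are not pinned to a full 40-character commit SHA. The function name `unpinned_actions` and the sample workflow are constructed for illustration; the SHA in the sample is the one quoted in the review.

```python
import re

# Matches a `uses:` key in a step or job, with optional list dash and quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text):
    """Return (line_number, reference, reason) for each `uses:` not pinned immutably."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue  # not a `uses:` line, or the line is commented out
        ref = match.group(1)
        # Local actions and same-repo reusable workflows are versioned with
        # the workflow file itself, so there is nothing to pin.
        if ref.startswith("./"):
            continue
        if ref.startswith("docker://"):
            # Container images are pinned by digest, not by git SHA.
            if "@sha256:" not in ref:
                findings.append((lineno, ref, "docker image without digest"))
            continue
        _, sep, version = ref.partition("@")
        if not sep:
            findings.append((lineno, ref, "no version given"))
        elif not FULL_SHA_RE.match(version):
            findings.append((lineno, ref, "mutable tag or branch"))
    return findings


# Constructed sample: the two `uses:` lines from the PR's `changes` job, plus
# pinned, local and commented-out references that must not be reported.
SAMPLE_WORKFLOW = """\
jobs:
  changes:
    steps:
      - uses: actions/checkout@v6.0.2
      - uses: dorny/paths-filter@v3
      - uses: dorny/paths-filter@de90cc6ee8cb95e34b2d7ffa8879d543fd4dec07 # pinned
      - uses: ./.github/actions/setup
      # - uses: example/commented-out@main
"""

if __name__ == "__main__":
    for lineno, ref, reason in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} ({reason})")
```

Run as a CI step over `.github/workflows/*.yml`, a non-empty result can fail the build before an unpinned action is merged.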


coderabbitai Bot commented Apr 28, 2026

Warning

Rate limit exceeded

@auricom has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 38 minutes and 1 second before requesting another review.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e5de5712-7313-4811-a90d-933d71e68c41

📥 Commits

Reviewing files that changed from the base of the PR and between 14b82da and adf399c.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

@github-actions

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

| Build | Format | Lint | Breaking | Updated (UTC) |
| --- | --- | --- | --- | --- |
| ✅ passed | ⏩ skipped | ✅ passed | ✅ passed | Apr 28, 2026, 11:48 AM |

Comment thread .github/workflows/ci.yml
code: ${{ steps.filter.outputs.code }}
steps:
- uses: actions/checkout@v6.0.2
- uses: dorny/paths-filter@v3
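
Review bot: both `uses:` lines reference mutable tags (`actions/checkout@v6.0.2` and `dorny/paths-filter@v3`); pin each to a full commit SHA and keep the tag as a trailing comment, so a moved tag cannot change what runs in this job. Separately, the job output `code: ${{ steps.filter.outputs.code }}` only resolves if the paths-filter step carries `id: filter`, which is not among the lines shown here. Confirm it is set, because an empty output makes every `needs.changes.outputs.code == 'true'` gate evaluate to false and the code jobs would be skipped silently.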
codecov Bot commented Apr 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.48%. Comparing base (49ef5c9) to head (adf399c).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3295      +/-   ##
==========================================
+ Coverage   62.45%   62.48%   +0.02%     
==========================================
  Files         122      122              
  Lines       13047    13047              
==========================================
+ Hits         8149     8152       +3     
+ Misses       4012     4009       -3     
  Partials      886      886              
Flag Coverage Δ
combined 62.48% <ø> (+0.02%) ⬆️


@julienrbrt julienrbrt added this pull request to the merge queue Apr 28, 2026
Merged via the queue into main with commit 4b61600 Apr 28, 2026
37 checks passed
@julienrbrt julienrbrt deleted the auricom/ci-docs-skip branch April 28, 2026 12:54
julienrbrt pushed a commit that referenced this pull request Apr 29, 2026
Add a `changes` job using dorny/paths-filter to detect whether any
non-documentation files were modified. All heavy jobs (lint, docker,
test, docker-tests, proto) are gated behind this check and skipped
when the PR only touches docs/** or markdown files.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>