ci: optimize GitHub workflows #134

Merged: ian-pascoe merged 1 commit into main from codex/optimize-github-workflows, May 6, 2026

@ian-pascoe ian-pascoe commented May 6, 2026

Summary

  • split CI verification from cross-platform test execution to reduce duplicated work
  • harden release-please lockfile sync and workflow permissions/concurrency
  • run registry and Homebrew sync only after release artifacts complete successfully

Validation

  • actionlint .github/workflows/*.yml
  • git diff --check

Summary by CodeRabbit

  • Chores
    • Enhanced CI/CD pipeline with improved verification workflows and cross-platform test coverage
    • Optimized workflow triggers and concurrency management for faster feedback loops
    • Strengthened release automation processes and workflow security through proper permissions configuration

coderabbitai Bot commented May 6, 2026

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

Restructures GitHub Actions workflows: adds a verify job and matrix test job in CI, migrates several release workflows from release triggers to workflow_run/dispatch, adds top-level permissions, tightens concurrency behavior, and improves Cargo.lock PR handling with path triggers and conditional push logic.

Changes

CI Test & Verify

| Layer / File(s) | Summary |
| --- | --- |
| Data / Inputs: .github/workflows/ci.yml | Introduces a verify job and a test matrix definition (matrix.os: ubuntu, macos, windows). |
| Core Implementation: .github/workflows/ci.yml | New verify job steps: checkout, setup-rust, cargo cache, snapshot-flow validation, format check, clippy, locked build. Test job steps updated to checkout, setup-rust, cargo cache, and cargo test --workspace --locked. |
| Cleanup / Removed Steps: .github/workflows/ci.yml | Removed Actionlint step from the previous test job (validation moved to verify job). |
| Tests / Validation: .github/workflows/ci.yml | Matrix job runs platform-specific tests; verify runs linters/format/build validation on ubuntu-latest. |

Release & Workflow Triggering, Permissions, and Cargo.lock Handling

| Layer / File(s) | Summary |
| --- | --- |
| Trigger Surface / Event Model: .github/workflows/homebrew-tap-sync.yml, .github/workflows/registry-sync.yml | Switched from release triggers to workflow_run (listening to Release Artifacts completed) and added/retained workflow_dispatch triggers; workflows branch logic by event type. |
| Concurrency & Metadata: .github/workflows/homebrew-tap-sync.yml, .github/workflows/registry-sync.yml, .github/workflows/prerelease-artifacts.yml | Concurrency groups now derive from workflow_run.head_branch for workflow_run events; prerelease-artifacts changed cancel-in-progress to true; registry-sync uses dynamic group keyed by event type and head branch. |
| Release Tag Resolution: .github/workflows/homebrew-tap-sync.yml, .github/workflows/registry-sync.yml | Resolve release metadata now sources release_tag from github.event.workflow_run.head_branch when invoked via workflow_run; workflows branch logic accordingly. |
| Permissions Hardening: .github/workflows/dependency-review.yml, .github/workflows/release-artifacts.yml, .github/workflows/release-please.yml, .github/workflows/workflow-lint.yml | Added top-level permissions blocks (e.g., contents: read, pull-requests: read) to multiple workflows. |
| Cargo.lock PR Handling: .github/workflows/release-please-cargo-lock.yml | Added path-based pull_request triggers for Cargo.toml/Cargo.lock, extended permissions (including pull-requests: read), added concurrency, changed checkout to refs/pull/{PR_NUMBER}/head, and enhanced commit/push step to check PR state (only push if OPEN) and push to HEAD:${HEAD_REF} using the GitHub token. |
| Workflow Step Removal: .github/workflows/release-please.yml | Removed Rust toolchain setup and cargo cache steps from release-please workflow. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

"
I nibble bytes where workflows sleep,
I hop through jobs and triggers deep. 🐇
Verify, test, and tags in line—
CI neat as carrot brine.
"

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'ci: optimize GitHub workflows' aligns with the main objectives: splitting CI verification from testing, hardening workflow permissions/concurrency, and improving sync workflow triggers. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

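An added illustration of the trigger pattern the walkthrough describes, not a workflow from this repository: a sync workflow that listens for Release Artifacts via workflow_run, keeps top-level permissions read-only, runs only on a successful conclusion, and validates head_branch before using it as the release tag. The workflow name, the release_tag input, the concurrency group key and the tag pattern are assumptions.

```yaml
# Illustrative only; not a file from this repository.
name: Registry Sync (example)

on:
  workflow_run:
    workflows: ["Release Artifacts"]   # upstream workflow named in the walkthrough
    types: [completed]
  workflow_dispatch:
    inputs:
      release_tag:                     # assumed input name
        description: Tag to sync
        required: true

# Least privilege by default; a job that needs more must opt in explicitly.
permissions:
  contents: read

concurrency:
  # Assumed key: one sync at a time per event type and tag.
  group: registry-sync-${{ github.event_name }}-${{ github.event.workflow_run.head_branch || inputs.release_tag }}
  cancel-in-progress: false

jobs:
  sync:
    # "completed" also fires for failed and cancelled runs, so gate on the conclusion.
    if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - name: Resolve release metadata
        id: meta
        env:
          # Ref names are untrusted input: pass them through env instead of
          # interpolating the expression into the script body.
          RAW_TAG: ${{ github.event.workflow_run.head_branch || inputs.release_tag }}
        run: |
          # Assumed tag shape: vMAJOR.MINOR.PATCH with an optional pre-release suffix.
          if ! printf '%s' "$RAW_TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'; then
            echo "refusing unexpected ref name: $RAW_TAG" >&2
            exit 1
          fi
          echo "release_tag=$RAW_TAG" >> "$GITHUB_OUTPUT"
```

Later steps would read the checked value from steps.meta.outputs.release_tag rather than from the event payload.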

@ian-pascoe ian-pascoe force-pushed the codex/optimize-github-workflows branch from 95ea2a7 to e38a4f0 Compare May 6, 2026 15:17
@ian-pascoe ian-pascoe marked this pull request as ready for review May 6, 2026 15:17
@greptile-apps greptile-apps Bot left a comment

ian-pascoe has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.

@ian-pascoe ian-pascoe merged commit e69a689 into main May 6, 2026
1 of 2 checks passed
@ian-pascoe ian-pascoe deleted the codex/optimize-github-workflows branch May 6, 2026 15:29