ci: skip jobs if files not-changed

[davdhacs]

Description

Skip CI jobs on PRs when their files haven't changed.

A reusable workflow (detect-changes.yml) fetches the PR's changed file list via GitHub API and outputs it with ^/$ anchors. Each job matches with contains():

detect-changes:
  uses: ./.github/workflows/detect-changes.yml

go:
  needs: detect-changes
  if: >-
    !needs.detect-changes.outputs.files ||
    contains(needs.detect-changes.outputs.files, '.go$') ||
    contains(needs.detect-changes.outputs.files, '^proto/')

• No checkout needed (GitHub API only, ~3s)
• Empty output on push/failure → falsy → !...files defaults to run
• ^ anchors root directories, $ anchors extensions — no false positives
• Substring matching is safe: false positives run the job, false negatives can't happen

Applied to: unit-tests, style, scanner-db-integration-tests, check-crd-compatibility.

Testing and quality

• CI results are inspected

How I validated my change

• actionlint passes on all modified workflows
• Verified strict_required_status_checks_policy is false — skipped jobs don't block merge

Test 1 — Go file change (pkg/version/version.go):
Unit Tests |
Style

• Confirmed triggered: go, go-postgres, go-bench, local-roxctl-tests, sensor-integration-tests, check-generated-files, golangci-lint, style-check
• Confirmed skipped: ui, ui-component, shell-unit-tests, openshift-ci-unit-tests, check-dependent-images-exist, check-crd-compatibility, db-integration-tests

Test 2 — UI file change (ui/package.json):
Unit Tests |
Style

• Confirmed triggered: ui, ui-component, style-check
• Confirmed skipped: go, go-postgres, go-bench, local-roxctl-tests, sensor-integration-tests, golangci-lint, check-generated-files, check-dependent-images-exist

Both runs were cancelled by concurrency (revert commits), but job statuses (pending vs skipping) were captured before cancellation, confirming correct filter behavior.

🤖 Generated with Claude Code

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[sourcery-ai]

Hey - I've left some high level feedback:

• The find-changes.sh script depends on Bash associative arrays (declare -A), which aren’t supported by the default Bash 3.x on macOS runners; consider either enforcing a Bash 4+ shell (e.g., via bash from Homebrew or ubuntu-only usage) or adding a guard/error message so this fails clearly on unsupported environments.
• The current filters parsing via declare -A filters="$1" is quite brittle and tightly couples the caller to Bash literal syntax; consider either dropping the quotes (declare -A filters=$1) and documenting that the input must be a valid associative array initializer, or switching to a more structured format (e.g., newline-delimited key=glob pairs) to reduce parsing surprises.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The `find-changes.sh` script depends on Bash associative arrays (`declare -A`), which aren’t supported by the default Bash 3.x on macOS runners; consider either enforcing a Bash 4+ shell (e.g., via `bash` from Homebrew or `ubuntu`-only usage) or adding a guard/error message so this fails clearly on unsupported environments.
- The current `filters` parsing via `declare -A filters="$1"` is quite brittle and tightly couples the caller to Bash literal syntax; consider either dropping the quotes (`declare -A filters=$1`) and documenting that the input must be a valid associative array initializer, or switching to a more structured format (e.g., newline-delimited `key=glob` pairs) to reduce parsing surprises.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a reusable detect-changes workflow that lists PR changed files and exposes a files output (newline-separated, anchored filenames). Multiple CI workflows (check-crd-compatibility, scanner-db-integration-tests, style, unit-tests, scanner DB tests) now call it and conditionally skip jobs on PRs when relevant path patterns are unchanged.

Changes

Cohort / File(s)	Summary
New reusable workflow .github/workflows/detect-changes.yml	Adds a workflow_call reusable workflow that lists PR changed files via the GitHub API and outputs files as newline-separated, regex-anchored filenames (empty on non-PR, failure, or very large PRs).
check-crd gating .github/workflows/check-crd-compatibility.yaml	Adds detect-changes dependency and an if: guard so CRD compatibility runs only when relevant operator/ or config-controller/ paths are detected.
scanner DB integration gating .github/workflows/scanner-db-integration-tests.yaml	Adds detect-changes job and updates db-integration-tests to needs: detect-changes with an if: that runs only when scanner/**, go.mod, or go.sum are reported changed.
style/lint gating .github/workflows/style.yaml	Adds detect-changes job and makes multiple lint/style jobs (check-generated-files, style-check, golangci-lint, check-dependent-images-exist, github-actions-lint, github-actions-shellcheck, openshift-ci-lint) depend on it and use if: expressions tied to needs.detect-changes.outputs.files for component-specific path patterns.
unit & integration test gating .github/workflows/unit-tests.yaml	Adds detect-changes job and gates various test jobs (Go, UI, shell, OpenShift wrapper, sensor integration, etc.) via needs: detect-changes and if: checks against needs.detect-changes.outputs.files so they run only when related paths are changed.

Sequence Diagram(s)

sequenceDiagram
    rect rgba(220,230,241,0.5)
    participant PRClient as PR Client
    PRClient->>GitHub: Open/Update PR
    end

    rect rgba(200,245,205,0.5)
    participant GitHub as GitHub Actions
    GitHub->>DetectWF: Trigger reusable detect-changes (workflow_call)
    end

    rect rgba(255,243,205,0.5)
    participant DetectWF as DetectWorkflow
    participant API as GitHub API
    DetectWF->>API: List PR files (paginate)
    API-->>DetectWF: Return file list or error/truncated
    DetectWF->>DetectWF: Format filenames (anchor with ^...$), write `files` output
    DetectWF-->>GitHub: Set job output `files`
    end

    rect rgba(241,222,255,0.5)
    participant CI as CI Workflows
    participant Runner as Runner
    CI->>DetectWF: Wait for output (needs)
    alt matching paths present
        CI->>Runner: Execute gated jobs (linters, tests, integration)
    else no matching paths (on PR)
        CI->>GitHub: Skip gated jobs
    end
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title 'ci: skip jobs if files not-changed' accurately summarizes the main objective of the PR, which is to conditionally skip CI jobs based on whether relevant files were modified.
Description check	✅ Passed	The PR description is comprehensive and well-structured, covering the change purpose, implementation details, validation approach, and test results with links.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch davdhacs/files-changed-action

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/actions/files-changed/action.yaml:
- Around line 25-28: Replace inline shell interpolation of inputs in the run
step by exporting inputs as environment variables and invoke the script with
bash; specifically, set environment variables (e.g., FILTERS, BASE, SHA) from
the GitHub Actions inputs (inputs.filters, inputs.base, inputs.sha) and call
bash "${{ github.action_path }}/find-changes.sh" using those env vars (and write
output to GITHUB_OUTPUT as before). Update the run block so it uses explicit
bash to execute find-changes.sh and references the env vars inside the script
invocation instead of embedding '${{ inputs.* }}' directly.

In @.github/actions/files-changed/find-changes.sh:
- Around line 19-30: The current IFS=$'\n' causes the echo of matches via echo
"matches=${!matches[*]}" to expand keys with newlines, which breaks
GITHUB_OUTPUT parsing; modify the write to GITHUB_OUTPUT so the matched keys are
joined on a single space (or otherwise single line) before emitting—e.g.
temporarily join "${!matches[@]}" into a single-space string or use printf to
format the list and then write that single-line value instead of the current
echo that can output multiple lines; target the matches associative array and
the echo "matches=${!matches[*]}" invocation to implement this change.
- Line 24: The current equality check if [[ $line == $exp ]]; then uses shell
globs that allow * to cross '/' boundaries; replace it with a path-segment-aware
matcher: add a function matches_path() that takes the file path ($line) and the
pattern ($exp), splits both on '/' and compares each segment pair-by-pair so '*'
only matches within a single segment (use [[ "$seg" == "$pat_seg" ]] for segment
matching), allow a special '**' pattern to mean "match remaining segments", and
ensure segment counts must match unless '**' is used; then replace the if [[
$line == $exp ]]; then with if matches_path "$line" "$exp"; then to enforce
correct path-segment glob semantics.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 1d3a8535-b602-4a57-8cde-8c13424156c6

📥 Commits

Reviewing files that changed from the base of the PR and between 8a8a869 and 32efbba.

📒 Files selected for processing (2)

• .github/actions/files-changed/action.yaml
• .github/actions/files-changed/find-changes.sh

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.74%. Comparing base (8a8a869) to head (32efbba).

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #20171   +/-   ##
=======================================
  Coverage   49.74%   49.74%           
=======================================
  Files        2768     2768           
  Lines      209706   209706           
=======================================
  Hits       104318   104318           
  Misses      97690    97690           
  Partials     7698     7698           

Flag	Coverage Δ
go-unit-tests	49.74% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🚀 Build Images Ready

Images are ready for commit 1927c31. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.11.x-793-g1927c318c8

[davdhacs]

@coderabbitai review

[davdhacs]

@sourcery-ai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The filters JSON is duplicated across multiple workflows (style, unit-tests, scanner-db-integration-tests, etc.); consider centralizing the filter definitions in a single reusable location (e.g., a workflow input default or a checked-in JSON file) to avoid drift and make future updates less error-prone.
• Using contains(needs.detect-changes.outputs.matches, 'go') on a space-separated string can lead to accidental substring matches if new labels are added (e.g., go-ui); you may want to output a delimiter-wrapped list (like ,go,ui,), or a JSON array, and adjust the condition checks accordingly for more robust matching.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The `filters` JSON is duplicated across multiple workflows (`style`, `unit-tests`, `scanner-db-integration-tests`, etc.); consider centralizing the filter definitions in a single reusable location (e.g., a workflow input default or a checked-in JSON file) to avoid drift and make future updates less error-prone.
- Using `contains(needs.detect-changes.outputs.matches, 'go')` on a space-separated string can lead to accidental substring matches if new labels are added (e.g., `go-ui`); you may want to output a delimiter-wrapped list (like `,go,ui,`), or a JSON array, and adjust the condition checks accordingly for more robust matching.

## Individual Comments

### Comment 1
<location path=".github/workflows/detect-changes.yml" line_range="43-45" />
<code_context>
+            echo "^${regex}$"
+          }
+
+          mapfile -t files < <(gh api "repos/${GH_REPO}/pulls/${PR_NUMBER}/files" --paginate --jq '.[].filename')
+          echo "Changed files (${#files[@]}):" >&2
+          printf '  %s\n' "${files[@]}" >&2
+
+          # GitHub API caps at 3000 files per PR. If we hit that,
+          # assume everything changed so no jobs are skipped.
+          if [[ ${#files[@]} -ge 3000 ]]; then
+            echo "::warning::PR has 3000+ changed files, matching all filters" >&2
+            all_keys=$(echo "${FILTERS}" | jq -r 'keys[]' | tr '\n' ' ')
</code_context>
<issue_to_address>
**suggestion:** Failure modes when GH CLI or API calls misbehave could cause unexpected hard failures.

This step assumes `gh` exists and that the API call always succeeds. With `set -eo pipefail`, any `gh api` failure (rate limiting, network issues, missing `PR_NUMBER`, or `${{ github.token }}` permission problems) will hard-fail the workflow and block dependent jobs. Consider handling a failed `gh api` by either treating it like the `>= 3000 files` case (warn and mark all filters as matched so nothing is skipped) or failing fast with a clearer, actionable error message about the environment/permissions issue.

```suggestion
          if ! gh_files_json="$(gh api "repos/${GH_REPO}/pulls/${PR_NUMBER}/files" --paginate --jq '.[].filename')"; then
            echo "::warning::Failed to list changed files via GitHub API (check PR_NUMBER, gh auth, and permissions); matching all filters" >&2
            all_keys=$(echo "${FILTERS}" | jq -r 'keys[]' | tr '\n' ' ')
            echo "matches=${all_keys}" | tee -a "${GITHUB_OUTPUT}"
            exit 0
          fi

          mapfile -t files < <(printf '%s\n' "${gh_files_json}")
          echo "Changed files (${#files[@]}):" >&2
          printf '  %s\n' "${files[@]}" >&2
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/unit-tests.yaml (1)

25-35: Consider including ^config-controller/ in the go job filter.

The go job runs make -C operator/ test-integration and test-helm (lines 92, 95). The operator Helm/integration tests pull in config-controller CRDs/content in this repo, and the companion workflow check-crd-compatibility.yaml gates on both operator/ and config-controller/. A PR that touches only config-controller/ would skip this job here while CRD-compat still runs. Low-impact, but worth aligning for consistency.

       contains(needs.detect-changes.outputs.files, '^proto/') ||
-      contains(needs.detect-changes.outputs.files, '^operator/')
+      contains(needs.detect-changes.outputs.files, '^operator/') ||
+      contains(needs.detect-changes.outputs.files, '^config-controller/')

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/unit-tests.yaml around lines 25 - 35, The `go` job filter
is missing the config-controller directory pattern so PRs touching only
config-controller/ will skip the go job; update the job condition for the `go`
job (the contains(...) list in the if: expression) to include the
'^config-controller/' pattern so the `go` job runs when files under
config-controller/ change, keeping it consistent with the
`check-crd-compatibility.yaml` gating and the operator tests (which run make -C
operator/ test-integration and test-helm).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/detect-changes.yml:
- Around line 58-62: The step currently always runs printf '^%s$\n'
"${files[@]}" which when files is empty emits a single "^$" and makes
outputs.files non-empty; fix by guarding that printf with a length check on the
files array so you only append file patterns to GITHUB_OUTPUT when files
contains elements (e.g. test ${`#files`[@]} -gt 0 before running printf '^%s$\n'
"${files[@]}" and otherwise write an empty files output), referencing the
existing variables/commands: files, printf '^%s$\n' "${files[@]}", and
GITHUB_OUTPUT (so outputs.files is truly empty when no files changed).

---

Nitpick comments:
In @.github/workflows/unit-tests.yaml:
- Around line 25-35: The `go` job filter is missing the config-controller
directory pattern so PRs touching only config-controller/ will skip the go job;
update the job condition for the `go` job (the contains(...) list in the if:
expression) to include the '^config-controller/' pattern so the `go` job runs
when files under config-controller/ change, keeping it consistent with the
`check-crd-compatibility.yaml` gating and the operator tests (which run make -C
operator/ test-integration and test-helm).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: e696554a-5f2b-439a-9fb7-c9877308a15a

📥 Commits

Reviewing files that changed from the base of the PR and between 6b6f285 and 6e50d4b.

📒 Files selected for processing (5)

• .github/workflows/check-crd-compatibility.yaml
• .github/workflows/detect-changes.yml
• .github/workflows/scanner-db-integration-tests.yaml
• .github/workflows/style.yaml
• .github/workflows/unit-tests.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/workflows/check-crd-compatibility.yaml
• .github/workflows/style.yaml

[davdhacs]

I went too far with adding file filters to so many jobs. But this gives good examples of what would be possible. And we could just start with a conditional for a single job like skipping just check-crd-compatibility or check-generated-files.

[janisz]

How to handle required checks? If we skip the job the merge will be blocked

[davdhacs]

Skipped jobs satisfy required checks — GitHub treats job-level skips (via if:) as "Success":

"Required status checks must have a successful, skipped, or neutral status before collaborators can make changes to a protected branch." https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging

and

"If a job within a workflow is skipped due to a conditional, it will report its status as 'Success'."
— Troubleshooting required status checks

This only works because we skip at the job level (if: on each job), not at the workflow level (on.push.paths). Workflow-level skips would leave checks as "Pending" and block merge.

Also see: About protected branches — "Required status checks must have a successful, skipped, or neutral status."

[davdhacs]

smaller PR to add the action and apply it only to .github/ and .openshift-ci/ paths+linters: #20195

[sourcery-ai]

Hey - I've left some high level feedback:

• The explanatory comment for the '^scripts/' pattern in detect-changes.yml is misleading — the pattern will match nested paths like scripts/nested/foo.sh as well, so either update the comment or tighten the pattern if you truly only want the root-level directory.
• The if conditions for several jobs repeat similar path/extension checks (e.g., .go$, ^go.mod$, ^go.sum$); consider extracting common patterns into reusable expressions or grouping them via an additional boolean output from detect-changes to reduce duplication and future maintenance overhead.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The explanatory comment for the `'^scripts/'` pattern in `detect-changes.yml` is misleading — the pattern will match nested paths like `scripts/nested/foo.sh` as well, so either update the comment or tighten the pattern if you truly only want the root-level directory.
- The `if` conditions for several jobs repeat similar path/extension checks (e.g., `.go$`, `^go.mod$`, `^go.sum$`); consider extracting common patterns into reusable expressions or grouping them via an additional boolean output from `detect-changes` to reduce duplication and future maintenance overhead.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[AlexVulaj]

Nitpick, because this would be an optimization and not a functional issue -

VERSION$ here matches any file ending in VERSION, including things like BUILD_IMAGE_VERSION and scanner/VULNERABILITY_VERSION, which I'm not sure if are relevant here. Maybe more explicit patterns could optimize some of this, but also feel free to resolve this and ignore if you don't think the juice is worth the squeeze.

[davdhacs]

I want it to be matching any possible filename ending with "VERSION" so that if we add a new one, like FACT_VERSION was added this year, then we don't need to add it here. And the edge case of a *VERSION file changing which we don't check in this job triggering this is rare and acceptible (not a long/slow job I think).
So, yes (not enough juice to be worth it) I think for now it is better to match all and accept some extra runs (we run on every commit as it is right now).

[davdhacs]

I'll hold this change until I have more input. I intend to reduce it to only add the condition on one job as a guinea-pig tester/example. Then we can increase the use to this extent when/if more teams+engineers want or approve it.

[openshift-ci]

@davdhacs: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/ocp-4-12-nongroovy-e2e-tests	1927c31	link	false	/test ocp-4-12-nongroovy-e2e-tests
ci/prow/ocp-4-21-nongroovy-e2e-tests	1927c31	link	false	/test ocp-4-21-nongroovy-e2e-tests

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[davdhacs]

replacing with #20195
and then we can add jobs/groups piece by piece if we find it helpful