Summary

Adds a changes job using dorny/paths-filter that detects which file groups changed on a PR. Downstream jobs declare needs: [changes] and skip when their relevant files are untouched. An all-checks umbrella job aggregates all results so branch protection has a single, reliable gate.

How it works

flowchart TD
    PR([pull_request event]):::event --> changes

    changes["changes\ndorny/paths-filter\n─────────────────\noutputs: source / docker / vendor"]:::filter

    changes -->|source=true| unit-test
    changes -->|source=true| browser-test
    changes -->|docker=true| docker-build
    changes -->|docker=true| dockerfile-check
    changes -->|vendor=true| verify-vendor-integrity
    changes -. always runs .-> verify-npm-packages
    changes -. always runs .-> code-quality

    unit-test:::job --> all-checks
    browser-test:::job --> all-checks
    docker-build:::job --> all-checks
    dockerfile-check:::job --> all-checks
    verify-vendor-integrity:::job --> all-checks
    verify-npm-packages:::job --> all-checks
    code-quality:::job --> all-checks
    changes --> all-checks

    all-checks{"all-checks\nif: always()\n──────────────────────────────\n✅ pass → all results are success or skipped\n❌ fail → any result is failure or cancelled"}:::gate

    classDef event fill:#6366f1,color:#fff,stroke:none
    classDef filter fill:#0ea5e9,color:#fff,stroke:none
    classDef job fill:#64748b,color:#fff,stroke:none
    classDef gate fill:#16a34a,color:#fff,stroke:none

On push to master or workflow_dispatch, the changes job is skipped (its if: condition excludes non-PR events). Every downstream job sees needs.changes.result == 'skipped' and runs unconditionally — full CI on every master merge, no exceptions.

What skips and when (PR events only)

Why all-checks is secure

all-checks explicitly needs: [changes]. This means:

• If a test job fails → its result is failure → jq check rejects it → all-checks fails ❌
• If a test job is skipped by path filter → result is skipped → jq check accepts it → all-checks passes ✅
• If changes itself errors → its result is failure (not skipped) → all-checks catches it and fails ❌

GitHub job results are exactly one of success | failure | cancelled | skipped. Only success and skipped pass. A real failure can never sneak through.

Required: branch protection update (admin action)

Branch protection currently requires the individual job names. To make this work, a repo admin needs to replace those with all-checks as the single required check. The individual jobs still run and report status — they just aren't the merge gate anymore.

Expected savings on infra-only PRs

Before: ~12 min wall time (blocked on docker-build + browser-test + unit-test ×3)
After: ~3 min wall time (only changes + code-quality + verify-npm-packages run)

Test plan

• Open a PR touching only Dockerfile — verify unit-test and browser-test are skipped, docker-build runs, all-checks passes
• Open a PR touching only modules/sdk-core/src — verify docker-build is skipped, unit-test and browser-test run, all-checks passes
• Force-fail a test job — verify all-checks fails and blocks merge
• Merge to master — verify all jobs run unconditionally

Closes WCN-974