From c37ee2fb90bc588c63ff0ad22bf53a2264d1b5fe Mon Sep 17 00:00:00 2001 From: Gokul Krishnaa Devaraju Date: Tue, 16 Jun 2026 13:59:40 -0700 Subject: [PATCH 1/2] ci(root): add path filters to skip irrelevant jobs per PR Adds a `changes` job using dorny/paths-filter to detect which file groups changed. Downstream jobs skip when their files are unaffected: - unit-test, browser-test: skip when only Dockerfile/infra files change - docker-build, dockerfile-check: skip when only source modules change - verify-vendor-integrity: skip when modules/argon2 is untouched - code-quality, verify-npm-packages: always run On push to master and workflow_dispatch the changes job is skipped, causing all downstream jobs to run unconditionally via the `needs.changes.result == 'skipped'` guard. Action pinned to SHA (fbd0ab8f # v4.0.1) matching internal convention used in bitgo-retail and mobile-native. Ref: WCN-974 Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/ci.yml | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 820eedb529..a4942683dd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml 
@@ -18,8 +18,41 @@ env: SOCKET_SECURITY_MODE: monitor # Options: monitor (non-blocking) or block (fails on vulnerabilities) jobs: + # Detect which file groups changed so downstream jobs can skip when irrelevant. + # Only runs on pull_request — on push/workflow_dispatch it is skipped, which causes + # downstream jobs (via `needs.changes.result == 'skipped'`) to run unconditionally. + changes: + runs-on: ubuntu-latest + if: github.event_name == 'pull_request' + outputs: + source: ${{ steps.filter.outputs.source }} + docker: ${{ steps.filter.outputs.docker }} + vendor: ${{ steps.filter.outputs.vendor }} + steps: + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 + id: filter + with: + filters: | + source: + - 'modules/**' + - 'package.json' + - 'yarn.lock' + - 'tsconfig*.json' + - 'lerna.json' + docker: + - 'Dockerfile' + - '.dockerignore' + - 'modules/**' + - 'package.json' + - 'yarn.lock' + - 'lerna.json' + vendor: + - 'modules/argon2/**' + unit-test: runs-on: ubuntu-latest + needs: [changes] + if: always() && (needs.changes.result == 'skipped' || needs.changes.outputs.source == 'true') strategy: fail-fast: false
@@ -146,6 +179,8 @@ jobs: browser-test: runs-on: ubuntu-22.04 + needs: [changes] + if: always() && (needs.changes.result == 'skipped' || needs.changes.outputs.source == 'true') steps: - uses: socketdev/action@v1
@@ -242,6 +277,8 @@ jobs: docker-build: runs-on: ubuntu-latest + needs: [changes] + if: always() && (needs.changes.result == 'skipped' || needs.changes.outputs.docker == 'true') steps: - uses: actions/checkout@v6
@@ -314,6 +351,8 @@ jobs: verify-vendor-integrity: runs-on: ubuntu-latest + needs: [changes] + if: always() && (needs.changes.result == 'skipped' || needs.changes.outputs.vendor == 'true') steps: - uses: actions/checkout@v6 
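Review bot: The `if: always() && (...)` guard added to unit-test here (and identically to browser-test, docker-build and verify-vendor-integrity in the three hunks that follow, and to dockerfile-check in the hunk after them) also evaluates true when the workflow run is cancelled, so a cancelled PR run still launches these jobs; GitHub's documented form for "run even when a dependency was skipped" is `if: ${{ !cancelled() && (needs.changes.result == 'skipped' || needs.changes.outputs.source == 'true') }}`, wrapped in `${{ }}` because a leading `!` would otherwise be read as a YAML tag. The new `changes` job declares no `permissions:` block; dorny/paths-filter lists changed files through the pull-request API on `pull_request` events, so if the workflow-level default (outside this hunk) is narrower than `pull-requests: read`, the filter job fails and every guarded job is skipped. Giving the job its own `permissions:` / `pull-requests: read` pins the least privilege it needs independent of the workflow default. The unit-test job body continues past the end of this hunk.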
@@ -336,6 +375,8 @@ jobs: dockerfile-check: runs-on: ubuntu-latest + needs: [changes] + if: always() && (needs.changes.result == 'skipped' || needs.changes.outputs.docker == 'true') steps: - uses: socketdev/action@v1 From 35067e9a697dd8d51a6ffb26894f34603fc248a6 Mon Sep 17 00:00:00 2001 From: Gokul Krishnaa Devaraju Date: Wed, 17 Jun 2026 23:45:53 -0700 Subject: [PATCH 2/2] ci(root): add all-checks umbrella job for branch protection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds an `all-checks` job (if: always()) that aggregates every skippable job. It passes when each dependency result is `success` or `skipped`, and fails on `failure` or `cancelled` — so no broken job can sneak through. `changes` is explicitly listed in needs: if the path-filter job itself errors, its result is `failure` (not `skipped`), which the jq check rejects and blocks the merge. Branch protection should require `all-checks` instead of the individual job names so that CI-only PRs (tests intentionally skipped) can merge while still blocking PRs where tests actually fail. Ref: WCN-974 Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/ci.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a4942683dd..ffe47c8226 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml 
@@ -413,3 +413,27 @@ jobs:
 git diff -- . ':!yarn.lock'
 exit 1
 fi
+
+ # Umbrella job that branch protection should require instead of individual jobs.
+ # Passes when every dependency either succeeded or was intentionally skipped,
+ # so CI-only PRs (where tests are skipped by path filters) can still merge.
+ # `changes` is included in needs so a failure there (not a skip) is caught and
+ # blocks the merge — preventing test jobs from being falsely skipped.
+ all-checks:
+ runs-on: ubuntu-latest
+ if: always()
+ needs:
+ - changes
+ - unit-test
+ - browser-test
+ - docker-build
+ - dockerfile-check
+ - verify-vendor-integrity
+ - verify-npm-packages
+ - code-quality
+ steps:
+ - name: All checks passed or skipped
+ run: |
+ results='${{ toJSON(needs) }}'
+ echo "$results"
+ echo "$results" | jq -e '[.[].result] | all(. == "success" or . == "skipped")'
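Review bot: `results='${{ toJSON(needs) }}'` in the new run step expands the expression into the script text before the shell sees it, so a single quote in any job output would break the quoting, and GitHub's script-injection guidance is to keep `${{ }}` out of `run:` bodies and pass values through `env:` instead. The interpolated data here is only job results plus the 'true'/'false' filter outputs, so the practical exposure is small, but the idiomatic form costs nothing: add `env:` / `RESULTS: ${{ toJSON(needs) }}` to the step, drop the `results=` assignment, and read `"$RESULTS"` in the two `echo` lines. The `needs` list is also the whole enforcement boundary — a job added to the workflow later but not listed here is silently not gated — which the header comment should state, e.g. `# Every job that must gate the merge has to be listed in needs below; an unlisted job is not checked.`.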