chore: skip full CI for secrets baseline commits

lucarlig · lucarlig · commit 651aa81b6f00 · 2026-06-03T17:27:57.000+01:00
Signed-off-by: lucarlig &lt;luca.carlig@ibm.com&gt;
diff --git a/.github/workflows/alembic-upgrade-validation.yml b/.github/workflows/alembic-upgrade-validation.yml
@@ -47,8 +47,14 @@ permissions:
   actions: read
 
 jobs:
+  ci-decision:
+    uses: ./.github/workflows/secret-baseline-ci-decision.yml
+    with:
+      workflow-file: alembic-upgrade-validation.yml
+
   upgrade-validation:
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    needs: ci-decision
+    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
     name: SQLite + PostgreSQL Fresh/Upgrade
     runs-on: ubuntu-latest
     timeout-minutes: 50
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -45,13 +45,20 @@ concurrency:
 # Minimal permissions - principle of least privilege
 # -----------------------------------------------------------------
 permissions:
+  actions: read
   contents: read # for actions/checkout
   security-events: write # upload SARIF results
   pull-requests: write # post / overwrite PR comment
 
 jobs:
+  ci-decision:
+    uses: ./.github/workflows/secret-baseline-ci-decision.yml
+    with:
+      workflow-file: dependency-review.yml
+
   dependency-review:
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    needs: ci-decision
+    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
     runs-on: ubuntu-slim
     timeout-minutes: 15
 
diff --git a/.github/workflows/docker-multiplatform.yml b/.github/workflows/docker-multiplatform.yml
@@ -45,18 +45,22 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
+  actions: read
   contents: read
 
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
-  # ---------------------------------------------------------------
-  # Build each platform in parallel
-  # ---------------------------------------------------------------
+  ci-decision:
+    uses: ./.github/workflows/secret-baseline-ci-decision.yml
+    with:
+      workflow-file: docker-multiplatform.yml
+
   build:
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    needs: ci-decision
+    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
     name: Build ${{ matrix.suffix }}
     strategy:
       fail-fast: false
diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml
@@ -39,14 +39,21 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
+  actions: read
   contents: read
 
 env:
   IMAGE_NAME: mcp-context-forge-scan
 
 jobs:
+  ci-decision:
+    uses: ./.github/workflows/secret-baseline-ci-decision.yml
+    with:
+      workflow-file: docker-scan.yml
+
   container-smoke:
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    needs: ci-decision
+    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
     name: Container Smoke (${{ matrix.name }})
     runs-on: ubuntu-latest
     timeout-minutes: 30
@@ -86,7 +93,8 @@ jobs:
   # Build image and generate SBOM
   # ---------------------------------------------------------------
   scan:
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    needs: ci-decision
+    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
     name: Security Scan
     runs-on: ubuntu-latest
     timeout-minutes: 30
@@ -152,7 +160,8 @@ jobs:
           retention-days: 30
 
   rust-enabled-build:
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    needs: ci-decision
+    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
     name: Rust-enabled container smoke
     runs-on: ubuntu-latest
     timeout-minutes: 60
diff --git a/.github/workflows/helm-publish.yml b/.github/workflows/helm-publish.yml
@@ -42,15 +42,19 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
+  actions: read
   contents: read
 
 jobs:
-  # -----------------------------------------------------------------------
-  # Lint – always runs to catch chart issues early
-  # -----------------------------------------------------------------------
+  ci-decision:
+    uses: ./.github/workflows/secret-baseline-ci-decision.yml
+    with:
+      workflow-file: helm-publish.yml
+
   lint:
     name: Lint chart
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    needs: ci-decision
+    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
     runs-on: ubuntu-slim
     timeout-minutes: 10
 
diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml
@@ -21,11 +21,18 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
+  actions: read
   contents: read
 
 jobs:
+  ci-decision:
+    uses: ./.github/workflows/secret-baseline-ci-decision.yml
+    with:
+      workflow-file: license-check.yml
+
   license-check:
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    needs: ci-decision
+    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
     runs-on: ubuntu-latest
     timeout-minutes: 20
     steps:
diff --git a/.github/workflows/lint-web.yml b/.github/workflows/lint-web.yml
@@ -25,11 +25,18 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
+  actions: read
   contents: read
 
 jobs:
+  ci-decision:
+    uses: ./.github/workflows/secret-baseline-ci-decision.yml
+    with:
+      workflow-file: lint-web.yml
+
   lint-web:
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    needs: ci-decision
+    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
     strategy:
       fail-fast: false
       matrix:
@@ -139,7 +146,8 @@ jobs:
   # 🐍 Python-based JS Security Scanner (separate job)
   # -------------------------------------------------------
   nodejsscan:
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    needs: ci-decision
+    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
     name: nodejsscan
     runs-on: ubuntu-latest
     timeout-minutes: 20
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -24,6 +24,7 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
+  actions: read
   contents: read
 
 # Keep these pins in lockstep with the *_VERSION variables in the Makefile.
@@ -40,11 +41,14 @@ env:
   TOMLCHECK_VERSION: "0.2.3"
 
 jobs:
-  # ---------------------------------------------------------------
-  # Python linters - run on both mcpgateway/ and plugins/
-  # ---------------------------------------------------------------
+  ci-decision:
+    uses: ./.github/workflows/secret-baseline-ci-decision.yml
+    with:
+      workflow-file: lint.yml
+
   python-lint:
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    needs: ci-decision
+    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
     strategy:
       fail-fast: false
       matrix:
@@ -97,7 +101,8 @@ jobs:
   # Repo-wide syntax/format checkers (run once, not per-target)
   # ---------------------------------------------------------------
   syntax-check:
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    needs: ci-decision
+    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/linting-full.yml b/.github/workflows/linting-full.yml
@@ -20,11 +20,18 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
+  actions: read
   contents: read
 
 jobs:
+  ci-decision:
+    uses: ./.github/workflows/secret-baseline-ci-decision.yml
+    with:
+      workflow-file: linting-full.yml
+
   linting-full:
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    needs: ci-decision
+    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
     name: linting-full
     runs-on: ubuntu-slim
     timeout-minutes: 30
diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml
@@ -12,15 +12,22 @@ on:
   workflow_dispatch:
 
 permissions:
+  actions: read
   contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
+  ci-decision:
+    uses: ./.github/workflows/secret-baseline-ci-decision.yml
+    with:
+      workflow-file: playwright.yml
+
   playwright-ci-smoke:
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    needs: ci-decision
+    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
     name: playwright-ci-smoke
     runs-on: ubuntu-24.04
     timeout-minutes: 40
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -1,6 +1,10 @@
 name: Pre-commit Checks
 
 on:
+  push:
+    branches: ["main"]
+    paths:
+      - ".secrets.baseline"
   pull_request:
     types: [opened, synchronize, ready_for_review]
     branches: ["main"]
@@ -24,14 +28,36 @@ jobs:
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           persist-credentials: false
-          fetch-depth: 0
+          repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
+          fetch-depth: 2
+          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
+
+      - name: Detect secrets-baseline-only latest commit
+        id: baseline_only
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          # Secrets-detection-only allowlist. Keep this narrow.
+          # A baseline-only commit changes exactly:
+          #   .secrets.baseline
+          target_sha="${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}"
+          changed_files="$(git diff-tree --no-commit-id --name-only -r "${target_sha}")"
+          if [[ "${changed_files}" == ".secrets.baseline" ]]; then
+            echo "value=true" >> "${GITHUB_OUTPUT}"
+            echo "Latest commit only changes .secrets.baseline; running detect-secrets validation only."
+          else
+            echo "value=false" >> "${GITHUB_OUTPUT}"
+            echo "Latest commit is not secrets-baseline-only; running full pre-commit."
+          fi
 
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.12"
 
       - name: Set up Go
+        if: steps.baseline_only.outputs.value != 'true'
         uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
           go-version: "1.25.x"
@@ -40,4 +66,9 @@ jobs:
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
 
       - name: Run pre-commit
+        if: steps.baseline_only.outputs.value != 'true'
         run: make --no-print-directory pre-commit
+
+      - name: Run detect-secrets validation
+        if: steps.baseline_only.outputs.value == 'true'
+        run: make --no-print-directory detect-secrets-hook
diff --git a/.github/workflows/pytest-rust.yml b/.github/workflows/pytest-rust.yml
@@ -28,11 +28,18 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
+  actions: read
   contents: read
 
 jobs:
+  ci-decision:
+    uses: ./.github/workflows/secret-baseline-ci-decision.yml
+    with:
+      workflow-file: pytest-rust.yml
+
   test:
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    needs: ci-decision
+    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
     name: pytest-rust
     runs-on: ubuntu-latest
     timeout-minutes: 40
diff --git a/.github/workflows/pytest.yml b/.github/workflows/pytest.yml
@@ -31,11 +31,18 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
+  actions: read
   contents: read
 
 jobs:
+  ci-decision:
+    uses: ./.github/workflows/secret-baseline-ci-decision.yml
+    with:
+      workflow-file: pytest.yml
+
   test:
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    needs: ci-decision
+    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
     name: pytest (py${{ matrix.python }})
     runs-on: ubuntu-latest
     timeout-minutes: 40
diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
@@ -19,11 +19,18 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
+  actions: read
   contents: read
 
 jobs:
+  ci-decision:
+    uses: ./.github/workflows/secret-baseline-ci-decision.yml
+    with:
+      workflow-file: python-package.yml
+
   build-package:
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    needs: ci-decision
+    if: needs.ci-decision.outputs.run-full-ci == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
     runs-on: ubuntu-slim
     timeout-minutes: 20
 
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
diff --git a/.github/workflows/secret-baseline-ci-decision.yml b/.github/workflows/secret-baseline-ci-decision.yml
diff --git a/.github/workflows/sql-sanitizer.yml b/.github/workflows/sql-sanitizer.yml
diff --git a/.github/workflows/vitest.yml b/.github/workflows/vitest.yml
diff --git a/.github/workflows/wrapper.yml b/.github/workflows/wrapper.yml
