chore: skip full CI for secrets baseline commits#5012
Open
lucarlig wants to merge 1 commit into
Open
Conversation
lucarlig
force-pushed
the
user/luca/secret-baseline-ci-guard
branch
15 times, most recently
from
3c0bea8 to
7b73908
Compare
lucarlig
requested review from
Lang-Akshay,
brian-hussey,
crivetimihai,
dawid-nowak and
ja8zyjits
as code owners
lucarlig
force-pushed
the
user/luca/secret-baseline-ci-guard
branch
from
e90ea14 to
737fcad
Compare
This was referenced Jun 4, 2026
lucarlig
dismissed stale reviews from brian-hussey and madhu-mohan-jaishankar
via
8586a57
lucarlig
force-pushed
the
user/luca/secret-baseline-ci-guard
branch
from
737fcad to
8586a57
Compare
Signed-off-by: lucarlig <luca.carlig@ibm.com>
lucarlig
force-pushed
the
user/luca/secret-baseline-ci-guard
branch
from
8586a57 to
2ce130b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🔗 Related Issue
Closes #4953
📝 Summary
Adds a shared CI decision script for secrets-baseline-only latest commits. Full CI is skipped only when the latest commit modifies only
.secrets.baselineand the parent commit already has a successful run for the same workflow and event.The PR workflows that fired in validation now gate their heavy jobs on that decision. Pre-commit still runs detect-secrets validation on the fast path, while Tests & Coverage, Rust CI, Build Python Package, and Vitest skip their heavy jobs after a completed parent run.
🏷️ Type of Change
🧪 Verification
uv run pytest tests/unit/test_secret_baseline_ci_decision_workflow.py -qruby -e 'require "yaml"; ARGV.each { |f| YAML.load_file(f) }; puts "yaml ok"' .github/workflows/*.ymlactionlint -shellcheck= .github/workflows/*.ymlgit diff --check origin/mainmake --no-print-directory detect-secrets-hookact pull_request -W .github/workflows/pre-commit.yml -j ci-decision ...git commit -s✅ Checklist
make black isort pre-commit)📓 Notes (optional)
The secrets-detection-only allowlist is intentionally narrow: one modified
.secrets.baselinefile.GitHub CI validation proof
Dummy PRs were opened with
do-not-merge, used only to validate this CI behavior, then closed after verification:.secrets.baseline-only commit ran the target workflow because the parent commit had no completed CI..secrets.baseline-only commit passed and ran onlymake --no-print-directory detect-secrets-hook..secrets.baseline-only commit ran full pytest..secrets.baseline-only commit skipped pytest after the CI decision job passed..secrets.baseline-only commit ran the package build..secrets.baseline-only commit skippedbuild-packageafter the CI decision job passed..secrets.baseline-only commit ran Vitest..secrets.baseline-only commit skipped Vitest after the CI decision job passed..secrets.baseline-only commit ran full Rust CI..secrets.baseline-only commit skipped Rust heavy jobs after the CI decision job passed.