77 pull_request :
88 branches :
99 - main
10+ paths :
11+ - ' src/**'
12+ - ' Cargo.toml'
13+ - ' Cargo.lock'
14+ - ' Dockerfile*'
15+ - ' .github/workflows/build.yaml'
16+ - ' .github/actions/**'
1017 push :
1118 branches :
1219 - main
3643jobs :
3744
3845 # ─────────────────────────────────────────────────────────────────────────────
39- # PR only: determine which files changed so expensive jobs can be skipped on
40- # docs-only pull requests.
41- # ─────────────────────────────────────────────────────────────────────────────
42- changes :
43- name : 🔍 Detect Changed Files
44- if : github.event_name == 'pull_request'
45- runs-on : ubuntu-latest
46- outputs :
47- code : ${{ steps.filter.outputs.code }}
48- steps :
49- - name : Checkout code
50- uses : actions/checkout@v4
51-
52- - name : Check for changes
53- id : filter
54- uses : dorny/paths-filter@v3
55- with :
56- filters : |
57- code:
58- - 'src/**'
59- - 'Cargo.toml'
60- - 'Cargo.lock'
61-
62- # ─────────────────────────────────────────────────────────────────────────────
63- # License headers — on PR only runs when source files changed.
46+ # License headers — always runs (PRs are pre-filtered by path at the trigger).
6447 # ─────────────────────────────────────────────────────────────────────────────
6548 license-check :
6649 name : ⚖️ Verify SPDX License Headers
6750 runs-on : ubuntu-latest
68- needs : [changes]
69- if : |
70- always() &&
71- (github.event_name != 'pull_request' || needs.changes.outputs.code == 'true')
7251 steps :
7352 - name : Checkout code
7453 uses : actions/checkout@v4
8564 verify-commits :
8665 name : 🔐 Verify Signed Commits
8766 runs-on : ubuntu-latest
88- needs : [changes]
89- if : always()
9067 steps :
9168 - name : Checkout code
9269 uses : actions/checkout@v4
@@ -156,19 +133,13 @@ jobs:
156133 run : cargo clippy --all-targets --all-features -- -D warnings
157134
158135 # ─────────────────────────────────────────────────────────────────────────────
159- # Extract version — all events; acts as the quality gate that downstream jobs
160- # wait on. workflow-type is derived from the GitHub event name .
136+ # Extract version — all events; downstream build jobs depend on this.
137+ # format/clippy are independent PR quality checks and do not gate the build .
161138 # ─────────────────────────────────────────────────────────────────────────────
162139 extract-version :
163140 name : 🏷️ Extract Version Information
164141 runs-on : ubuntu-latest
165- needs : [license-check, verify-commits, format]
166- # Run once all checks that apply to this event have passed or been skipped.
167- if : |
168- always() &&
169- needs.verify-commits.result == 'success' &&
170- (needs.license-check.result == 'success' || needs.license-check.result == 'skipped') &&
171- (needs.format.result == 'success' || needs.format.result == 'skipped')
142+ needs : [license-check, verify-commits]
172143 outputs :
173144 version : ${{ steps.version-chainguard.outputs.version }}
174145 tag_name : ${{ steps.version-chainguard.outputs.tag-name }}
@@ -209,7 +180,6 @@ jobs:
209180 name : 🦀 Build - ${{ matrix.platform.name }}
210181 runs-on : ${{ matrix.platform.runner }}
211182 needs : [extract-version]
212- if : needs.extract-version.result == 'success'
213183 strategy :
214184 fail-fast : false
215185 matrix :
@@ -272,11 +242,10 @@ jobs:
272242 target/release/*.cdx.json
273243
274244 # ─────────────────────────────────────────────────────────────────────────────
275- # PR only: run tests against the pre-built binary .
245+ # Tests — all events; running unconditionally lets docker depend on it simply .
276246 # ─────────────────────────────────────────────────────────────────────────────
277247 test :
278248 name : 🧪 Test
279- if : github.event_name == 'pull_request'
280249 runs-on : ubuntu-latest
281250 needs : [build]
282251 steps :
@@ -310,12 +279,6 @@ jobs:
310279 name : 🐳 Build and Push Docker Image - ${{ matrix.variant.name }}
311280 runs-on : ubuntu-latest
312281 needs : [build, extract-version, test]
313- # Allow test to be skipped (push / release) but require build to succeed.
314- if : |
315- always() &&
316- needs.build.result == 'success' &&
317- needs.extract-version.result == 'success' &&
318- (needs.test.result == 'success' || needs.test.result == 'skipped')
319282 permissions :
320283 contents : read
321284 packages : write
@@ -462,7 +425,6 @@ jobs:
462425 name : 🔏 Attest Docker Image - ${{ matrix.variant.name }}
463426 runs-on : ubuntu-latest
464427 needs : [docker, extract-version]
465- if : needs.docker.result == 'success'
466428 permissions :
467429 id-token : write
468430 attestations : write
@@ -499,11 +461,7 @@ jobs:
499461 security :
500462 name : 🛡️ Security Vulnerability Scan
501463 runs-on : ubuntu-latest
502- needs : [changes, license-check, verify-commits]
503- if : |
504- always() &&
505- needs.verify-commits.result == 'success' &&
506- (github.event_name != 'pull_request' || needs.changes.outputs.code == 'true')
464+ needs : [verify-commits]
507465 steps :
508466 - name : Checkout code
509467 uses : actions/checkout@v4
@@ -529,17 +487,12 @@ jobs:
529487 run : make gitleaks
530488
531489 # ─────────────────────────────────────────────────────────────────────────────
532- # Container security scan — push and release only (not PRs) .
490+ # Container security scan — all events .
533491 # ─────────────────────────────────────────────────────────────────────────────
534492 trivy :
535493 name : 🔭 Container Security Scan - ${{ matrix.variant.name }}
536494 runs-on : ubuntu-latest
537495 needs : [docker, extract-version]
538- if : |
539- always() &&
540- github.event_name != 'pull_request' &&
541- needs.docker.result == 'success' &&
542- needs.extract-version.result == 'success'
543496 strategy :
544497 fail-fast : false
545498 matrix :
0 commit comments