chore(ci): Add path filters and concurrency groups to reduce Actions minutes

[bjcoombs]

Summary

Reduce GitHub Actions minute consumption by adding path filters and concurrency groups to 9 workflows. Current usage: 316k minutes in 90 days (~58 hrs/day of CI time on free runners).

Changes

Path filters added (skip workflows when irrelevant files change)

Workflow	Trigger scope	Paths
test.yml	Go tests (3 shards)	**.go, go.mod, go.sum, api/proto/**, buf.gen.yaml, Makefile
build.yml	Docker build	**.go, go.mod, go.sum, Dockerfile, api/proto/**, buf.gen.yaml
quality.yml	Lint (Go, shell, Tilt)	**.go, go.mod, go.sum, **.sh, Tiltfile, api/proto/**, .golangci.yml
proto.yml	Proto lint + breaking	api/proto/**, buf.yaml, buf.gen.yaml, buf.lock
markdown.yml	Markdown lint	**.md, .markdownlint-cli2.jsonc, package.json
saga-validation.yml	Push trigger (PR already had paths)	Same paths as existing PR trigger

Concurrency groups added (cancel superseded runs)

Workflow	Cancel policy
proto.yml	Always cancel in-progress
markdown.yml	Always cancel in-progress
saga-validation.yml	Always cancel in-progress
e2e.yml	Always cancel in-progress
codeql.yml	Cancel on PRs only (preserve scheduled/push runs)
security.yml	Cancel on PRs only (preserve scheduled/push runs)

Not changed (intentionally)

• codeql.yml / security.yml: No path filters — security scanning should always run on every change
• claude-review.yml / claude.yml: Already scoped appropriately
• nightly.yml / kafka-integration-tests.yml: Manual/scheduled only

Impact estimate

• test.yml is the biggest win: 3 parallel shards on every push, now skipped for docs/frontend/proto-only changes
• Concurrency groups prevent run stacking during marathon mode (4-5 teammates pushing simultaneously)
• No required status checks configured, so skipped workflows won't block merging

Risk

Low. Path filters are additive-only (no existing triggers removed). Each workflow includes its own .github/workflows/<name>.yml in paths so trigger changes are self-testing.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d4e63206-cb9d-40e6-a98b-6747dabed3fc

📥 Commits

Reviewing files that changed from the base of the PR and between e4501d4 and e159ab3.

📒 Files selected for processing (1)

• .github/workflows/build.yml

---

📝 Walkthrough

Walkthrough

Nine GitHub Actions workflow files were updated to add path-based triggers and/or concurrency blocks to control when workflows run and to manage cancellation of concurrent runs for push and pull_request events.

Changes

Cohort / File(s)	Summary
Path Filters for Workflows /.github/workflows/build.yml, /.github/workflows/quality.yml, /.github/workflows/test.yml	Added path-based triggers for push and pull_request to limit runs to relevant files (Go sources **/*.go, go.mod, go.sum, API proto files api/proto/**, buf.* files, Makefile, Dockerfile, and the workflow files themselves). No changes to jobs or steps.
Path Filters + Concurrency /.github/workflows/markdown.yml, /.github/workflows/proto.yml, /.github/workflows/saga-validation.yml	Added path-based triggers scoped to Markdown, proto, and saga-related files respectively, and introduced a concurrency block grouping runs by workflow and PR/ref with cancel-in-progress enabled for PR events.
Concurrency Management Only /.github/workflows/codeql.yml, /.github/workflows/e2e.yml, /.github/workflows/security.yml	Added a concurrency block using group `${{ github.workflow }}-${{ github.event.pull_request.number

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore(ci): Add path filters and concurrency groups to reduce Actions minutes' is clear, specific, and directly summarizes the main changes across the PR—adding path filters and concurrency groups to optimize CI.
Description check	✅ Passed	The description is detailed and highly relevant, explaining the rationale (high Actions minute consumption), specific workflows modified, the path filters and concurrency groups added, intentional omissions, and impact assessment.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch optimize-ci-minutes

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build.yml:
- Around line 8-15: The workflow's paths filter under the "paths:" block omits
buf.yaml and buf.lock so changes to protobuf config/lock won't trigger the
build; update the paths list to include 'buf.yaml' and 'buf.lock' alongside the
existing entries (the same change should be applied where the duplicate paths
block appears) so edits that affect buf generate will correctly trigger the
workflow.

In @.github/workflows/quality.yml:
- Around line 6-15: The workflow's paths filter is missing Buf config files so
changes to buf.yaml/buf.lock won't trigger the quality job; update the paths
arrays in .github/workflows/quality.yml (the paths list entries shown around the
existing '**.go', 'go.mod', etc.) to include 'buf.yaml' and 'buf.lock' (and add
them to the second paths block referenced around lines 18-27) so that
modifications to Buf config/lockfiles will run the buf generate/lint checks.

In @.github/workflows/test.yml:
- Around line 6-13: Update the workflow path filters so changes to root-level
buf configuration trigger the job: add "buf.yaml" and "buf.lock" to the paths
list alongside the existing "buf.gen.yaml" and "api/proto/**". Locate the paths
block in the test workflow (the paths: list that currently includes '**.go',
'go.mod', 'go.sum', 'api/proto/**', 'buf.gen.yaml', 'Makefile',
'.github/workflows/test.yml') and insert 'buf.yaml' and 'buf.lock' so buf
generate runs will be triggered when those files change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e6a87f28-2a20-4566-9390-c53e536f828f

📥 Commits

Reviewing files that changed from the base of the PR and between 1718c49 and cf76be1.

📒 Files selected for processing (9)

• .github/workflows/build.yml
• .github/workflows/codeql.yml
• .github/workflows/e2e.yml
• .github/workflows/markdown.yml
• .github/workflows/proto.yml
• .github/workflows/quality.yml
• .github/workflows/saga-validation.yml
• .github/workflows/security.yml
• .github/workflows/test.yml

[claude]

Review complete. 1 inline suggestion plus bot thread assessment in summary comment.

[claude]

Claude Code Review

Commit: e159ab3 | CI: mostly passing (E2E shards, some CodeQL/security/test shards still pending)

Summary: Clean, well-scoped CI optimization. All previous review feedback (from both CodeRabbit and my earlier review) has been addressed across two follow-up commits. e4501d4 added buf.yaml, buf.lock, Makefile to path filters where workflows use buf generate or make. e159ab3 removed path filter from build.yml push trigger to protect tag-based releases -- smart fix for the tag push edge case I flagged. The changes are additive-only (no existing triggers removed), each workflow self-references its own YAML in paths (self-testing), and the author made deliberate choices about which workflows should NOT get path filters (security scanning).

Risk Assessment

Area	Level	Detail
Blast radius	Low	Worst case: a workflow skips when it should not, caught on next push
Rollback	Safe	Revert the commit, all workflows return to previous behavior
Scale	N/A	Reduces CI load, no runtime impact
Cross-system	Low	No required status checks configured, skipped workflows will not block merging
Migration	N/A	No database changes

Findings: No actionable findings remain. All items from the previous review have been addressed.

Bot Review Notes: All 3 CodeRabbit threads and both previous claude[bot] threads are resolved. CodeRabbit flagged buf.yaml/buf.lock missing from build, quality, test path filters -- fixed in e4501d4. claude[bot] flagged Makefile missing from build path filter -- fixed in e4501d4. claude[bot] flagged path filter on push trigger risks breaking tag releases -- fixed in e159ab3 by removing push path filter entirely.

Previously Flagged

Severity	Location	Description	Status
Improvement	build.yml	Missing Makefile in path filter	Resolved in e4501d4
Improvement	build.yml	Path filter on push risks breaking tag releases	Resolved in e159ab3

[claude]

Low-risk, well-structured CI optimization. One non-blocking suggestion about tag+paths interaction in build.yml. See summary comment for details.

Stale bot review — findings addressed

[claude]

All previous findings addressed. No new issues found. See summary comment for full details.