ci: Introduce <backend|sphinx> jobs as "all green" required jobs (#1514)

Some changes to prepare the setup of the GH merge queue, for which we
need to specify the jobs required to succeed:

- Set filenames as workflow/job names to avoid confusion,
- Add `backend` job that can be used as required 🟢 job,
- Add `sphinx` job that can be used as required 🟢 job,
- Add explicit restricted permissions to the `sphinx` workflow (no
worries, they were already restricted to read-only).

---

For a job to be required, its **workflow** has to be executed and not
skipped.
Before this PR, we skipped entire workflow via path filtering, which is
incompatible with "required jobs".


https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/troubleshooting-required-status-checks#handling-skipped-but-required-checks


![image](https://github.com/user-attachments/assets/a48bab3f-c361-4a55-b933-9cf94057f26c)

Now we always execute workflows, but skip jobs individually based on
modified files.

Author: thomass-dev

.github/workflows/backend.yml

@@ -2,9 +2,6 @@ name: backend
 
 on:
   pull_request:
-    paths:
-      - '.github/workflows/backend.yml'
-      - 'skore/**'
   push:
     branches:
       - main
@@ -15,22 +12,44 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
+permissions: {}
 
 defaults:
   run:
     shell: "bash"
 
 jobs:
+  backend-changes:
+    runs-on: ubuntu-latest
+    outputs:
+      changes: ${{ steps.filter.outputs.backend }}
+    permissions:
+      pull-requests: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Define if at least one file has changed
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          filters: |
+            backend:
+              - '.github/workflows/backend.yml'
+              - 'skore/**'
+
   backend-lint:
     runs-on: "ubuntu-latest"
+    needs: [backend-changes]
+    if: ${{ (github.event_name == 'push') || (needs.backend-changes.outputs.changes == 'true') }}
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: "3.12"
           cache: pip
@@ -46,10 +65,13 @@ jobs:
 
   backend-lockfiles:
     runs-on: "ubuntu-latest"
-    if: ${{ github.event_name == 'pull_request' }}
+    needs: [backend-changes]
+    if: ${{ (contains(fromJSON('["pull_request", "merge_group"]'), github.event_name)) && (needs.backend-changes.outputs.changes == 'true') }}
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 2
 
@@ -66,6 +88,8 @@ jobs:
           fi
 
   backend-test:
+    needs: [backend-changes]
+    if: ${{ (github.event_name == 'push') || (needs.backend-changes.outputs.changes == 'true') }}
     strategy:
       fail-fast: false
       matrix:
@@ -84,20 +108,22 @@ jobs:
             scikit-learn: "1.6"
             coverage: true
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         id: setup-python
         with:
           python-version: ${{ matrix.python }}
           check-latest: True
           cache: pip
 
       - name: Restore python-venv
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         id: cache-python-venv
         with:
           path: 'skore/venv'
@@ -132,7 +158,7 @@ jobs:
           python -m pip install --requirement test-requirements.txt
 
       - name: Save python-venv
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         if: steps.cache-python-venv.outputs.cache-hit != 'true'
         with:
           path: 'skore/venv'
@@ -148,8 +174,7 @@ jobs:
 
       - name: Show dependencies versions
         working-directory: skore/
-        run: |
-          python -c "import skore; skore.show_versions()"
+        run: python -c 'import skore; skore.show_versions()'
 
       - name: Test without coverage
         if: ${{ ! matrix.coverage }}
@@ -167,7 +192,20 @@ jobs:
 
       - name: Upload coverage reports
         if: ${{ matrix.coverage && (github.event_name == 'pull_request') }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: backend-coverage
           path: skore/coverage/
+
+  backend:
+    needs:
+      - backend-changes
+      - backend-lint
+      - backend-lockfiles
+      - backend-test
+    if: ${{ always() }}
+    runs-on: Ubuntu-latest
+    steps:
+      - shell: bash
+        run: |
+          [[  ${{ contains(needs.*.result, 'failure') }} = false ]]

.github/workflows/pr-add-assignee.yml

@@ -1,4 +1,4 @@
-name: add assignee in PR
+name: pr-add-assignee
 
 on:
   pull_request_target:
@@ -7,7 +7,7 @@ on:
 permissions: {}
 
 jobs:
-  add-assignee:
+  pr-add-assignee:
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write

.github/workflows/pr-cleanup.yml

@@ -1,4 +1,4 @@
-name: cleanup PR
+name: pr-cleanup
 
 on:
   pull_request_target:
@@ -11,7 +11,7 @@ defaults:
     shell: "bash"
 
 jobs:
-  clean-artifacts:
+  pr-clean-artifacts:
     if: always()
     runs-on: ubuntu-latest
     permissions:
@@ -55,7 +55,7 @@ jobs:
           HEAD_REPOSITORY_ID: ${{ github.event.pull_request.head.repo.id }}
           HEAD_BRANCH: ${{ github.head_ref }}
 
-  clean-documentation-preview:
+  pr-clean-documentation-preview:
     if: always()
     runs-on: ubuntu-latest
     steps:

.github/workflows/pr-display-backend-coverage.yml

@@ -1,4 +1,4 @@
-name: display backend coverage in PR
+name: pr-display-backend-coverage
 
 on:
   workflow_run:
@@ -12,7 +12,7 @@ concurrency:
 permissions: {}
 
 jobs:
-  display-backend-coverage:
+  pr-display-backend-coverage:
     if: ${{ github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' }}
     runs-on: ubuntu-latest
     permissions:

.github/workflows/pr-lint-title.yml

@@ -1,4 +1,4 @@
-name: lint title in PR
+name: pr-lint-title
 
 on:
   pull_request:
@@ -8,7 +8,7 @@ permissions:
   pull-requests: read
 
 jobs:
-  lint-title:
+  pr-lint-title:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/setup-node@v4

.github/workflows/pr-serve-documentation-preview.yml

@@ -1,4 +1,4 @@
-name: serve documentation preview in PR
+name: pr-serve-documentation-preview
 
 on:
   workflow_run:
@@ -12,7 +12,7 @@ concurrency:
 permissions: {}
 
 jobs:
-  serve-documentation-preview:
+  pr-serve-documentation-preview:
     if: ${{ github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' }}
     runs-on: ubuntu-latest
     permissions:

.github/workflows/sphinx.yml

@@ -48,21 +48,9 @@ name: sphinx
 
 on:
   pull_request:
-    paths:
-      - '.github/actions/sphinx/**'
-      - '.github/workflows/sphinx.yml'
-      - 'examples/**'
-      - 'sphinx/**'
-      - 'skore/**'
   push:
     branches:
       - main
-    paths:
-      - '.github/actions/sphinx/**'
-      - '.github/workflows/sphinx.yml'
-      - 'examples/**'
-      - 'sphinx/**'
-      - 'skore/**'
   release:
     types: [released]
   merge_group:
@@ -72,9 +60,35 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
+  sphinx-changes:
+    runs-on: ubuntu-latest
+    outputs:
+      changes: ${{ steps.filter.outputs.sphinx }}
+    permissions:
+      pull-requests: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Define if at least one file has changed
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          filters: |
+            sphinx:
+              - '.github/actions/sphinx/**'
+              - '.github/workflows/sphinx.yml'
+              - 'examples/**'
+              - 'sphinx/**'
+              - 'skore/**'
+
   sphinx-version:
     runs-on: ubuntu-latest
+    needs: [sphinx-changes]
+    if: ${{ (contains(fromJSON('["push", "release"]'), github.event_name)) || (needs.sphinx-changes.outputs.changes == 'true') }}
     outputs:
       SPHINX_VERSION: ${{ steps.sphinx-version.outputs.SPHINX_VERSION }}
       SPHINX_RELEASE: ${{ steps.sphinx-version.outputs.SPHINX_RELEASE }}
@@ -99,12 +113,15 @@ jobs:
 
   sphinx-build:
     runs-on: ubuntu-latest
-    needs: sphinx-version
+    needs: [sphinx-version]
+    if: ${{ (contains(fromJSON('["push", "release"]'), github.event_name)) || (needs.sphinx-changes.outputs.changes == 'true') }}
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: 'true'
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: '3.12'
           cache: 'pip'
@@ -114,21 +131,25 @@ jobs:
           SPHINX_VERSION: ${{ needs.sphinx-version.outputs.SPHINX_VERSION }}
           SPHINX_RELEASE: ${{ needs.sphinx-version.outputs.SPHINX_RELEASE }}
           SPHINX_DOMAIN: ${{ vars.DOCUMENTATION_DOMAIN }}
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: sphinx-html-artifact
           path: sphinx/build/html/
 
   sphinx-deploy-html:
-    if: ${{ (github.event_name == 'release') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
+    if: ${{ (contains(fromJSON('["push", "release"]'), github.event_name)) }}
     runs-on: ubuntu-latest
     needs: [sphinx-version, sphinx-build]
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          sparse-checkout: .github
 
       - name: Download HTML artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           name: sphinx-html-artifact
           path: html/
@@ -145,8 +166,12 @@ jobs:
     if: ${{ github.event_name == 'release' }}
     runs-on: ubuntu-latest
     needs: [sphinx-version, sphinx-build, sphinx-deploy-html]
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          sparse-checkout: .github
       - shell: python
         run: |
             import os
@@ -239,6 +264,21 @@ jobs:
     if: ${{ always() && (github.event_name != 'pull_request') }}
     needs: [sphinx-version, sphinx-build, sphinx-deploy-html, sphinx-deploy-root-files]
     steps:
-      - uses: geekyeggo/delete-artifact@v5
+      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
         with:
           name: sphinx-html-artifact
+
+  sphinx:
+    needs:
+      - sphinx-changes
+      - sphinx-version
+      - sphinx-build
+      - sphinx-deploy-html
+      - sphinx-deploy-root-files
+      - sphinx-clean-artifacts
+    if: ${{ always() }}
+    runs-on: Ubuntu-latest
+    steps:
+      - shell: bash
+        run: |
+          [[  ${{ contains(needs.*.result, 'failure') }} = false ]]