Skip to content

Gate CI test jobs via change scanning instead of workflow-level paths-ignore#8979

Open
SID-6921 wants to merge 2 commits into
Project-MONAI:devfrom
SID-6921:ci-gate-tests-by-change-scan-8971
Open

Gate CI test jobs via change scanning instead of workflow-level paths-ignore#8979
SID-6921 wants to merge 2 commits into
Project-MONAI:devfrom
SID-6921:ci-gate-tests-by-change-scan-8971

Conversation

@SID-6921

@SID-6921 SID-6921 commented Jul 3, 2026

Copy link
Copy Markdown

Summary

  • remove workflow-level paths-ignore from cicd_tests.yml so required CI checks always register on PRs
  • add a lightweight changes job that computes whether non-doc files changed
  • gate heavy CI jobs (static-checks, min-dep, ull-dep, packaging) on
    eeds.changes.outputs.run_tests

Why

Workflow-level paths-ignore can prevent required checks from appearing at all for doc-only PRs, which blocks mergeability. With this change, checks are always created, and heavy jobs are skipped only when changes are docs-only.

Change Detection Logic

  • treats docs/**, *.md, and *.rst as documentation-only changes
  • runs tests when any other file changes
  • handles both pull_request and push events

Related: #8971

Signed-off-by: SID <nandasiddhardha@gmail.com>
@SID-6921 SID-6921 requested a review from KumoLiu as a code owner July 3, 2026 06:00
Copilot AI review requested due to automatic review settings July 3, 2026 06:00
@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 05374070-719c-44e2-8b63-5c6cbb66ddfe

📥 Commits

Reviewing files that changed from the base of the PR and between 69ba220 and e602050.

📒 Files selected for processing (1)
  • .github/workflows/cicd_tests.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/cicd_tests.yml

📝 Walkthrough

Walkthrough

Changes

File Change Summary
.github/workflows/cicd_tests.yml Removed doc-only paths-ignore filtering; added a changes job that computes run_tests; gated static-checks, min-dep, full-dep, and packaging on that output.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Trigger
  participant changes
  participant static-checks
  participant min-dep
  participant full-dep
  participant packaging
  Trigger->>changes: start workflow
  changes->>changes: inspect changed files and set run_tests
  changes->>static-checks: run_tests output
  changes->>min-dep: run_tests output
  changes->>full-dep: run_tests output
  changes->>packaging: run_tests output
Loading

Related Issues: None specified.

Related PRs: None specified.

Suggested labels: ci, github-actions

Suggested reviewers: CI maintainers

Poem
Docs alone take a quieter path,
Changed files now choose the CI math.
If code is touched, the jobs proceed,
If not, the workflow meets the need.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is relevant but misses the required template fields and checkbox section. Add the Fixes #... line and the Types of changes checklist, and align the wording with the repository template.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly states the CI gating change and matches the workflow update.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the main CI workflow to avoid workflow-level paths-ignore (which can prevent required checks from registering), and instead introduces a “changes” pre-job that decides whether to run heavy CI based on whether any non-documentation files changed.

Changes:

  • Remove workflow-level paths-ignore from .github/workflows/cicd_tests.yml so checks always register on PRs.
  • Add a changes job that computes a run_tests output by diffing changed files and treating docs/**, *.md, and *.rst as docs-only.
  • Gate heavy jobs (static-checks, min-dep, full-dep, packaging) on needs.changes.outputs.run_tests.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/cicd_tests.yml Outdated
Comment on lines +61 to +64
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
base_ref="origin/${{ github.base_ref }}"
git fetch origin "${{ github.base_ref }}" --depth=1
changed_files=$(git diff --name-only "$base_ref"..."${{ github.sha }}")
Comment on lines +52 to +54
- uses: actions/checkout@v6
with:
fetch-depth: 0

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cicd_tests.yml:
- Around line 52-54: The read-only checkout in the workflow still persists Git
credentials, which is unnecessary for this job. Update the actions/checkout step
in the CI workflow to explicitly disable credential persistence by setting
persist-credentials to false alongside fetch-depth, so the checkout does not
store the token in git config.
- Around line 47-51: The changes job in the workflow is missing an explicit
permissions block, so it inherits broader default GITHUB_TOKEN access than
needed. Add a least-privilege permissions setting to the changes job itself,
keeping only the read access required for diffing repository files. Update the
job definition near the changes and steps keys so the permissions are scoped
directly to that job.
- Around line 61-72: The PR diff in the workflow step is interpolating
github.base_ref directly into the shell script, which triggers
template-injection concerns. Update the changed-files logic to pass
github.base_ref into the step via env and read it as a shell variable inside the
script instead of embedding it in base_ref assignment and git fetch. Keep the
existing behavior in the pull_request branch, but ensure both the base_ref
calculation and fetch call use the env-backed variable rather than a GitHub
expression.
- Around line 58-84: The changes-detection step in cicd_tests.yml can fail
closed under set -euo pipefail when git fetch or git diff errors, which prevents
the changes job from setting a safe default. Update the shell logic around the
changed_files computation so any diff-detection failure in the current changes
job path falls back to run_tests=true instead of exiting, and add a timeout to
the fetch/diff operation; keep the fix localized to the workflow step that uses
github.event_name, git fetch, git diff, and the run_tests output.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ab8d4120-9cd5-4085-878c-b868b0a749c5

📥 Commits

Reviewing files that changed from the base of the PR and between 5be3db9 and 69ba220.

📒 Files selected for processing (1)
  • .github/workflows/cicd_tests.yml

Comment thread .github/workflows/cicd_tests.yml
Comment thread .github/workflows/cicd_tests.yml
Comment on lines +58 to +84
run: |
set -euo pipefail

if [[ "${{ github.event_name }}" == "pull_request" ]]; then
base_ref="origin/${{ github.base_ref }}"
git fetch origin "${{ github.base_ref }}" --depth=1
changed_files=$(git diff --name-only "$base_ref"..."${{ github.sha }}")
else
before="${{ github.event.before }}"
if [[ -z "$before" || "$before" == "0000000000000000000000000000000000000000" ]]; then
echo "run_tests=true" >> "$GITHUB_OUTPUT"
exit 0
fi
changed_files=$(git diff --name-only "$before"..."${{ github.sha }}")
fi

run_tests=false
while IFS= read -r file; do
[[ -z "$file" ]] && continue
if [[ "$file" == docs/* || "$file" == *.md || "$file" == *.rst ]]; then
continue
fi
run_tests=true
break
done <<< "$changed_files"

echo "run_tests=$run_tests" >> "$GITHUB_OUTPUT"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

git ls-files .github/workflows && echo '---' && sed -n '1,220p' .github/workflows/cicd_tests.yml

Repository: Project-MONAI/MONAI

Length of output: 8407


🌐 Web query:

GitHub Actions skipped job required status check branch protection treated as success or failure

💡 Result:

GitHub treats a skipped job as a successful status for the purposes of branch protection [1][2][3]. When a job is skipped—for example, due to a conditional if expression—it reports its status as "Success," meaning it will not block a pull request from merging even if that job is configured as a required status check [1][2][4]. However, the behavior differs depending on why the job was skipped: 1. Job-level conditionals: If a job within a workflow is skipped because its if condition evaluated to false, it is treated as a success [5][2]. This can lead to unintended results if you rely on that job to validate your code [6]. 2. Workflow-level filtering: If an entire workflow is skipped due to path filtering, branch filtering, or a commit message, the associated checks will remain in a "Pending" state [7][2][8]. Because they never report a status, they will block the pull request from merging if they are configured as required [7][2][8]. 3. Dependency chains: If a job is skipped because a prerequisite job failed, it is also treated as a success [6][2]. To prevent this, you can use the always() conditional expression in your job's if field to ensure the job runs (and reports a failure) even if its dependencies failed [6][2][8]. For required checks that depend on conditions, it is generally recommended to avoid using path or branch filtering if the workflow is required for merging [8]. Instead, consider using the always() function to ensure that downstream jobs explicitly report a failure status if required upstream tasks do not succeed [6][2].

Citations:


🏁 Script executed:

rg -n "needs: changes|timeout-minutes:|if: needs\.changes\.outputs\.run_tests" .github/workflows/cicd_tests.yml

Repository: Project-MONAI/MONAI

Length of output: 520


Fail open when diff detection breaks .github/workflows/cicd_tests.yml:58-84
git fetch/git diff under set -euo pipefail can fail the changes job, which skips every needs: changes test job. Skipped required checks pass, so a transient diff error can let untested changes merge. Default run_tests=true on diff failures and add a timeout.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 47-84: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[error] 62-62: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[error] 63-63: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cicd_tests.yml around lines 58 - 84, The changes-detection
step in cicd_tests.yml can fail closed under set -euo pipefail when git fetch or
git diff errors, which prevents the changes job from setting a safe default.
Update the shell logic around the changed_files computation so any
diff-detection failure in the current changes job path falls back to
run_tests=true instead of exiting, and add a timeout to the fetch/diff
operation; keep the fix localized to the workflow step that uses
github.event_name, git fetch, git diff, and the run_tests output.

Comment thread .github/workflows/cicd_tests.yml Outdated
…ars for template injection safety, fail-open on diff errors

Signed-off-by: SID <nandasiddhardha@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants