ci: gate workflows by changed paths

[donbeave]

Summary

Make heavy CI workflows path-aware so docs-only or otherwise unrelated changes do not run Rust, construct-image, or Homebrew-preview work. Each affected workflow keeps its push / pull_request / workflow_dispatch triggers (so the GitHub check list stays stable for branch protection), but gates expensive jobs on a small changes classifier job that delegates to dorny/paths-filter@v4.0.1 (SHA-pinned). Rust CI runs only when Rust inputs change (including build.rs and docker/runtime/**, both of which feed the compiled binary), construct-image builds run only when Docker inputs change, docs build/deploy runs only when docs change, and Homebrew preview publishing runs only when source inputs change on main. Manual workflow_dispatch short-circuits every classifier — operator runs always exercise the heavy job, regardless of which paths happened to change. The PR also bumps MISE_VERSION from 2026.5.1 to 2026.5.3 (the mise apt repo currently exposes only the latest stable, which broke the construct image build) and adds Renovate regex managers for docker/construct/versions.env. The MISE manager uses the deb datasource pointed at the apt repo the Dockerfile installs from, not GitHub releases, so the update signal lines up with the package source actually consumed by the build. The Homebrew-preview classifier reads the previously-published preview SHA out of the live jackin-preview.rb formula on github.com and uses that as the diff base, so a multi-commit push (rebase merge / linear merge / direct push) cannot hide a source change behind a docs-only HEAD commit. The classifier fails open on any transport failure or unreachable parent ref so a transient git diff failure cannot silently skip a publish.

The construct workflow's build-amd64 and build-arm64 jobs were near-identical 50-line clones; they are now a single matrix-strategy build job, and the publish-manifest job has dropped its unused setup-buildx-action + Bootstrap buildx pair (manifest assembly is a registry-side operation that does not need a local builder). The five-times-repeated push || (workflow_dispatch && main) boolean across that workflow is hoisted into a single is_publish output on the changes job, so downstream gates read needs.changes.outputs.is_publish instead of restating the expression. The deployed-docs lychee link-check sequence shared by deploy and check-deployed is now a composite action at .github/actions/check-deployed-docs/action.yml. The aggregator-job pattern shared by all three path-aware workflows is now a composite action at .github/actions/aggregate-needs/action.yml; each workflow ends in a *-required job that calls it, giving branch protection a single stable check name to require regardless of how many gated jobs sit beneath it. A new Renovate Validate workflow asserts that the mise deb registry URL still resolves and still lists the mise package, so a renamed upstream cannot silently re-introduce the version drift the customManagers were added to prevent.

What's deferred (follow-up PRs)

• Workflow consolidation (4 → 1 mega-workflow) — investigated but not landed. Estimated savings (~$0.72/month at current PR volume) do not justify decoupling preview release from Rust-only CI success: with consolidation, a docs lychee flake would block the Rust binary preview release. If billing pressure changes, the next step is a 2-workflow split (Rust standalone + assets combined) rather than full consolidation.
• Branch-protection rule configuration — protection on main currently has no required status checks (gh api repos/jackin-project/jackin/branches/main/protection → 404). The new *-required aggregator jobs are forward-looking infrastructure; a separate operator action will list them in the protection rule when ready.
• Harden the environment-sensitive Rust test that surfaced when this PR was first opened (separate change — this PR only prevents docs-only merges from triggering it).
• Schema-validate renovate.json in CI — the renovate-config-validator npm package's behavior on customManagers.managerFilePatterns varies across versions in a way that produced false negatives during this PR's CI run; the live Renovate bot validates the file on every dependency-dashboard cycle, so a real schema break still surfaces — just one day later instead of in CI.
• Share source-path globs between ci.yml's paths-filter and preview.yml's bash classifier (currently the Cargo.*, build.rs, src/**, docker/runtime/** lists are duplicated across the two workflows).

Verify locally

Checkout

Paste this first to bypass the tirith paste scanner for the rest of the session:

export TIRITH=0

Then paste the checkout block:

mkdir -p "$HOME/Projects/jackin-project/test"
cd "$HOME/Projects/jackin-project/test"

if [ ! -d jackin/.git ]; then
  git clone https://github.com/jackin-project/jackin.git
fi

cd jackin
mise trust
git fetch -f origin ci/path-aware-workflows:refs/remotes/origin/ci/path-aware-workflows
git checkout -B ci/path-aware-workflows refs/remotes/origin/ci/path-aware-workflows

Static Checks

for f in .github/workflows/ci.yml .github/workflows/docs.yml .github/workflows/construct.yml .github/workflows/preview.yml .github/workflows/renovate-validate.yml .github/actions/check-deployed-docs/action.yml .github/actions/aggregate-needs/action.yml; do
  yq . "$f" >/dev/null
done
jq . renovate.json >/dev/null
curl -fsSL https://mise.jdx.dev/deb/dists/stable/main/binary-amd64/Packages | rg '^Package: mise$' | head -1
curl -fsSL https://mise.jdx.dev/deb/dists/stable/main/binary-amd64/Packages | rg '^Version: 2026\.5\.3$' | head -1
curl -fsSL https://mise.jdx.dev/deb/dists/stable/main/binary-arm64/Packages | rg '^Version: 2026\.5\.3$' | head -1

These confirm each workflow YAML and the two composite-action manifests parse, the Renovate JSON parses, the deb registry URL the new MISE manager points at currently lists mise, and the bumped mise version is present in both apt indexes used by the construct image build. The end-to-end behavior (which workflows run for which event types and changed paths) is verified by GitHub Actions itself on this PR, since the workflows under review are the ones gating themselves.

[donbeave]

I found two path-gating regressions that look worth comparing against another review pass. Posting as non-blocking review feedback with repository-relative paths only.

• [P2] Don't skip CI for build script/runtime changes — .github/workflows/ci.yml, line 49

  When a PR only changes build.rs or docker/runtime/entrypoint.sh, this classifier leaves rust=false, so check and msrv are skipped even though both files affect the Rust build. build.rs contributes build-time version metadata, and src/derived_image.rs includes the runtime entrypoint at compile time. Add these compile-time inputs to the Rust path filter so those changes still get validated.

• [P2] Compare the whole pushed range for preview gating — .github/workflows/preview.yml, line 71

  For a rebase, linear merge, or direct push containing multiple commits, this checks only the last commit via parent...sha. A source change in an earlier commit followed by a docs-only final commit can skip the Homebrew preview update even though CI ran for the full push. Use the full pushed range from the triggering event, or another source of the push's changed files, instead of only the first parent of the head commit.

[donbeave]

Fresh review feedback for comparison by another agent. This is not an operator directive; please treat it as one reviewer's analysis to evaluate against the current PR intent.

Finding

• [P2] Docs path gate now skips repo-file link validation for source-only changes — .github/workflows/docs.yml, line 72

  The docs classifier only marks docs as changed for .github/workflows/docs.yml or docs/*. That means a PR that only renames or deletes a referenced repository file, for example src/runtime/launch.rs, skips docs-link-check entirely.

  This appears to regress the docs contract in docs/AGENTS.md: repository file links rendered by <RepoFile /> are supposed to be remapped to the PR checkout so file renames and deletions fail before merge. There are existing docs references to source files such as src/runtime/launch.rs, so a source-only rename/delete can now bypass the check that would catch stale docs links.

  Possible fix direction: separate the expensive docs build/deploy gate from the cheaper repo-file link contract. For example, keep full docs build/deploy docs-only, but run bun run check:repo-links or an equivalent source-link validation path when source, Docker, workflow, or root files that docs can reference change. A simpler but broader fix is to include those repo-file-linkable areas in the docs classifier.

Optional Improvement Ideas

These are alternatives to consider, not required changes.

• The repeated bash path classifiers could be replaced with dorny/paths-filter, pinned by SHA. It supports job-level boolean outputs, shared filter files, change-type filtering, and changed-file lists. This would make the workflow intent more readable and reduce the chance that the four classifiers drift from each other. It also preserves the current reason for job-level gating: native GitHub paths filters can leave required workflows pending when the whole workflow is skipped, while skipped jobs report success.

• If this PR keeps custom bash classifiers, consider centralizing the path filter lists in one checked-in file or composite action. That keeps the current dependency surface small while still making the Rust/docs/construct/preview path sets easier to review.

• For MISE_VERSION, Renovate's deb datasource may match the actual installation source better than github-releases, because the Dockerfile installs mise=${MISE_VERSION} from the mise apt repository. Renovate documents combining regex managers with the deb datasource for pinned apt package versions. This is optional; the current config validates, but the deb datasource would align the update signal with the package source used by the image build.

References for the optional ideas:

• GitHub docs on path filters and skipped required workflows: https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#onpushpull_requestpull_request_targetpathspaths-ignore
• GitHub docs on skipped jobs reporting success: https://docs.github.com/en/enterprise-cloud@latest/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks
• dorny/paths-filter: https://github.com/dorny/paths-filter
• Renovate regex manager docs: https://docs.renovatebot.com/modules/manager/regex/
• Renovate deb datasource docs: https://docs.renovatebot.com/modules/datasource/deb/