fix(ci): eliminate redundant CI workflow executions

mchmarny · mchmarny · commit 3c9f6ec564dd · 2026-04-25T04:28:39.000-07:00
Merge Gate and On Push Qualification both called qualification.yaml on
every push and PR, doubling test/lint/e2e/scan jobs. Standalone CodeQL,
vuln-scan, actionlint, and verify-licenses workflows further tripled
some checks. This consolidation removes ~45% of redundant runner usage:

- Remove push trigger from Merge Gate (PR-only gate; strict status
  checks guarantee merge commit matches PR preview)
- Remove PR trigger from On Push Qualification (Merge Gate covers PRs)
- Remove inline vuln-scan from Merge Gate (qualification.yaml already
  includes security-scan)
- Delete standalone actionlint.yaml and verify-licenses.yaml (fully
  subsumed by Merge Gate)
- Strip push/PR triggers from codeql.yaml and vuln-scan.yaml (keep
  schedule-only backstops)
- Re-point on-push-comment.yaml to trigger from Merge Gate
- Fix unquoted $GITHUB_OUTPUT references (shellcheck SC2086)
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -15,30 +15,13 @@
 name: "CodeQL"
 
 on:
-  push:
-    branches:
-      - main
-    paths-ignore:
-      - '**.md'
-      - 'docs/**'
-      - 'LICENSE'
-  pull_request:
-    branches:
-      - main
-    paths-ignore:
-      - '**.md'
-      - 'docs/**'
-      - 'LICENSE'
   schedule:
     - cron: '0 5 * * 1'
+  workflow_dispatch: {}
 
 permissions:
   contents: read
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
 jobs:
   analyze:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/merge-gate.yaml b/.github/workflows/merge-gate.yaml
@@ -27,9 +27,6 @@
 name: Merge Gate
 
 on:
-  push:
-    branches:
-      - main
   pull_request:
     branches:
       - main
@@ -40,7 +37,7 @@ permissions:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  cancel-in-progress: true
 
 jobs:
 
@@ -159,36 +156,6 @@ jobs:
     steps:
       - run: echo "Docs/non-code change — CodeQL analysis not required"
 
-  # ---------------------------------------------------------------------------
-  # Vulnerability scan (grype)
-  # ---------------------------------------------------------------------------
-
-  vuln-scan:
-    needs: [check-paths]
-    if: needs.check-paths.outputs.code == 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false
-      - uses: ./.github/actions/security-scan
-        with:
-          severity-cutoff: 'medium'
-          category: 'anchore-fs'
-
-  vuln-scan-skip:
-    needs: [check-paths]
-    if: needs.check-paths.outputs.code != 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 1
-    steps:
-      - run: echo "Docs/non-code change — vulnerability scan not required"
-
   # ---------------------------------------------------------------------------
   # Malware scan (ClamAV)
   # ---------------------------------------------------------------------------
@@ -307,8 +274,6 @@ jobs:
       - tests-skip
       - analyze
       - analyze-skip
-      - vuln-scan
-      - vuln-scan-skip
       - malware-scan
       - malware-scan-skip
       - actionlint
diff --git a/.github/workflows/on-push-comment.yaml b/.github/workflows/on-push-comment.yaml
@@ -20,15 +20,15 @@ name: Post PR Comment
 
 on:
   workflow_run:
-    workflows: ["On Push Qualification"]
+    workflows: ["Merge Gate"]
     types:
       - completed
 
 permissions:
   contents: read
 
 jobs:
-  # COUPLING: This workflow depends on "On Push Qualification" producing these artifacts:
+  # COUPLING: This workflow depends on "Merge Gate" producing these artifacts (via qualification.yaml):
   #   - coverage-pr (coverage.out from PR build)
   #   - coverage-comment-data (JSON: coverage, threshold, pass, color, pr_number)
   #   - coverage-baseline (coverage.out from last successful main build)
@@ -107,16 +107,16 @@ jobs:
               --repo ${{ github.repository }} \
               --name coverage-baseline \
               --dir /tmp/baseline-coverage 2>/dev/null; then
-              echo "baseline_found=true" >> $GITHUB_OUTPUT
+              echo "baseline_found=true" >> "$GITHUB_OUTPUT"
               echo "✅ Baseline coverage downloaded"
             else
-              echo "baseline_found=false" >> $GITHUB_OUTPUT
+              echo "baseline_found=false" >> "$GITHUB_OUTPUT"
               echo "⚠️ Failed to download baseline (first run?)"
               # Create empty baseline
               echo "mode: set" > /tmp/baseline-coverage/coverage.out
             fi
           else
-            echo "baseline_found=false" >> $GITHUB_OUTPUT
+            echo "baseline_found=false" >> "$GITHUB_OUTPUT"
             echo "⚠️ No successful baseline run found"
             echo "mode: set" > /tmp/baseline-coverage/coverage.out
           fi
@@ -169,18 +169,18 @@ jobs:
             /tmp/baseline-coverage/coverage.out \
             /tmp/pr-coverage/coverage.out \
             .github/outputs/all_modified_files.json > delta-report.md 2> delta-error.log; then
-            echo "delta_generated=true" >> $GITHUB_OUTPUT
+            echo "delta_generated=true" >> "$GITHUB_OUTPUT"
           else
-            echo "delta_generated=false" >> $GITHUB_OUTPUT
+            echo "delta_generated=false" >> "$GITHUB_OUTPUT"
             echo "⚠️ Delta generation failed:"
             cat delta-error.log || true
           fi
 
           # Check if report shows no change (to reduce noise)
           if grep -q "will \*\*not change\*\* overall coverage" delta-report.md 2>/dev/null; then
-            echo "no_change=true" >> $GITHUB_OUTPUT
+            echo "no_change=true" >> "$GITHUB_OUTPUT"
           else
-            echo "no_change=false" >> $GITHUB_OUTPUT
+            echo "no_change=false" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Post PR Comment
diff --git a/.github/workflows/on-push.yaml b/.github/workflows/on-push.yaml
@@ -23,14 +23,6 @@ on:
       - 'docs/**'
       - 'site/**'
       - 'LICENSE'
-  pull_request:
-    branches:
-      - main
-    paths-ignore:
-      - '**.md'
-      - 'docs/**'
-      - 'site/**'
-      - 'LICENSE'
   workflow_dispatch: {}  # Allow manual runs
 
 permissions:
@@ -45,10 +37,10 @@ env:
   EXPECTED_PLATFORMS: "linux/amd64 linux/arm64"
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  # Cancel in-progress PR runs but not main pushes — every main merge must
-  # complete to produce its immutable sha-<commit> image tag.
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+  # Never cancel main pushes — every merge must complete to produce its
+  # immutable sha-<commit> image tag.
+  cancel-in-progress: false
 
 jobs:
 
diff --git a/.github/workflows/verify-licenses.yaml b/.github/workflows/verify-licenses.yaml
diff --git a/.github/workflows/vuln-scan.yaml b/.github/workflows/vuln-scan.yaml
@@ -18,26 +18,10 @@ on:
   schedule:
     - cron: '30 7 * * *'
   workflow_dispatch: {}  # allow manual runs for testing
-  pull_request:
-    branches: [main]
-    paths-ignore:
-      - '**.md'
-      - 'docs/**'
-      - 'LICENSE'
-  push:
-    branches: [main]  # scan main after merges
-    paths-ignore:
-      - '**.md'
-      - 'docs/**'
-      - 'LICENSE'
 
 permissions:
   contents: read
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
 jobs:
   vuln-scan:
     runs-on: ubuntu-latest
