Skipped CI build and E2E jobs for non-code changes

[ErisDS]

Summary

• Narrowed the shared paths-filter anchor from .github/** to only CI-relevant paths (.github/workflows/, .github/actions/, .github/scripts/**), so changes to renovate config, CODEOWNERS, codecov.yml, issue templates, and other non-CI metadata no longer trigger all test suites
• Expanded the any-code filter to exclude docs, IDE config, AI agent config, and other non-code files
• Wired the changed_any_code gate into job_build_artifacts, job_build_e2e_public_apps, job_build_e2e_image, and job_e2e_tests - these previously ran unconditionally on every non-tag PR

What this skips for non-code PRs

The entire Docker build + E2E chain (~90 runner-minutes across 8 shards + 3 build jobs), plus lint and unit tests. For a config-only PR, CI now runs just Setup and the gate job.

What is safe

• job_required_tests uses if: always() and treats skipped dependencies as passing
• trigger_cd and publish_ghost already check needs.job_build_artifacts.result == success, so they skip when build is skipped
• Test files live inside ghost/, apps/, and e2e/, so they still trigger any-code and their respective package filters

Test plan

• Verify this PRs own CI run passes (it touches .github/workflows/ci.yml so all suites should still trigger via shared)
• Verify a non-code PR (e.g. renovate.json5 change, docs update) skips build + E2E jobs
• Verify a code PR still runs the full pipeline including E2E

[coderabbitai]

Walkthrough

The CI workflow configuration was modified to apply more granular change detection logic. The workflow now restricts CI-related file changes to specific subdirectories under .github/ rather than treating all .github/** files as triggers. The any-code filter was expanded to exclude additional repository metadata and configuration files (renovate configuration, CODEOWNERS, codecov config, funding templates, root dotfiles, editorconfig, and sonar configuration). The job_build_artifacts job is now conditionally gated on detected code changes, and E2E-related jobs now require both code changes and non-tag conditions to execute, replacing the previous tag-only condition.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: skipping CI build and E2E jobs for non-code changes, which matches the core objective and changeset.
Description check	✅ Passed	The description is directly related to the changeset, providing detailed context about narrowed paths filters, expanded any-code filters, and job gating logic.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/ci-skip-non-code-changes

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.46%. Comparing base (191095a) to head (5efb56c).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #27311   +/-   ##
=======================================
  Coverage   73.46%   73.46%           
=======================================
  Files        1545     1545           
  Lines      123686   123686           
  Branches    14961    14962    +1     
=======================================
  Hits        90870    90870           
+ Misses      31819    31797   -22     
- Partials      997     1019   +22     

Flag	Coverage Δ
admin-tests	54.39% <ø> (ø)
e2e-tests	73.46% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Line 831: Update the conditional that gates job_build_artifacts so it also
runs for tag pushes/releases; currently it uses the exact condition
"needs.job_setup.outputs.changed_any_code == 'true'". Replace that single-only
check with a compound condition that keeps the existing changed_any_code check
OR allows execution when the workflow ref is a tag (github.ref starts with
"refs/tags/") or when the event indicates a release, ensuring tag pushes will
trigger job_build_artifacts and satisfy downstream requirements like
publish_ghost.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d21fdb2c-0913-4a05-bf5a-24994bee3d63

📥 Commits

Reviewing files that changed from the base of the PR and between 191095a and 5efb56c.

📒 Files selected for processing (1)

• .github/workflows/ci.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For GitHub Actions pushevents triggered by creating a tag, what values are typically present forgithub.event.commitsandhead_commit, and can changed-file detection resolve to no changes for such events?

💡 Result:

For a GitHub Actions push event whose ref is a newly-created tag (e.g. refs/tags/v1.2.3):

• github.event.commits: commonly an empty array ([]), because no commits were “pushed” in the sense of being part of the compare between before and after—the ref moved/was created, but it typically points at an existing commit. An example tag-push payload shows before as all-zeroes, created: true, and commits: []. [3] (See also the definition of commits as “pushed commits” in the push payload docs. [1])

• github.event.head_commit: present and populated with the commit object for the commit the tag points to (i.e., the payload’s after SHA). GitHub explicitly changed tag-creation push payloads to always include a consistent head_commit for tag creation. [2]

• Changed-file detection can be “no changes”: yes. If your workflow/action determines changed files from github.event.commits (or from per-commit file lists), a tag-creation push can legitimately yield zero changed files because commits may be empty. [3] Also note that in the Actions push payload, commit objects don’t include added/removed/modified file lists anyway, so file-change detection often has to fall back to Git history/API—and for a tag creation that can still resolve to “no changes” depending on what you compare against. [4]

Sources:
[1] GitHub Docs – push webhook payload fields (commits, head_commit) https://docs.github.com/en/enterprise-cloud@latest/webhooks/webhook-events-and-payloads
[2] GitHub Changelog – consistent head_commit on tag creation (push payload) https://github.blog/changelog/2021-10-01-the-push-webhook-payload-provides-a-consistent-head_commit-on-tag-creation/
[3] Example tag-push context showing commits: [] and populated head_commit https://blog.mikepenz.dev/a/github-actions-context/
[4] GitHub Docs – Actions push event notes (no added/removed/modified in commit objects) https://docs.github.com/en/actions/reference/events-that-trigger-workflows

---

🏁 Script executed:

# First, let me locate and inspect the workflow file
find . -name "ci.yml" -path "*/.github/workflows/*" -type f

Repository: TryGhost/Ghost

Length of output: 84

---

🏁 Script executed:

# Get an overview of the workflow file structure
wc -l .github/workflows/ci.yml

Repository: TryGhost/Ghost

Length of output: 87

---

🏁 Script executed:

# Search for job_setup and its outputs
rg -n "job_setup" .github/workflows/ci.yml -A 3 -B 3 | head -100

Repository: TryGhost/Ghost

Length of output: 3672

---

🏁 Script executed:

# Search for changed_any_code definition
rg -n "changed_any_code" .github/workflows/ci.yml -B 5 -A 2

Repository: TryGhost/Ghost

Length of output: 2481

---

🏁 Script executed:

# Search for job_build_artifacts definition and its dependencies
rg -n "job_build_artifacts" .github/workflows/ci.yml -B 2 -A 10

Repository: TryGhost/Ghost

Length of output: 6163

---

🏁 Script executed:

# Look for downstream jobs that depend on job_build_artifacts
rg -n "needs\.job_build_artifacts" .github/workflows/ci.yml -B 2 -A 2

Repository: TryGhost/Ghost

Length of output: 2592

---

🏁 Script executed:

# Search for the "changed" step in job_setup that produces the any-code output
rg -n "id: changed" .github/workflows/ci.yml -A 20 | head -60

Repository: TryGhost/Ghost

Length of output: 779

---

🏁 Script executed:

# Also check if there are any tag-specific handling in job_setup
rg -n "is_tag" .github/workflows/ci.yml -B 3 -A 1 | head -80

Repository: TryGhost/Ghost

Length of output: 2964

---

🏁 Script executed:

# Check the full job_setup to understand its structure
sed -n '37,230p' .github/workflows/ci.yml

Repository: TryGhost/Ghost

Length of output: 7638

---

Ensure artifact builds run on release tags to prevent blocking downstream tag-release jobs.

job_build_artifacts is currently gated only by changed_any_code. For tag pushes, GitHub Actions provides an empty commits array (since no commits are "pushed"—the tag points to an existing commit), causing the paths-filter action to detect zero changed files and skip the job. This breaks downstream tag-release jobs like publish_ghost that explicitly require job_build_artifacts.result == 'success'.

🔧 Proposed fix

-    if: needs.job_setup.outputs.changed_any_code == 'true'
+    if: needs.job_setup.outputs.is_tag == 'true' || needs.job_setup.outputs.changed_any_code == 'true'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml at line 831, Update the conditional that gates
job_build_artifacts so it also runs for tag pushes/releases; currently it uses
the exact condition "needs.job_setup.outputs.changed_any_code == 'true'".
Replace that single-only check with a compound condition that keeps the existing
changed_any_code check OR allows execution when the workflow ref is a tag
(github.ref starts with "refs/tags/") or when the event indicates a release,
ensuring tag pushes will trigger job_build_artifacts and satisfy downstream
requirements like publish_ghost.

[ErisDS]

Closing in favour of the approach in #27297, which will hopefully shake this out better