From 1c526d36e3d714d3f8570bc7b858f734c8df3378 Mon Sep 17 00:00:00 2001
From: Rob Bos <raj.bos@gmail.com>
Date: Sat, 18 Apr 2026 12:05:18 +0200
Subject: [PATCH] ci: skip mutation tests on PRs with no TS source changes

Add a check-code-changes job that diffs the PR against the base branch
and sets an output flag when .ts files under vscode-extension/src/ or
vscode-extension/test/, or stryker.config.mjs, are modified.

The mutation-testing job now depends on check-code-changes and only
runs when vscode_src_changed == 'true', skipping it for docs, JSON
data files, workflows, and other non-code changes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/ci.yml | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 64980051..2e05a47d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -106,10 +106,37 @@ jobs:
           vscode-extension/out/
         retention-days: 7
         
-  mutation-testing:
+  check-code-changes:
     runs-on: ubuntu-latest
-    needs: build
     if: github.event_name == 'pull_request'
+    outputs:
+      vscode_src_changed: ${{ steps.detect.outputs.changed }}
+    steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+      with:
+        egress-policy: audit
+
+    - name: Checkout code
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        fetch-depth: 0
+
+    - name: Detect vscode-extension source changes
+      id: detect
+      run: |
+        changed=$(git diff --name-only origin/${{ github.base_ref }}...HEAD \
+          | grep -cE '^vscode-extension/src/.*\.ts$|^vscode-extension/test/.*\.ts$|^vscode-extension/stryker\.config\.mjs$' || true)
+        if [ "$changed" -gt 0 ]; then
+          echo "changed=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "changed=false" >> "$GITHUB_OUTPUT"
+        fi
+
+  mutation-testing:
+    runs-on: ubuntu-latest
+    needs: [build, check-code-changes]
+    if: github.event_name == 'pull_request' && needs.check-code-changes.outputs.vscode_src_changed == 'true'
     # Informational — does not block the PR. A failing mutation score
     # is visible in the artifact but does not block merging during rollout.
     continue-on-error: true