ci: skip heavy CI for non-impacting changes#194
Conversation
posthog-php Compliance ReportDate: 2026-07-01 13:16:36 UTC ✅ All Tests Passed!45/45 tests passed Capture Tests✅ 29/29 tests passed View Details
Feature_Flags Tests✅ 16/16 tests passed View Details
|
|
Reviews (1): Last reviewed commit: "ci: skip heavy CI for non-impacting chan..." | Re-trigger Greptile |
| if [[ "${{ github.event_name }}" != "pull_request" ]]; then | ||
| write_outputs | ||
| summarize "Non-pull-request event; running heavy CI." | ||
| exit 0 | ||
| fi | ||
|
|
||
| if ! changed_files=$(gh api --paginate "repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/files" --jq '.[].filename'); then |
There was a problem hiding this comment.
GitHub context expressions expanded inside shell script
Lines 69 and 75 embed ${{ github.event_name }}, ${{ github.repository }}, and ${{ github.event.pull_request.number }} directly in the run: script body. GitHub Actions string-substitutes these before the shell sees the script, which can introduce script injection if the values ever contain shell metacharacters. $GITHUB_EVENT_NAME and $GITHUB_REPOSITORY are already set by the runner as environment variables; github.event.pull_request.number can be passed via the env: block. Prefer those over inline expressions inside shell code.
| summarize() { | ||
| { | ||
| echo "### CI changed-file classification" | ||
| echo "" | ||
| echo "skip_heavy: \`${skip_heavy}\`" | ||
| echo "run_public_api: \`${run_public_api}\`" | ||
| echo "run_coverage: \`${run_coverage}\`" | ||
| echo "" | ||
| echo "$1" | ||
| } >> "$GITHUB_STEP_SUMMARY" | ||
| } |
There was a problem hiding this comment.
Step-summary header duplicated between
summarize() and the main success block
The four echo lines that write the heading and three output values (skip_heavy, run_public_api, run_coverage) appear verbatim inside summarize() (lines 58–65) and again in the main success block (lines 151–155). Per the team's OnceAndOnlyOnce rule, the shared header should be extracted — e.g. a print_header() helper called by both paths, or the main block extended to call summarize with the detailed body as its argument.
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
|
|
||
| is_non_impacting_file() { | ||
| case "$1" in | ||
| *.md|docs/*|.changeset/*.md|.github/ISSUE_TEMPLATE/*|.github/pull_request_template.md|.github/workflows/release.yml|.github/workflows/stale.yaml|.github/workflows/lint-pr.yml|.github/workflows/call-flags-project-board.yml|package.json|pnpm-lock.yaml|pnpm-workspace.yaml|.npmrc) |
There was a problem hiding this comment.
package.json, pnpm-lock.yaml, pnpm-workspace.yaml, and .npmrc are JavaScript/npm files that don't belong in a PHP-only SDK repo. Listing them here is dead code today, but if any were ever added for tooling purposes, CI would silently treat them as non-impacting and skip all PHP checks. Consider removing them to avoid that silent-skip risk.
| *.md|docs/*|.changeset/*.md|.github/ISSUE_TEMPLATE/*|.github/pull_request_template.md|.github/workflows/release.yml|.github/workflows/stale.yaml|.github/workflows/lint-pr.yml|.github/workflows/call-flags-project-board.yml|package.json|pnpm-lock.yaml|pnpm-workspace.yaml|.npmrc) | |
| *.md|docs/*|.changeset/*.md|.github/ISSUE_TEMPLATE/*|.github/pull_request_template.md|.github/workflows/release.yml|.github/workflows/stale.yaml|.github/workflows/lint-pr.yml|.github/workflows/call-flags-project-board.yml) |
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
f24d926 to
b20ab97
Compare
|
Closing this for now — I'll investigate other options. We don't want hardcoded paths this way. |
Summary
filenameandprevious_filenameGeneric safe set
Heavy CI is skipped only for
pull_requestevents where every reportedfilenameandprevious_filenameis one of:*.mdfile anywheredocs/*.github/ISSUE_TEMPLATE/*or.github/PULL_REQUEST_TEMPLATE/*.github/pull_request_template.md.github/CODEOWNERSorCODEOWNERS.github/dependabot.yml.github/workflows(release,publish,stale,lint-pr,call-flags-project-board,changeset-hygiene,dependabot-changeset,validate-versioning,new-pr,generated-files-notice,posthog-upgrade,posthog-watcher-*) with.ymlor.yamlEverything else, including source/test changes, package or lock files, build config, current CI workflows, unknown files, pushes, API failures, and empty file lists, runs full CI.
Validation
ruby -e 'require "yaml"; ARGV.each { |f| YAML.load_file(f); puts "YAML OK #{f}" }' .github/workflows/php.yml .github/workflows/sdk-compliance.ymlgit diff --checkbash -nNotes
uses:with an in-job no-op step; the check name remainsPostHog SDK compliance tests.