ci: optimize, secure, and modernize CI pipeline (#4711)

2026-03-27 18:21:58 -04:00 · 2026-03-04 11:34:46 -06:00
parent bd9c730c25
commit 02e01bb331
4 changed files with 58 additions and 80 deletions
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -1,72 +1,66 @@
+name: Pull Request CI
+
 on:
  pull_request:
-    branches:
-      - main
-  workflow_dispatch:
+    branches: [ main, develop ]
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+      - '.gitignore'

 concurrency:
-  group: build-pr-${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

 jobs:
+  # 1. CHANGE DETECTION: Prevents unnecessary builds
  check-changes:
    if: github.repository == 'meshtastic/Meshtastic-Android' && !( github.head_ref == 'scheduled-updates' || github.head_ref == 'l10n_main' )
    runs-on: ubuntu-latest
    outputs:
-      code_changed: ${{ steps.filter.outputs.code }}
+      android: ${{ steps.filter.outputs.android }}
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
      - uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
-            code:
-              - '**/*.kt'
-              - '**/*.java'
-              - '**/*.xml'
-              - '**/*.kts'
-              - '**/*.properties'
-              - 'gradle/**'
-              - 'gradlew'
-              - 'gradlew.bat'
-              - '**/src/**'
-              - '.github/workflows/**'
+            android:
+              - 'app/**'
+              - 'core/**'
+              - 'feature/**'
+              - 'build-logic/**'
+              - 'build.gradle.kts'
+              - 'gradle.properties'

-  android-check:
+  # 2. VALIDATION & BUILD: Delegate to reusable-check.yml
+  # We disable instrumented tests for PRs to keep feedback fast (< 10 mins).
+  validate-and-build:
    needs: check-changes
-    if: needs.check-changes.outputs.code_changed == 'true'
+    if: needs.check-changes.outputs.android == 'true'
    uses: ./.github/workflows/reusable-check.yml
    with:
-      api_levels: '[35]' # Only test latest API on PRs for speed
-      flavors: '["google","fdroid"]'
+      run_lint: true
+      run_unit_tests: true
+      run_instrumented_tests: false
+      api_levels: '[35]'
+      upload_artifacts: true
    secrets: inherit

-  skip-notice:
-    needs: check-changes
-    if: needs.check-changes.outputs.code_changed != 'true'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Skip CI for non-code changes
-        run: echo "Skipping CI - no code changes detected (docs/config only)"
-
+  # 3. WORKFLOW STATUS: Ensures required checks are satisfied
  check-workflow-status:
    name: Check Workflow Status
    runs-on: ubuntu-latest
-    needs:
-      - check-changes
-      - android-check
+    needs: [check-changes, validate-and-build]
    if: always()
    steps:
      - name: Check Workflow Status
        run: |
-          if [[ "${{ needs.check-changes.outputs.code_changed }}" != "true" ]]; then
-            echo "No code changes - CI jobs skipped as expected"
-            exit 0
-          fi
-
-          if [[ "${{ needs.android-check.result }}" == "failure" || "${{ needs.android-check.result }}" == "cancelled" ]]; then
+          # If changes were detected but build failed, fail the status check
+          if [[ "${{ needs.check-changes.outputs.android }}" == "true" && ("${{ needs.validate-and-build.result }}" == "failure" || "${{ needs.validate-and-build.result }}" == "cancelled") ]]; then
            echo "::error::Android Check failed"
            exit 1
          fi
-
-          echo "All jobs passed successfully"
+          
+          # If no changes were detected, this still succeeds to satisfy required status check
+          echo "Workflow status satisfied."