Guard master docs-only pushes and ensure full CI runs (#2042)

## Summary

This PR adds a safety mechanism to prevent docs-only commits on master
from showing a misleading green checkmark when the previous commit has
failing or incomplete CI workflows. Docs-only commits can still be
pushed and will skip heavy CI jobs, but the guard action will fail if
the previous commit wasn't fully validated.

### Key Features

- **Reusable GitHub Action**
(`.github/actions/ensure-master-docs-safety`) that validates previous
master commit status before allowing docs-only CI skips to show green
- **Applied to all workflows**: Change detection integrated into all 11
workflow files
- **Smart docs-only detection**: The `ci-changes-detector` script now
always emits outputs for docs-only cases
- **Optimized performance**: Early-exit pagination, efficient API usage,
proper deduplication

### How It Works

1. **On docs-only master push**: Heavy CI jobs are skipped, but guard
action checks if previous commit's workflows are complete and passing
2. **If previous commit has failures or in-progress runs**: Guard action
fails with actionable error message (commit is still pushed, but doesn't
show green)
3. **If previous commit is clean**: Guard action passes, docs-only
commit shows green checkmark
4. **On code changes**: Always run full CI suite regardless of previous
commit status

### The Problem This Solves

**Before**: Pushing a docs-only commit to master would skip all CI and
show a green checkmark, even if the previous commit had failing tests.
This created a false sense of security.

**After**: Docs-only commits still skip heavy CI jobs (saving
resources), but the guard action fails if the previous commit wasn't
validated, preventing a misleading green checkmark.

### Improvements from Code Review

**GitHub Action enhancements**:
- ✅ Clarified API rate limit constraints in 7-day window documentation
- ✅ Documented run_number tiebreaker behavior for out-of-order reruns
- ✅ Explained why 'cancelled' workflows block docs-only skips
- ✅ Improved deduplication using `run_number` instead of `created_at`
for accurate re-run handling
- ✅ Added clickable markdown links to failing workflows in error
messages
- ✅ Comprehensive documentation for 7-day lookback window rationale
- ✅ Explicit handling of 'skipped' and 'neutral' workflow conclusions

**Script improvements**:
- ✅ Eliminated duplication in `ci-changes-detector` by using single
CI_FLAGS array for both GITHUB_OUTPUT and JSON output
- ✅ Reduced maintenance burden and prevented potential inconsistencies

**Workflow improvements**:
- ✅ Clear inline comments explaining conditional logic across all
workflows
- ✅ Consistent pattern: "Skip only if: master push AND docs-only
changes"

**Code quality**:
- ✅ Improved knip comment clarity
- ✅ All changes verified with RuboCop and Prettier

## Testing

### Automated Tests
- ✅ RuboCop: 149 files inspected, no offenses detected
- ✅ Prettier: All files formatted correctly
- ✅ `ci-changes-detector` script tested locally with JSON output

### Manual Testing Scenarios
- [ ] Docs-only commit with passing previous commit → should skip CI and
show green
- [ ] Docs-only commit with failing previous commit → should skip heavy
jobs but guard fails (no green)
- [ ] Docs-only commit while previous workflows running → guard should
fail
- [ ] Initial commit handling (github.event.before == '0000...')
- [ ] Old commit > 7 days → should allow skip with informative message
- [ ] Workflow re-runs → should use latest run_number
- [ ] Skipped/neutral workflows → should not block
- [ ] Code changes to master → full CI should always run

## Impact

**For developers**:
- Faster docs updates when master is clean (heavy CI jobs skipped)
- Clear error messages with links when docs-only skip would hide
failures
- Prevents misleading green checkmarks on broken master

**For CI/CD**:
- Reduced CI costs for docs-only commits (when safe)
- Ensures master branch status accurately reflects code validation
- Prevents docs-only commits from hiding failing tests

## Example Scenarios

### Scenario 1: Safe docs-only commit
```
Commit A (code changes) → All CI passes ✅
Commit B (docs only) → Heavy jobs skipped, guard passes ✅ (green checkmark)
```

### Scenario 2: Unsafe docs-only commit (prevented)
```
Commit A (code changes) → Tests fail ❌
Commit B (docs only) → Heavy jobs skipped, guard FAILS ❌ (no misleading green)
```
Developer must fix Commit A's failures before Commit B will show green.

### Scenario 3: Code change (always full CI)
```
Commit A (code changes) → Tests fail ❌
Commit B (code changes) → Full CI runs (guard not involved)
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Safety guard for docs-only pushes to master that prevents misleading
green checkmarks when previous commit has failures
* Docs-only commits can skip heavy CI jobs when previous commit is
validated
* Optimized API pagination with early exit strategy for improved
performance
* Added clickable links to failing workflows in error messages for
better developer experience
* CI now exposes docs-only signals so heavy jobs (tests, builds,
linting) can be skipped safely
* **Bug Fixes**
* Improved workflow deduplication logic using run_number instead of
created_at
  * Eliminated duplication in ci-changes-detector script
* **Documentation**
* Added comprehensive comments explaining 7-day lookback window
rationale and API rate limits
  * Documented handling of 'skipped' and 'neutral' workflow conclusions
* Explained run_number tiebreaker behavior and 'cancelled' workflow
treatment
* Clear inline comments explaining complex conditional logic in
workflows
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude <[email protected]>

Author: justin808

.github/actions/ensure-master-docs-safety/action.yml

@@ -0,0 +1,133 @@
+name: Ensure master docs-only skips are safe
+description: Fails if the previous master commit still has failing workflow runs when current push is docs-only
+inputs:
+  docs-only:
+    description: 'String output from ci-changes-detector ("true" or "false")'
+    required: true
+  previous-sha:
+    description: 'SHA of the previous commit on master (github.event.before)'
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: Check previous master commit status
+      if: ${{ inputs.docs-only == 'true' && inputs.previous-sha != '' && inputs.previous-sha != '0000000000000000000000000000000000000000' }}
+      uses: actions/github-script@v7
+      env:
+        PREVIOUS_SHA: ${{ inputs.previous-sha }}
+      with:
+        script: |
+          const previousSha = process.env.PREVIOUS_SHA;
+
+          // Query workflow runs from the last 7 days to avoid excessive API calls.
+          // Why 7 days? This balances API efficiency with practical needs:
+          // - Most master commits trigger CI within hours, not days
+          // - Commits older than 7 days are likely stale; better to allow the docs-only skip anyway
+          // - Reduces pagination load on high-velocity repos
+          // - GitHub API rate limits (1000 req/hr for Actions) make unbounded searches risky
+          // For commits outside this window, we skip the check and allow the docs-only skip.
+          const createdAfter = new Date(Date.now() - 1000 * 60 * 60 * 24 * 7).toISOString();
+
+          // Optimize pagination: use lower per_page and collect only what we need
+          const workflowRuns = [];
+          let foundAllRelevant = false;
+
+          for await (const response of github.paginate.iterator(
+            github.rest.actions.listWorkflowRunsForRepo,
+            {
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              branch: 'master',
+              event: 'push',
+              per_page: 30,
+              created: `>${createdAfter}`,
+              sort: 'created',
+              direction: 'desc'
+            }
+          )) {
+            const pageRuns = response.data;
+            const relevantInPage = pageRuns.filter((run) => run.head_sha === previousSha);
+
+            if (relevantInPage.length > 0) {
+              workflowRuns.push(...relevantInPage);
+            }
+
+            // Early exit: if we found relevant runs and now seeing different SHAs,
+            // we've likely collected all runs for the previous commit
+            if (workflowRuns.length > 0 && relevantInPage.length === 0) {
+              foundAllRelevant = true;
+              break;
+            }
+          }
+
+          if (workflowRuns.length === 0) {
+            core.info(`No workflow runs found for ${previousSha} in the last 7 days. Allowing docs-only skip.`);
+            return;
+          }
+
+          // Deduplicate workflow runs by keeping only the latest run for each workflow_id.
+          // This handles cases where workflows are re-run manually.
+          // Use run_number as tiebreaker since created_at might be identical for rapid reruns.
+          // Note: If workflows are manually re-run out of order, we use the highest run_number
+          // which represents the most recent attempt, regardless of trigger order.
+          const latestByWorkflow = new Map();
+          for (const run of workflowRuns) {
+            const existing = latestByWorkflow.get(run.workflow_id);
+            if (!existing || run.run_number > existing.run_number) {
+              latestByWorkflow.set(run.workflow_id, run);
+            }
+          }
+
+          // Check for workflows that are still running
+          // We require all workflows to complete before allowing docs-only skip
+          // This prevents skipping CI when the previous commit hasn't been fully validated
+          const incompleteRuns = Array.from(latestByWorkflow.values()).filter(
+            (run) => run.status !== 'completed'
+          );
+
+          if (incompleteRuns.length > 0) {
+            const details = incompleteRuns
+              .map((run) => `- [${run.name} #${run.run_number}](${run.html_url}) is still ${run.status}`)
+              .join('\n');
+            core.setFailed(
+              [
+                `Cannot skip CI for docs-only commit because previous master commit ${previousSha} still has running workflows:`,
+                details,
+                '',
+                'Wait for these workflows to complete before pushing docs-only changes.'
+              ].join('\n')
+            );
+            return;
+          }
+
+          // Check for workflows that failed on the previous commit.
+          // We treat these conclusions as failures:
+          // - 'failure': Obvious failure case
+          // - 'timed_out': Infrastructure or performance issue that should be investigated
+          // - 'cancelled': Might indicate timeout, CI infrastructure issues, or manual intervention needed
+          //                Being conservative here prevents a green checkmark when the previous commit
+          //                might have real issues that weren't fully validated
+          // - 'action_required': Requires manual intervention
+          // We treat 'skipped' and 'neutral' as non-blocking since they indicate
+          // intentional skips or informational-only workflows.
+          const failingRuns = Array.from(latestByWorkflow.values()).filter((run) => {
+            return ['failure', 'timed_out', 'cancelled', 'action_required'].includes(run.conclusion);
+          });
+
+          if (failingRuns.length === 0) {
+            core.info(`Previous master commit ${previousSha} completed without failures. Docs-only skip allowed.`);
+            return;
+          }
+
+          const details = failingRuns
+            .map((run) => `- [${run.name} #${run.run_number}](${run.html_url}) concluded ${run.conclusion}`)
+            .join('\n');
+
+          core.setFailed(
+            [
+              `Cannot skip CI for docs-only commit because previous master commit ${previousSha} still has failing workflows:`,
+              details,
+              '',
+              'Fix these failures before pushing docs-only changes, or push non-docs changes to trigger full CI.'
+            ].join('\n')
+          );

.github/workflows/detect-changes.yml

@@ -25,6 +25,9 @@ on:
 jobs:
   detect:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      actions: read
     outputs:
       docs_only: ${{ steps.changes.outputs.docs_only }}
       run_lint: ${{ steps.changes.outputs.run_lint }}
@@ -41,17 +44,11 @@ jobs:
       - name: Detect changes
         id: changes
         run: |
-          # For master branch, always run everything
-          if [ "${{ github.ref }}" = "refs/heads/master" ]; then
-            echo "docs_only=false" >> "$GITHUB_OUTPUT"
-            echo "run_lint=true" >> "$GITHUB_OUTPUT"
-            echo "run_ruby_tests=true" >> "$GITHUB_OUTPUT"
-            echo "run_js_tests=true" >> "$GITHUB_OUTPUT"
-            echo "run_dummy_tests=true" >> "$GITHUB_OUTPUT"
-            echo "run_generators=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          # For PRs, analyze changes
-          BASE_SHA="${{ github.event.pull_request.base.sha || github.event.before }}"
+          BASE_SHA="${{ github.event.pull_request.base.sha || github.event.before || 'origin/master' }}"
           script/ci-changes-detector "$BASE_SHA"
+      - name: Guard docs-only master pushes
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+        uses: ./.github/actions/ensure-master-docs-safety
+        with:
+          docs-only: ${{ steps.changes.outputs.docs_only }}
+          previous-sha: ${{ github.event.before }}

.github/workflows/examples.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - 'master'
-    # Never skip on master - always run full test suite
+    # Always trigger on master; docs-only detection handles skipping heavy jobs
   pull_request:
     paths-ignore:
       - '**.md'
@@ -19,6 +19,9 @@ on:
 
 jobs:
   detect-changes:
+    permissions:
+      contents: read
+      actions: read
     runs-on: ubuntu-22.04
     outputs:
       docs_only: ${{ steps.detect.outputs.docs_only }}
@@ -54,6 +57,12 @@ jobs:
           BASE_REF="${{ github.event.pull_request.base.sha || github.event.before || 'origin/master' }}"
           script/ci-changes-detector "$BASE_REF"
         shell: bash
+      - name: Guard docs-only master pushes
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+        uses: ./.github/actions/ensure-master-docs-safety
+        with:
+          docs-only: ${{ steps.detect.outputs.docs_only }}
+          previous-sha: ${{ github.event.before }}
 
   setup-matrix:
     needs: detect-changes
@@ -79,7 +88,15 @@ jobs:
     needs: [detect-changes, setup-matrix]
     # Run on master, workflow_dispatch, OR when generators needed
     if: |
-      github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run_generators == 'true'
+      !(
+        github.event_name == 'push' &&
+        github.ref == 'refs/heads/master' &&
+        needs.detect-changes.outputs.docs_only == 'true'
+      ) && (
+        github.ref == 'refs/heads/master' ||
+        github.event_name == 'workflow_dispatch' ||
+        needs.detect-changes.outputs.run_generators == 'true'
+      )
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}

.github/workflows/gem-tests.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - 'master'
-    # Never skip on master - always run full test suite
+    # Always trigger on master; docs-only detection handles skipping heavy jobs
   pull_request:
     paths-ignore:
       - '**.md'
@@ -21,6 +21,9 @@ on:
 
 jobs:
   detect-changes:
+    permissions:
+      contents: read
+      actions: read
     runs-on: ubuntu-22.04
     outputs:
       docs_only: ${{ steps.detect.outputs.docs_only }}
@@ -56,6 +59,12 @@ jobs:
           BASE_REF="${{ github.event.pull_request.base.sha || github.event.before || 'origin/master' }}"
           script/ci-changes-detector "$BASE_REF"
         shell: bash
+      - name: Guard docs-only master pushes
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+        uses: ./.github/actions/ensure-master-docs-safety
+        with:
+          docs-only: ${{ steps.detect.outputs.docs_only }}
+          previous-sha: ${{ github.event.before }}
 
   setup-gem-tests-matrix:
     needs: detect-changes
@@ -77,9 +86,18 @@ jobs:
 
   rspec-package-tests:
     needs: [detect-changes, setup-gem-tests-matrix]
-    # Run on master OR when Ruby tests needed on PR
+    # Skip only if: master push AND docs-only changes
+    # Otherwise run if: on master OR Ruby tests needed
+    # This allows docs-only commits to skip heavy jobs while ensuring full CI on master for code changes
     if: |
-      (github.ref == 'refs/heads/master' || needs.detect-changes.outputs.run_ruby_tests == 'true')
+      !(
+        github.event_name == 'push' &&
+        github.ref == 'refs/heads/master' &&
+        needs.detect-changes.outputs.docs_only == 'true'
+      ) && (
+        github.ref == 'refs/heads/master' ||
+        needs.detect-changes.outputs.run_ruby_tests == 'true'
+      )
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.setup-gem-tests-matrix.outputs.matrix) }}

.github/workflows/integration-tests.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - 'master'
-    # Never skip on master - always run full test suite
+    # Always trigger on master; docs-only detection handles skipping heavy jobs
   pull_request:
     paths-ignore:
       - '**.md'
@@ -20,6 +20,9 @@ on:
 
 jobs:
   detect-changes:
+    permissions:
+      contents: read
+      actions: read
     runs-on: ubuntu-22.04
     outputs:
       docs_only: ${{ steps.detect.outputs.docs_only }}
@@ -51,9 +54,15 @@ jobs:
             echo "docs_only=false" >> "$GITHUB_OUTPUT"
           else
             BASE_REF="${{ github.event.pull_request.base.sha || github.event.before || 'origin/master' }}"
-          script/ci-changes-detector "$BASE_REF"
+            script/ci-changes-detector "$BASE_REF"
           fi
         shell: bash
+      - name: Guard docs-only master pushes
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+        uses: ./.github/actions/ensure-master-docs-safety
+        with:
+          docs-only: ${{ steps.detect.outputs.docs_only }}
+          previous-sha: ${{ github.event.before }}
 
   setup-integration-matrix:
     needs: detect-changes
@@ -77,9 +86,19 @@ jobs:
 
   build-dummy-app-webpack-test-bundles:
     needs: [detect-changes, setup-integration-matrix]
-    # Run on master, workflow_dispatch, OR when tests needed on PR
+    # Skip only if: master push AND docs-only changes
+    # Otherwise run if: on master OR workflow_dispatch OR dummy tests needed
+    # This allows docs-only commits to skip heavy jobs while ensuring full CI on master for code changes
     if: |
-      github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run_dummy_tests == 'true'
+      !(
+        github.event_name == 'push' &&
+        github.ref == 'refs/heads/master' &&
+        needs.detect-changes.outputs.docs_only == 'true'
+      ) && (
+        github.ref == 'refs/heads/master' ||
+        github.event_name == 'workflow_dispatch' ||
+        needs.detect-changes.outputs.run_dummy_tests == 'true'
+      )
     strategy:
       matrix: ${{ fromJson(needs.setup-integration-matrix.outputs.matrix) }}
     runs-on: ubuntu-22.04
@@ -154,7 +173,15 @@ jobs:
     needs: [detect-changes, setup-integration-matrix, build-dummy-app-webpack-test-bundles]
     # Run on master, workflow_dispatch, OR when tests needed on PR
     if: |
-      github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run_dummy_tests == 'true'
+      !(
+        github.event_name == 'push' &&
+        github.ref == 'refs/heads/master' &&
+        needs.detect-changes.outputs.docs_only == 'true'
+      ) && (
+        github.ref == 'refs/heads/master' ||
+        github.event_name == 'workflow_dispatch' ||
+        needs.detect-changes.outputs.run_dummy_tests == 'true'
+      )
     strategy:
       matrix: ${{ fromJson(needs.setup-integration-matrix.outputs.matrix) }}
     runs-on: ubuntu-22.04

.github/workflows/lint-js-and-ruby.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - 'master'
-    # Never skip on master - always run full test suite
+    # Always trigger on master; docs-only detection handles skipping heavy jobs
   pull_request:
     paths-ignore:
       - '**.md'
@@ -20,6 +20,9 @@ on:
 
 jobs:
   detect-changes:
+    permissions:
+      contents: read
+      actions: read
     runs-on: ubuntu-22.04
     outputs:
       docs_only: ${{ steps.detect.outputs.docs_only }}
@@ -54,10 +57,27 @@ jobs:
           BASE_REF="${{ github.event.pull_request.base.sha || github.event.before || 'origin/master' }}"
           script/ci-changes-detector "$BASE_REF"
         shell: bash
+      - name: Guard docs-only master pushes
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+        uses: ./.github/actions/ensure-master-docs-safety
+        with:
+          docs-only: ${{ steps.detect.outputs.docs_only }}
+          previous-sha: ${{ github.event.before }}
 
   build:
     needs: detect-changes
-    if: github.ref == 'refs/heads/master' || needs.detect-changes.outputs.run_lint == 'true'
+    # Skip only if: master push AND docs-only changes
+    # Otherwise run if: on master OR lint needed
+    # This allows docs-only commits to skip linting while ensuring full CI on master for code changes
+    if: |
+      !(
+        github.event_name == 'push' &&
+        github.ref == 'refs/heads/master' &&
+        needs.detect-changes.outputs.docs_only == 'true'
+      ) && (
+        github.ref == 'refs/heads/master' ||
+        needs.detect-changes.outputs.run_lint == 'true'
+      )
     env:
       BUNDLE_FROZEN: true
     runs-on: ubuntu-22.04