From 40c4950a527ea0ceb943b9bd7695140d740de146 Mon Sep 17 00:00:00 2001
From: knhn1004 <49494541+knhn1004@users.noreply.github.com>
Date: Wed, 6 May 2026 17:21:45 -0700
Subject: [PATCH] Scope CI jobs by touched entries

---
 .github/workflows/ci.yml | 42 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 163e545..4aaec54 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,11 +11,45 @@ concurrency:
 
 permissions:
   contents: read
+  pull-requests: read
 
 jobs:
+  changes:
+    name: detect touched entries
+    runs-on: ubuntu-latest
+    outputs:
+      cli: ${{ steps.filter.outputs.cli }}
+      dashboard_ui: ${{ steps.filter.outputs['dashboard-ui'] }}
+      ledger: ${{ steps.filter.outputs.ledger }}
+      control_plane: ${{ steps.filter.outputs['control-plane'] }}
+      gitleaks: ${{ steps.filter.outputs.gitleaks }}
+    steps:
+      - uses: actions/checkout@v6
+      - id: filter
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            cli:
+              - "cli/**"
+              - ".github/workflows/ci.yml"
+            dashboard-ui:
+              - "control-plane/dashboard-ui/**"
+              - ".github/workflows/ci.yml"
+            ledger:
+              - "ledger/**"
+              - ".github/workflows/ci.yml"
+            control-plane:
+              - "control-plane/**"
+              - "ledger/**"
+              - ".github/workflows/ci.yml"
+            gitleaks:
+              - "**"
+
   cli:
     name: cli (bun typecheck + tests)
     runs-on: ubuntu-latest
+    needs: changes
+    if: needs.changes.outputs.cli == 'true'
     steps:
       - uses: actions/checkout@v6
       - uses: oven-sh/setup-bun@v2
@@ -36,6 +70,8 @@ jobs:
   dashboard-ui:
     name: dashboard-ui (typecheck + build)
     runs-on: ubuntu-latest
+    needs: changes
+    if: needs.changes.outputs.dashboard_ui == 'true'
     steps:
       - uses: actions/checkout@v6
       - uses: oven-sh/setup-bun@v2
@@ -56,6 +92,8 @@ jobs:
   ledger:
     name: ledger (cargo test)
     runs-on: ubuntu-latest
+    needs: changes
+    if: needs.changes.outputs.ledger == 'true'
     steps:
       - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
@@ -67,6 +105,8 @@ jobs:
   control-plane:
     name: control-plane (go vet + go test -race)
     runs-on: ubuntu-latest
+    needs: changes
+    if: needs.changes.outputs.control_plane == 'true'
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v5
@@ -104,6 +144,8 @@ jobs:
   gitleaks:
     name: gitleaks (secret scan)
     runs-on: ubuntu-latest
+    needs: changes
+    if: needs.changes.outputs.gitleaks == 'true'
     steps:
       - uses: actions/checkout@v6
         with: { fetch-depth: 0 }