fix(ci): stop pgvector-embedded rebuild firing on every release tag #1051

Merged: buremba merged 1 commit into main from feat/pgvector-workflow-fix, May 25, 2026

@buremba (Member) commented May 25, 2026

Problem

The build-pgvector-embedded workflow opened a "rebuild prebuilt artifacts" PR on every release: #972, #974, #975, #977, #979, #980, #981, #996, #1002, #1005, #1025, #1029.

Two compounding causes:

  1. The push trigger fired on release tags. It used a bare paths filter (no branches). GitHub can't compute a file diff for a freshly-created ref, so it ignores paths and runs the workflow anyway. Every release-please tag (lobu-vX.Y.Z) therefore kicked off a full rebuild. Verified: the commit behind chore(pgvector-embedded): rebuild prebuilt artifacts (v0.8.1) #1029 (d75d07ab, the 9.3.0 release) touches neither build.sh nor the workflow file, yet the run fired.
  2. The builds aren't byte-reproducible. The open-pr job only opens a PR when the rebuilt artifacts differ (git diff --cached --quiet). They differ every time — embedded timestamps/paths in the compiled .so/.dylib — so each tag-triggered rebuild produced a real (but meaningless) diff and a PR.

Fix

  • Scope the push trigger to branches: [main] so tag refs no longer match.
  • Drop the workflow file itself from paths — only build.sh affects the artifacts, and this also stops the workflow self-triggering when its own YAML is edited (e.g. this PR).

workflow_dispatch still covers the only times a rebuild is actually wanted: a deliberate pgvector version or PG major bump.

The vendored binaries stay committed and shipped — they're the pgvector extension that vanilla embedded-postgres lacks, required for vector search in lobu run. This only stops the automatic rebuild on release.

Follow-up (not in this PR)

Making the pgvector build reproducible (SOURCE_DATE_EPOCH, -ffile-prefix-map, deterministic strip) would let even a deliberate build.sh-change rerun no-op when nothing meaningful changed. Optional hardening.

Test

YAML validates (yaml.safe_load). Behavior change is in event filtering only — no build-step changes.

Summary by CodeRabbit

  • Chores
    • Optimized build workflow to trigger only when relevant changes occur on the main branch, reducing unnecessary rebuilds and improving resource efficiency.
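
The trigger behaviour described in this PR, as an added example that is not part of the PR or the lobu repository: a simplified Python model of GitHub's push filters, with the before and after `on.push` mappings reconstructed from the description. `push_runs`, `tag_push_leak`, the sample ref and the changed-file lists are hypothetical names and constructed values; glob matching is approximated with `fnmatch`, whose `*` also matches `/`.

```python
from fnmatch import fnmatch

# Constructed from the PR description, not copied from the repository:
# the workflow's `on.push` mapping before and after the fix.
BUILD_SH = "packages/pgvector-embedded/scripts/build.sh"
WORKFLOW = ".github/workflows/build-pgvector-embedded.yml"
BEFORE = {"paths": [BUILD_SH, WORKFLOW]}
AFTER = {"branches": ["main"], "paths": [BUILD_SH]}


def push_runs(push, ref, changed_files):
    """Simplified model: does a push event for `ref` start the workflow?"""
    _, kind, name = ref.split("/", 2)  # "refs", "heads" or "tags", ref name
    own, other = ("branches", "tags") if kind == "heads" else ("tags", "branches")
    if own in push:
        if not any(fnmatch(name, pat) for pat in push[own]):
            return False
    elif other in push:
        # Only the other ref type is filtered, so this ref type never matches.
        return False
    if kind == "tags":
        # Path filters are not evaluated for tag pushes.
        return True
    paths = push.get("paths")
    if paths is None:
        return True
    return any(fnmatch(f, pat) for f in changed_files for pat in paths)


def tag_push_leak(push):
    """Audit check: a paths filter with no branch or tag filter still fires on tags."""
    ref_filters = {"branches", "branches-ignore", "tags", "tags-ignore"}
    return "paths" in push and not (push.keys() & ref_filters)


if __name__ == "__main__":
    release_tag = "refs/tags/lobu-v9.3.0"  # constructed sample ref
    for label, push in (("before", BEFORE), ("after", AFTER)):
        print(label, "tag push runs:", push_runs(push, release_tag, ["CHANGELOG.md"]),
              "| leak:", tag_push_leak(push))
```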

The push trigger used a bare paths filter, which GitHub ignores for
freshly-created refs (it can't diff them). So every release-please tag
(lobu-vX.Y.Z) ran the rebuild and, because the binaries aren't
byte-reproducible, opened a no-op 'rebuild artifacts' PR each release
(#972, #974, #975, #977, #979, #980, #981, #996, #1002, #1005, #1025,
#1029).

Scope the push trigger to branches: [main] so tag refs no longer match,
and drop the workflow file from paths (only build.sh changes the
artifacts). workflow_dispatch still covers deliberate pgvector/PG bumps.

coderabbitai Bot commented May 25, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 60c6e73 and 529775d.

📒 Files selected for processing (1)
  • .github/workflows/build-pgvector-embedded.yml

📝 Walkthrough

The pgvector-embedded build workflow's push trigger is narrowed to only run on the main branch and only when packages/pgvector-embedded/scripts/build.sh changes. The workflow documentation comment is updated, and the paths filter no longer includes the workflow YAML itself.

Changes

pgvector-embedded build trigger refinement

Layer: Build trigger narrowing to main branch and build script changes
File(s): .github/workflows/build-pgvector-embedded.yml
Summary: Workflow documentation comment updated to describe the build script impact. Push trigger configuration adds branches: [main] restriction and changes paths filter to monitor only packages/pgvector-embedded/scripts/build.sh, removing the workflow file from automatic rebuild conditions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • lobu-ai/lobu#986: Modifies GitHub Actions workflows to ensure packages/pgvector-embedded is built in CI contexts, directly related to workflow configuration for the same build artifact.

Poem

🐰 A trigger refined with care and grace,
Main branch only, its rightful place,
Build script watched, but not the deed,
No loop of self—just what you need! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Description check: ❓ Inconclusive. Explanation: The description provides comprehensive context (problem, two root causes, fix details, and follow-up), but lacks the required test plan section from the template with checkboxes for validation steps. Resolution: Add a Test plan section with the appropriate checkboxes (e.g., YAML validation completed, behavior verified), even if some items don't apply to this CI-only change.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title accurately describes the main change: preventing the pgvector-embedded rebuild workflow from triggering on release tags by scoping the push trigger to the main branch.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.


@buremba (Member, Author) commented May 25, 2026

bug_free 92, simplicity 96, slop 0, bugs 0, 0 blockers

Read local diff and logs: typecheck, unit, and integration all exited 0. Exploratory: ran actionlint on .github/workflows/build-pgvector-embedded.yml; no issues reported. Change is limited to scoping the pgvector artifact workflow push trigger to main/build.sh.

Full verdict JSON
{
  "bug_free_confidence": 92,
  "bugs": 0,
  "slop": 0,
  "simplicity": 96,
  "blockers": [],
  "change_type": "fix",
  "behavior_change_risk": "low",
  "tests_adequate": true,
  "suggested_fixes": [],
  "notes": "Read local diff and logs: typecheck, unit, and integration all exited 0. Exploratory: ran actionlint on .github/workflows/build-pgvector-embedded.yml; no issues reported. Change is limited to scoping the pgvector artifact workflow push trigger to main/build.sh.",
  "categories": {
    "src": 0,
    "tests": 0,
    "docs": 0,
    "config": 0,
    "deps": 0,
    "migrations": 0,
    "ci": 10,
    "generated": 0
  }
}

Local review gate — branch protection can require the pi-review commit status. See docs/REVIEW_SCHEMA.md.

@buremba buremba merged commit 77f1230 into main May 25, 2026
19 checks passed
@buremba buremba deleted the feat/pgvector-workflow-fix branch May 25, 2026 22:56