Improve GitHub Workflow performance

.github/workflows/build.yml

@@ -3,12 +3,34 @@ name: Build
 # Validates GoReleaser can build on all branches (fork-friendly)
 on:
   pull_request:
+    paths:
+      - "**.go"
+      - "go.mod"
+      - "go.sum"
+      - ".goreleaser.yaml"
+      - "scripts/windows/**"
+      - ".github/workflows/build.yml"
+      - ".github/workflows/release.yml"
+      - ".github/workflows/release-fork.yml"
   push:
     branches:
       - '**'  # Run on all branches
+    paths:
+      - "**.go"
+      - "go.mod"
+      - "go.sum"
+      - ".goreleaser.yaml"
+      - "scripts/windows/**"
+      - ".github/workflows/build.yml"
+      - ".github/workflows/release.yml"
+      - ".github/workflows/release-fork.yml"
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   goreleaser-build:
     name: Build opkssh with GoReleaser
@@ -23,7 +45,6 @@ jobs:
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: 'go.mod'
-          cache: false
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
         with:

.github/workflows/ci.yml

@@ -4,23 +4,39 @@ name: CI
 # This allows fork developers to get CI feedback on their branches
 on:
   pull_request:
+    paths:
+      - "**.go"
+      - "go.mod"
+      - "go.sum"
+      - "policy/**"
+      - "scripts/**"
+      - "test/**"
+      - ".github/workflows/**"
   push:
     branches:
       - '**'  # Run on all branches
-  # schedule:
-  #   - cron: 0 14 * * MON-FRI # Every weekday at 14:00 UTC
+    paths:
+      - "**.go"
+      - "go.mod"
+      - "go.sum"
+      - "policy/**"
+      - "scripts/**"
+      - "test/**"
+      - ".github/workflows/**"
+  workflow_dispatch:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  # Check that binary can be built
+  # Check that binary can be built.
   build:
     name: Build
     runs-on: ubuntu-24.04
     timeout-minutes: 5
-    strategy:
-      matrix:
-        go-version: [1.24.x]
     steps:
     - name: Checkout
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -29,13 +45,11 @@ jobs:
     - name: Install Go
       uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
       with:
-        go-version: ${{ matrix.go-version }}
-    - name: Install dependencies
-      run: go mod download
+        go-version-file: 'go.mod'
     - name: Build
       run: go build -v -o /dev/null
-  
-  # Check that binary can be built on Windows
+
+  # Check that binary can be built on Windows.
   build-windows:
     name: Build Windows
     runs-on: windows-latest
@@ -46,11 +60,9 @@ jobs:
       with:
         persist-credentials: false
     - name: Install Go
-      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
       with:
         go-version-file: 'go.mod'
-    - name: Install dependencies
-      run: go mod download
     - name: Build Windows AMD64
       shell: pwsh
       run: |
@@ -67,8 +79,8 @@ jobs:
       shell: pwsh
       run: |
         .\opkssh-amd64.exe --version
-  
-  # Run Windows unit tests
+
+  # Run Windows unit tests.
   test-windows:
     name: 'Windows Tests'
     runs-on: windows-latest
@@ -79,20 +91,19 @@ jobs:
       with:
         persist-credentials: false
     - name: Install Go
-      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
       with:
         go-version-file: 'go.mod'
-    - name: Install dependencies
-      run: go mod download
     - name: Run unit tests
       shell: pwsh
       run: go test ./...
     - name: Run Pester tests
       shell: pwsh
       run: Invoke-Pester -Path scripts/windows/test -Output Detailed
-  
-  # Check that binary can be built natively on Windows ARM64
+
+  # Keep expensive Windows ARM64 coverage on the upstream repository.
   build-windows-arm64:
+    if: github.repository == 'openpubkey/opkssh' && (github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch')
     name: Build Windows ARM64
     runs-on: windows-11-arm
     timeout-minutes: 5
@@ -105,18 +116,17 @@ jobs:
       uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
       with:
         go-version-file: 'go.mod'
-    - name: Install dependencies
-      run: go mod download
     - name: Build Windows ARM64
       shell: pwsh
       run: go build -v -o opkssh-arm64.exe
     - name: Test binary works
       shell: pwsh
       run: |
         .\opkssh-arm64.exe --version
-  
-  # Run Windows ARM64 unit tests
+
+  # Keep expensive Windows ARM64 coverage on the upstream repository.
   test-windows-arm64:
+    if: github.repository == 'openpubkey/opkssh' && (github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch')
     name: 'Windows ARM64 Tests'
     runs-on: windows-11-arm
     timeout-minutes: 8
@@ -129,25 +139,19 @@ jobs:
       uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
       with:
         go-version-file: 'go.mod'
-    - name: Install dependencies
-      run: go mod download
     - name: Run unit tests
       shell: pwsh
       run: go test ./...
-  
-  # Run integration tests
+
+  # Run integration tests on x64 for every relevant change.
   test:
-    needs: build
     name: 'Integration Tests'
-    runs-on: ${{ matrix.runs_on }}
+    runs-on: ubuntu-24.04
     timeout-minutes: 8
     strategy:
+      fail-fast: false
       matrix:
-        runs_on: [ubuntu-24.04, ubuntu-24.04-arm]
         os: [ubuntu, centos, arch, opensuse]
-        exclude:
-          - runs_on: ubuntu-24.04-arm
-            os: arch
     env:
       OS_TYPE: ${{ matrix.os }}
     steps:
@@ -160,11 +164,36 @@ jobs:
       with:
         go-version-file: 'go.mod'
     - name: Install Docker
-      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-    - name: Install dependencies
-      run: go mod download
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
     - name: Run integration tests
       run: go test -tags=integration ./test/integration -timeout=15m -count=1 -parallel=2 -v
+
+  # Keep ARM integration coverage on the upstream repository.
+  test-arm:
+    if: github.repository == 'openpubkey/opkssh' && (github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch')
+    name: 'Integration Tests ARM64'
+    runs-on: ubuntu-24.04-arm
+    timeout-minutes: 8
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu, centos, opensuse]
+    env:
+      OS_TYPE: ${{ matrix.os }}
+    steps:
+    - name: Checkout
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        persist-credentials: false
+    - name: Install Go
+      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      with:
+        go-version-file: 'go.mod'
+    - name: Install Docker
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+    - name: Run integration tests
+      run: go test -tags=integration ./test/integration -timeout=15m -count=1 -parallel=2 -v
+
   lint-scripts:
     name: Shell Scripts Lint & Test
     runs-on: ubuntu-24.04

.github/workflows/cli-docs.yml

@@ -1,15 +1,21 @@
 name: CLI Docs
 
-# Runs CI when code merges to the CLI on main
+# Runs CI when code merges to the CLI on main.
 on:
   push:
     branches:
       - main
     paths:
       - "main.go"
+      - "commands/**"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   check-updates:
+    if: github.repository == 'openpubkey/opkssh'
     name: Check for updates to the CLI docs
     runs-on: ubuntu-latest
     permissions: