Refactor "code check" GitHub workflow for execution speed

[forstmeier]

Overview

Changes

• update workflow for per-language change checks
• update Coveralls upload for updated language coverage

Context

Minor update because I'm tired of Rust running on every single run even with the cache.

Summary by CodeRabbit

• Chores
  • CI now detects changed areas and conditionally runs language-specific checks only when relevant (Rust still always runs on main).
  • Coverage reporting simplified: per-language reports are checked for presence and uploaded in parallel to Coveralls; redundant artifact merge/download steps removed.
  • Added a final verification step that fails the workflow if any required check neither succeeded nor was skipped.
  • Workflow declares minimal top-level permissions for repo operations.

[coderabbitai]

📝 Walkthrough

Walkthrough

Added a change-detection job to conditionally run language-specific CI checks, rewrote coverage upload to use parallel Coveralls uploads and a parallel-finished finalizer, and added a verification job plus workflow permissions to fail the run when required checks neither succeeded nor were skipped.

Changes

Cohort / File(s)	Summary
Workflow: change detection & conditional jobs .github/workflows/run_code_checks.yaml	Added detect_changes job using dorny/paths-filter with outputs rust, python, markdown, yaml. Updated run_*_code_checks jobs to needs: detect_changes and gated execution via if: conditions (Rust still runs on master).
Workflow: coverage upload rewrite .github/workflows/run_code_checks.yaml	Removed artifact upload/download/merge steps. Per-language jobs now call coverallsapp/github-action@v2 with flag-name/file and parallel: true. Renamed upload_test_coverage → finish_coverage_upload, using parallel-finished: true and carryforward: rust,python; added per-language existence checks for expected coverage files.
Workflow: verification & permissions .github/workflows/run_code_checks.yaml	Added verify_code_checks_passed job that runs always() and fails workflow when required jobs' results are not success/skipped. Added top-level workflow permissions (contents: read, pull-requests: read, statuses: write).

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Detect as Detect Changes (paths-filter)
participant Runner as GitHub Actions Runner
participant Jobs as Language Jobs (Rust/Python/Markdown/YAML)
participant Coveralls as Coveralls Action
participant Finish as Finish Coveralls
participant Verify as Verify Checks
Detect->>Runner: emit outputs (rust, python, markdown, yaml)
Runner->>Jobs: conditionally start per-language jobs based on outputs
Jobs->>Coveralls: upload coverage parts (parallel, flag-name) or fail if file missing
Coveralls->>Finish: receive parallel parts
Runner->>Finish: trigger parallel-finished (carryforward: rust,python)
Finish->>Verify: report final upload status
Verify->>Runner: fail workflow if required jobs not success/skipped

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Add YAML/expand Python tooling checks #759: Modifies the same .github/workflows/run_code_checks.yaml, altering job definitions and conditional logic.
• Add Markdown check/add language-specific triggers #746: Adds language-specific detect_changes gating using dorny/paths-filter in CI workflows.
• Remove parallel mode from Coveralls check #517: Changes Coveralls upload behavior (parallel/flag-name) similar to this PR.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: refactoring the GitHub workflow to execute code checks only for languages with relevant file changes, which directly improves execution speed by eliminating unnecessary jobs.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch language-specific-github-workflows-checks

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR refactors the run_code_checks GitHub Actions workflow to add path-based change detection so that language-specific check jobs (Rust, Python, Markdown, YAML) only run when relevant files are modified. Rust checks retain an unconditional run on master pushes to keep the cache warm. Coverage reporting is simplified from artifact-upload-then-download to direct per-language parallel uploads to Coveralls, with a finalization step. A new verify_code_checks_passed gate job ensures no check silently passes in a cancelled or failed state.

Key changes:

• New detect_changes job using dorny/paths-filter@v3 drives conditional execution for all four language jobs.
• Rust checks always run on master (github.ref == 'refs/heads/master') to maintain the Swatinem rust-cache; other languages are fully conditional.
• Coverage uploads are now inline within each language job (parallel: true) with a shared finish_coverage_upload finalization step; carryforward: rust,python handles the case where one language job was skipped.
• verify_code_checks_passed iterates all job results and fails if any result is neither success nor skipped, providing a reliable branch-protection target.
• Top-level permissions block explicitly scopes to contents: read, pull-requests: read, and statuses: write.

Confidence Score: 5/5

Safe to merge — logic is correct across all conditional execution paths, coverage finalization, and the verify gate.

The workflow change is well-reasoned and internally consistent. The conditional || in finish_coverage_upload correctly handles the case where only one language job ran. The carryforward setting handles skipped jobs gracefully. The verify job correctly treats both success and skipped as acceptable states. No P0 or P1 issues were identified.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/run_code_checks.yaml	Refactors CI to add path-based change detection, per-language conditional execution, direct parallel Coveralls uploads, and a final verification job — logic is sound with no critical issues.

_{Reviews (7): Last reviewed commit: "Merge branch 'master' into language-spec..." | Re-trigger Greptile}

[coderabbitai]

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.

👉 Steps to fix this

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/run_code_checks.yaml:
- Around line 11-39: Add a workflow-level permissions block to restrict
GITHUB_TOKEN to least privilege: in the workflow that defines the detect_changes
job (and the dorny/paths-filter step) add a top-level permissions: entry
granting only pull-requests: read (required by dorny/paths-filter) plus any
other minimal permissions needed by downstream steps (e.g., statuses: write if
Coveralls needs it); ensure no broad permissions like write-all are used and
GITHUB_TOKEN is not implicitly allowed beyond these explicit permissions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c9e0e742-6dbc-4f82-b3a3-dca34316d988

📥 Commits

Reviewing files that changed from the base of the PR and between a8d8527 and 1f44e81.

📒 Files selected for processing (1)

• .github/workflows/run_code_checks.yaml

[Copilot]

Pull request overview

Refactors the run_code_checks GitHub Actions workflow to reduce CI runtime by only running language-specific checks when relevant files change, and updates coverage reporting to Coveralls using parallel uploads.

Changes:

• Add a detect_changes job (via dorny/paths-filter) and gate Rust/Python/Markdown/YAML jobs based on detected file changes.
• Switch Rust/Python coverage handling from artifact upload/download to per-job Coveralls uploads with a final “parallel-finished” step.
• Add a final verify_all_checks_passed job to fail the workflow if any required job fails/cancels (while allowing skipped jobs).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.

👉 Steps to fix this

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/run_code_checks.yaml:
- Around line 30-49: The workflow filters currently won't match the workflow
file itself or the shared CI inputs; update the filter sets so the
Rust/Python/Markdown/YAML groups include the workflow and shared inputs patterns
(e.g., add a pattern matching the workflows directory or this file such as
'.github/**' or specifically the workflow filename) and ensure '.flox/**' and
'devenv.*' are present in the Markdown and YAML filter blocks as well so the
refactored job paths and Flox/devenv inputs are exercised; adjust the keys shown
(rust, python, markdown, yaml) to include those additional patterns so
run_code_checks.yaml and shared CI files are detected.
- Around line 151-164: The Coveralls finalization step currently runs when
either language job succeeds (using OR) which allows publishing stale coverage
via the carryforward parameter even if the other job failed; update the workflow
`if` condition for the "Finalize coverage upload" step to require both
`needs.run_rust_code_checks.result == 'success'` AND
`needs.run_python_code_checks.result == 'success'` (so the step only runs when
both language checks succeeded) and keep `parallel-finished`/`carryforward`
as-is for true skipped jobs.
- Around line 90-96: Guard the Coveralls upload step by checking
.coverage_output/rust.xml exists before running it: add a preliminary step (id:
check-rust-coverage) that runs a shell test like [ -f .coverage_output/rust.xml
] and sets an output (rust_exists) to "true" or "false", and then add an if:
condition on the Coveralls step (the step using coverallsapp/github-action@v2)
such as if: steps.check-rust-coverage.outputs.rust_exists == 'true' so the
upload (file: .coverage_output/rust.xml, flag-name: rust) only runs when the
rust.xml file is present.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: be848c89-f25e-4c8d-ade6-dcd691db6a4d

📥 Commits

Reviewing files that changed from the base of the PR and between 1f44e81 and 45815d9.

📒 Files selected for processing (1)

• .github/workflows/run_code_checks.yaml

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.

👉 Steps to fix this

Actionable comments posted: 1

♻️ Duplicate comments (1)

.github/workflows/run_code_checks.yaml (1)

168-173: ⚠️ Potential issue | 🟡 Minor

Coveralls finalization may still mask failed jobs with stale coverage.

The current condition allows parallel-finished to run when one job succeeds and the other fails. With carryforward: rust,python, a failed Python job would still publish the last known Python coverage from a previous build, masking the failure in coverage metrics.

Consider strengthening the condition to ensure neither job failed:

🧭 Suggested condition to prevent stale coverage on failure

     if: |
       always() &&
+      (
+        needs.run_rust_code_checks.result == 'success' ||
+        needs.run_rust_code_checks.result == 'skipped'
+      ) &&
+      (
+        needs.run_python_code_checks.result == 'success' ||
+        needs.run_python_code_checks.result == 'skipped'
+      ) &&
       (
         needs.run_rust_code_checks.result == 'success' ||
         needs.run_python_code_checks.result == 'success'
       )

This ensures coverage is only finalized when all language jobs either passed or were intentionally skipped (no changes detected), preventing stale carryforward data from masking actual test failures.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/run_code_checks.yaml around lines 168 - 173, The
parallel-finished job currently runs when either run_rust_code_checks OR
run_python_code_checks succeeded, allowing carryforward to publish stale
coverage; update the job's if condition (the expression under the if: for the
parallel-finished step) to only proceed when neither
needs.run_rust_code_checks.result nor needs.run_python_code_checks.result is
'failure' (e.g., require both results != 'failure' or explicitly require each is
one of success/skipped/neutral), so that a failed language job prevents
finalizing Coveralls when using carryforward: rust,python.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/run_code_checks.yaml:
- Around line 128-134: Add the same file-existence guard used for Rust: create a
prior step (e.g., "Check Python coverage file") that checks for
.coverage_output/python.xml and sets an output like coverage_exists, then add an
if condition to the "Upload coverage to Coveralls" step so it only runs when
that output is true; reference the step name "Upload coverage to Coveralls" and
the target file ".coverage_output/python.xml" when making the change.

---

Duplicate comments:
In @.github/workflows/run_code_checks.yaml:
- Around line 168-173: The parallel-finished job currently runs when either
run_rust_code_checks OR run_python_code_checks succeeded, allowing carryforward
to publish stale coverage; update the job's if condition (the expression under
the if: for the parallel-finished step) to only proceed when neither
needs.run_rust_code_checks.result nor needs.run_python_code_checks.result is
'failure' (e.g., require both results != 'failure' or explicitly require each is
one of success/skipped/neutral), so that a failed language job prevents
finalizing Coveralls when using carryforward: rust,python.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: e3cd527d-3399-466f-b210-e100d418d435

📥 Commits

Reviewing files that changed from the base of the PR and between 45815d9 and 26fb00c.

📒 Files selected for processing (1)

• .github/workflows/run_code_checks.yaml

[coveralls]

coverage: 78.162% (+0.06%) from 78.101%
when pulling 6777dea on language-specific-github-workflows-checks
into 2feadf6 on master.

[coderabbitai]

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.

👉 Steps to fix this

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/run_code_checks.yaml:
- Around line 111-115: The workflow job run_python_code_checks lacks a timeout
and can hang indefinitely; add a timeout-minutes setting to the job definition
(e.g., timeout-minutes: 60) under the run_python_code_checks job to mirror the
Rust job and prevent hung CI runs, ensuring the timeout is placed alongside
runs-on and other job-level keys in the job block.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 370d3000-87ad-455a-9dfc-73fca4a10ec0

📥 Commits

Reviewing files that changed from the base of the PR and between 26fb00c and 9a4fee9.

📒 Files selected for processing (1)

• .github/workflows/run_code_checks.yaml

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.