From 2fd3c2403571125dbb1ff9af0854111c4b538bac Mon Sep 17 00:00:00 2001
From: Stefan Krawczyk <stefank@cs.stanford.edu>
Date: Sat, 2 May 2026 18:52:47 -0700
Subject: [PATCH] ci: fix required checks blocking Dependabot PRs

Remove paths-ignore from release-validation workflow and add a
check-paths job that detects whether the full validation should run.
When only docs/ or website/ files change, the build-artifacts and
install-and-smoke jobs are skipped rather than never triggered, which
satisfies branch protection required check requirements.
---
 .github/workflows/release-validation.yml | 35 +++++++++++++++++++-----
 1 file changed, 28 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/release-validation.yml b/.github/workflows/release-validation.yml
index 375ff4df..6271cd80 100644
--- a/.github/workflows/release-validation.yml
+++ b/.github/workflows/release-validation.yml
@@ -35,12 +35,6 @@ on:
       - 'v*.*.*-incubating-RC*'
   pull_request:
     types: [opened, synchronize, reopened]
-    paths-ignore:
-      - 'docs/**'
-      - 'website/**'
-      # Note: do NOT use '**/*.md' here. Some bundled examples ship .md files
-      # (e.g. examples/deployment/aws/terraform/tutorial.md) and a missing
-      # ASF header on those would cause a real RAT failure we want to catch.
   workflow_dispatch:
 
 concurrency:
@@ -51,8 +45,34 @@ permissions:
   contents: read
 
 jobs:
+  check-paths:
+    name: "Release Validation / check-paths"
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    outputs:
+      should_run: ${{ steps.check.outputs.should_run }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - id: check
+        run: |
+          if [ "${{ github.event_name }}" != "pull_request" ]; then
+            echo "should_run=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          CHANGED=$(git diff --name-only origin/${{ github.base_ref }}...HEAD)
+          # If any changed file is outside docs/ and website/, run the full validation
+          if echo "$CHANGED" | grep -qvE '^(docs/|website/)'; then
+            echo "should_run=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "should_run=false" >> "$GITHUB_OUTPUT"
+          fi
+
   build-artifacts:
     name: "Release Validation / build-artifacts"
+    needs: check-paths
+    if: needs.check-paths.outputs.should_run == 'true'
     runs-on: ubuntu-latest
     timeout-minutes: 20
     outputs:
@@ -134,7 +154,8 @@ jobs:
 
   install-and-smoke:
     name: "Release Validation / install-and-smoke"
-    needs: build-artifacts
+    needs: [check-paths, build-artifacts]
+    if: needs.check-paths.outputs.should_run == 'true'
     runs-on: ubuntu-latest
     timeout-minutes: 10
     strategy: