diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index c3acd66..363f20e 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -7,6 +7,33 @@ on:
     branches: [main]
 
 jobs:
+  changes:
+    # Detect whether the PR touches files that affect registry / build output.
+    # Doc-only PRs (audit catalogs, CHANGELOG, LICENSES, tools/) skip the noisy
+    # informational jobs (enrichment-metrics, mapping-count-regression) since
+    # they emit identical sticky comments on every run regardless of delta —
+    # which emails the PR author for no signal. See `.github/CONTRIBUTING.md`
+    # if you add a new gating job whose output should differ on doc PRs.
+    name: Detect changed paths
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    permissions:
+      pull-requests: read
+    outputs:
+      source: ${{ steps.filter.outputs.source }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          filters: |
+            source:
+              - 'data/**'
+              - 'scripts/**'
+              - 'CheckID.psd1'
+              - 'CheckID.psm1'
+              - '.github/workflows/**'
+
   lint:
     name: Lint PowerShell
     runs-on: ubuntu-latest
@@ -295,7 +322,8 @@ jobs:
 
   mapping-count-regression:
     name: Mapping Count Regression
-    if: github.event_name == 'pull_request'
+    needs: changes
+    if: github.event_name == 'pull_request' && needs.changes.outputs.source == 'true'
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -358,7 +386,8 @@ jobs:
 
   enrichment-metrics:
     name: Enrichment Metrics
-    if: github.event_name == 'pull_request'
+    needs: changes
+    if: github.event_name == 'pull_request' && needs.changes.outputs.source == 'true'
     runs-on: ubuntu-latest
     permissions:
       contents: read
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ca822ae..6aa056d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
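Review bot: `dorny/paths-filter@v3` is a third-party action referenced by a mutable major tag, and its `source` output now decides which jobs run, so it should be pinned to a full-length commit SHA with the version kept in a trailing comment, `- uses: dorny/paths-filter@<40-hex-commit-sha>  # v3.x.y`, and bumped by Dependabot/Renovate. A moving tag means a compromised or force-pushed upstream tag changes what executes in this workflow with no diff in this repository, which is exactly the supply-chain path the `permissions: pull-requests: read` block is otherwise careful about. The `actions/checkout@v4` step in the same job looks unnecessary here: for `pull_request` events paths-filter is documented as reading the changed-file list from the API rather than the working tree, so the checkout only lengthens the job and puts repository contents on a runner that needs nothing but the PR metadata — worth confirming against the action's README and dropping if so. The filter list also omits anything under `.github/actions/` or other CI helper directories; if the repo has such paths, add them, since a change there alters build output just as a workflow edit does.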
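Review bot: The new gate `needs.changes.outputs.source == 'true'` fails toward silence: if the `changes` job succeeds but the filter step produces no `source` output (a renamed filter key, an action upgrade that changes the output name), the expression is false and Mapping Count Regression is skipped with no error, which is the wrong default for a regression check. Inverting the comparison, `if: github.event_name == 'pull_request' && needs.changes.outputs.source != 'false'`, keeps doc-only PRs silent because the filter emits the string `false` for no match, while an absent output runs the job; a skipped `changes` job on push events still skips this one, since the condition carries no `always()`. The identical gate on enrichment-metrics should get the same treatment. The remainder of this job's definition is outside the hunk.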
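Review bot: The `needs: changes` line on enrichment-metrics carries no explanation at the site, so a reader of this job alone cannot tell why an informational job depends on a path filter; the rationale lives only in the comment at the top of the `changes` job some 380 lines earlier. A one-line comment above `needs: changes`, `# Gated by the changes job: skipped on doc-only PRs so the sticky comment is not re-posted with identical numbers.`, makes the dependency self-describing, and the same comment belongs on mapping-count-regression. The two gate expressions are duplicated verbatim across both jobs; note in the comment that they must change together, since there is no shared definition to keep them in lock-step. The rest of this job is outside the hunk.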
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/).
 
 ## [Unreleased]
 
+### Changed
+
+- **CI: skip noisy informational PR comments on doc-only PRs.** The `enrichment-metrics` and `mapping-count-regression` jobs in `.github/workflows/validate.yml` now skip when a PR doesn't touch `data/`, `scripts/`, the module manifest, or the workflows themselves. Both jobs post sticky comments via `github-actions[bot]`; previously they fired on every PR including the v3.4.0 audit-doc series, emitting identical numbers and emailing the PR author for no signal. New `changes` job uses `dorny/paths-filter@v3` to detect source-affecting changes; gating happens via `needs: changes` + `if: needs.changes.outputs.source == 'true'`. PRs that legitimately change registry / build output still get the full sticky comments — only doc-only PRs are silent now.
+
 ### Documentation
 
 - **`docs/audits/conditional-access.md`** — first domain audit under the v3.4.0 umbrella ([#326](https://github.com/Galvnyz/CheckID/issues/326)). Resolves spike [#327](https://github.com/Galvnyz/CheckID/issues/327). Catalogs **42 canonical CA patterns** across 5 sub-domains (foundational, surface-area, external/guest, anti-pattern, modern 2024-2026), maps them against the registry's 26 existing CA-related checks, identifies **17 coverage gaps** to file as `feat:` issues, **6 narrative-refresh candidates**, and one consolidation opportunity (`ENTRA-CA-001` ↔ `CA-LEGACYAUTH-001`). Includes an AiTM defense matrix mapping CA controls to which adversary-in-the-middle phishing tradecraft they break, and a Graph endpoint detection-method appendix. Sets the methodology template for the remaining 13 v3.4.0 domain spikes.