chore(ci): skip enrichment-metrics + mapping-count comments on doc-only PRs

.github/workflows/validate.yml

@@ -7,6 +7,33 @@ on:
     branches: [main]
 
 jobs:
+  changes:
+    # Detect whether the PR touches files that affect registry / build output.
+    # Doc-only PRs (audit catalogs, CHANGELOG, LICENSES, tools/) skip the noisy
+    # informational jobs (enrichment-metrics, mapping-count-regression) since
+    # they emit identical sticky comments on every run regardless of delta —
+    # which emails the PR author for no signal. See `.github/CONTRIBUTING.md`
+    # if you add a new gating job whose output should differ on doc PRs.
+    name: Detect changed paths
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    permissions:
+      pull-requests: read
+    outputs:
+      source: ${{ steps.filter.outputs.source }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          filters: |
+            source:
+              - 'data/**'
+              - 'scripts/**'
+              - 'CheckID.psd1'
+              - 'CheckID.psm1'
+              - '.github/workflows/**'
+
   lint:
     name: Lint PowerShell
     runs-on: ubuntu-latest
@@ -295,7 +322,8 @@ jobs:
 
   mapping-count-regression:
     name: Mapping Count Regression
-    if: github.event_name == 'pull_request'
+    needs: changes
+    if: github.event_name == 'pull_request' && needs.changes.outputs.source == 'true'
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -358,7 +386,8 @@ jobs:
 
   enrichment-metrics:
     name: Enrichment Metrics
-    if: github.event_name == 'pull_request'
+    needs: changes
+    if: github.event_name == 'pull_request' && needs.changes.outputs.source == 'true'
     runs-on: ubuntu-latest
     permissions:
       contents: read

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/).
 
 ## [Unreleased]
 
+### Changed
+
+- **CI: skip noisy informational PR comments on doc-only PRs.** The `enrichment-metrics` and `mapping-count-regression` jobs in `.github/workflows/validate.yml` now skip when a PR doesn't touch `data/`, `scripts/`, the module manifest, or the workflows themselves. Both jobs post sticky comments via `github-actions[bot]`; previously they fired on every PR including the v3.4.0 audit-doc series, emitting identical numbers and emailing the PR author for no signal. New `changes` job uses `dorny/paths-filter@v3` to detect source-affecting changes; gating happens via `needs: changes` + `if: needs.changes.outputs.source == 'true'`. PRs that legitimately change registry / build output still get the full sticky comments — only doc-only PRs are silent now.
+
 ### Documentation
 
 - **`docs/audits/conditional-access.md`** — first domain audit under the v3.4.0 umbrella ([#326](https://github.com/Galvnyz/CheckID/issues/326)). Resolves spike [#327](https://github.com/Galvnyz/CheckID/issues/327). Catalogs **42 canonical CA patterns** across 5 sub-domains (foundational, surface-area, external/guest, anti-pattern, modern 2024-2026), maps them against the registry's 26 existing CA-related checks, identifies **17 coverage gaps** to file as `feat:` issues, **6 narrative-refresh candidates**, and one consolidation opportunity (`ENTRA-CA-001` ↔ `CA-LEGACYAUTH-001`). Includes an AiTM defense matrix mapping CA controls to which adversary-in-the-middle phishing tradecraft they break, and a Graph endpoint detection-method appendix. Sets the methodology template for the remaining 13 v3.4.0 domain spikes.