
ci: add path-based filtering and rollup for container image builds #833

Status: Open
mangelajo wants to merge 1 commit into main from ci/image-builds-path-filter

Conversation

@mangelajo (Member)

Problem

The build-images workflow builds all 8 container images on every merge queue run, even when most images' dependencies haven't changed. There's also no rollup job for use as a required status check.

Changes

Path-based filtering per image

Added a changes job using dorny/paths-filter that detects which Containerfile dependencies were modified. Each matrix entry now has a filter key mapping to a path filter:

| Filter | Images | Trigger paths |
|---|---|---|
| controller | jumpstarter-controller | controller/{Containerfile,go.mod,go.sum,cmd/,api/,internal/} |
| operator | jumpstarter-operator | controller/{Containerfile.operator,go.*,api/,internal/,deploy/operator/} |
| operator-bundle | jumpstarter-operator-bundle | controller/deploy/operator/{Containerfile.bundle,bundle/} |
| microshift | microshift/bootc | controller/deploy/microshift-bootc/, controller/deploy/operator/dist/ |
| python | jumpstarter, jumpstarter-devspace | python/ |
| python-utils | jumpstarter-utils | python/Containerfile.utils |
| python-dev | jumpstarter-dev | python/.devfile/Containerfile, .py-version |

Behavior by event

| Event | What gets built |
|---|---|
| push (main/tags/release) | All images (always) |
| workflow_dispatch | All images (always) |
| pull_request (labeled) | Labeled images only (existing behavior preserved) |
| merge_group | Only images whose dependencies changed |

Rollup job

Added an image-builds rollup job that can be set as a single required status check in branch protection. It passes when all builds succeed or are intentionally skipped (no changes), and fails on actual failures or cancellations.

Required status check

Add image-builds to branch protection required checks. This single check covers all container image builds regardless of how many were skipped vs built.

Add a changes job that detects which Containerfile dependencies were
modified, so the merge queue only builds images that actually need
rebuilding. Each matrix entry has a 'filter' key mapping to a path
filter output.

Behavior by event:
- push to main/tags/release: always build all images
- workflow_dispatch: always build all images
- pull_request: only build when labeled (existing behavior preserved)
- merge_group: only build images whose dependencies changed

Add an 'image-builds' rollup job that can be used as a single required
status check in branch protection, similar to 'pytest' and 'e2e'.
coderabbitai Bot (Contributor) commented Jun 23, 2026


📝 Walkthrough

The build-images.yaml workflow is updated to wire per-image dorny/paths-filter outputs into merge_group build decisions, add a filter key to each matrix entry, reformulate the build-and-push-image job condition into a multiline expression, and introduce an always-run image-builds aggregator job that exits non-zero on any failure or cancellation.

Changes

Image Build Gating and Failure Reporting

| Layer | File(s) | Summary |
|---|---|---|
| Path-filter outputs and job condition | .github/workflows/build-images.yaml | Reshapes the changes job to emit named per-component outputs and rewrites the build-and-push-image if: condition as a multiline expression covering non-PR events and the build-pr-images label check. |
| Matrix filter key standardization | .github/workflows/build-images.yaml | Adds a filter key to each matrix entry (controller, operator, microshift, Python images) aligned to the corresponding changes job output name. |
| Event-aware build step logic | .github/workflows/build-images.yaml | Replaces the PR-only skip/build block with an event-dispatched shell block: push/workflow_dispatch always builds, pull_request uses label-based filtering, and merge_group builds only when needs.changes.outputs[matrix.filter] signals relevant file changes. |
| image-builds aggregator job | .github/workflows/build-images.yaml | Adds an if: always() aggregator job that iterates over needed job results and forces exit 1 on any failure or cancelled result while allowing skipped jobs to pass. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • jumpstarter-dev/jumpstarter#255: Introduced the original build-pr-images label-based per-image skip/gating logic in the same build-images.yaml workflow that this PR extends with merge_group support and failure aggregation.

Suggested reviewers

  • bennyz
  • raballew
  • evakhoni

Poem

🐇 Hop, hop through the merge queue I go,
Checking each filter for files changed below.
If skipped — no fuss, just a gentle pass,
If failed — I thump and the workflow won't last.
Labels and events, all neatly in line,
This rabbit ensures every build is just fine! 🌟

🚥 Pre-merge checks: 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately and concisely describes the main changes: adding path-based filtering and a rollup job for container image builds in CI. |
| Description check | ✅ Passed | The description is directly related to the changeset, providing detailed context about the problem, implementation strategy, and expected behavior. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


coderabbitai Bot (Contributor) left a review

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-images.yaml:
- Around line 32-34: The actions/checkout step in the changes job is persisting
credentials by default, which unnecessarily exposes authentication tokens since
this job only performs local path filtering with dorny/paths-filter that
requires no authenticated operations. Add persist-credentials: false to the with
block of the actions/checkout step to disable credential persistence and reduce
the attack surface by minimizing token exposure.
- Around line 21-31: The `changes` job lacks explicit GITHUB_TOKEN permission
declarations, relying on default permissions which violates least privilege
security practices. Add an explicit `permissions` field to the `changes` job
configuration to lock down token access. Set the permissions to either read-only
access (if the job requires reading repository data) or empty permissions (if
the job requires no token access), depending on what the filter step actually
needs. Repeat this same fix for the `image-builds` job mentioned at line 359.

ℹ️ Review info

Reviewing files that changed from the base of the PR and between b38ff9a and 090bd16.

Files selected for processing (1):
  • .github/workflows/build-images.yaml
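The gating and rollup scheme from the PR description above, combined with the two hardening points CodeRabbit raises in this review (explicit per-job permissions and persist-credentials: false on the checkout), as one added example workflow. This is not the project's build-images.yaml: the trigger list, the reduced set of filters and matrix entries, the single build-pr-images label check (the project's per-image label logic is not reproduced), the pinned action versions and the echo placeholder standing in for the real build/push steps are all assumptions made for the example.

```yaml
name: build-images

on:
  push:
    branches: [main]            # assumed trigger list; the project also builds tags/release branches
  pull_request:
    types: [opened, synchronize, reopened, labeled]
  merge_group:
  workflow_dispatch:

permissions: {}                 # workflow default: no GITHUB_TOKEN scopes; jobs opt in below

jobs:
  changes:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # clone for the local git diff on push/merge_group
      pull-requests: read       # paths-filter lists changed files via the API on pull_request
    outputs:
      controller: ${{ steps.filter.outputs.controller }}
      python: ${{ steps.filter.outputs.python }}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # no authenticated git operation follows the clone
      - id: filter
        uses: dorny/paths-filter@v3
        with:
          filters: |
            controller:
              - 'controller/Containerfile'
              - 'controller/go.mod'
              - 'controller/go.sum'
              - 'controller/cmd/**'
              - 'controller/api/**'
              - 'controller/internal/**'
            python:
              - 'python/**'
              - '.py-version'

  build-and-push-image:
    needs: changes
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # Job-level gate: any non-PR event proceeds; a PR needs the build-pr-images label.
    if: >-
      github.event_name != 'pull_request' ||
      contains(github.event.pull_request.labels.*.name, 'build-pr-images')
    strategy:
      fail-fast: false
      matrix:
        include:
          - { image: jumpstarter-controller, filter: controller }
          - { image: jumpstarter, filter: python }
    steps:
      - id: gate
        shell: bash
        env:
          EVENT: ${{ github.event_name }}
          CHANGED: ${{ needs.changes.outputs[matrix.filter] }}   # 'true' when this image's inputs changed
        run: |
          case "$EVENT" in
            push|workflow_dispatch) build=true ;;        # always rebuild everything
            pull_request)           build=true ;;        # label already enforced at the job level
            merge_group)            build="$CHANGED" ;;  # only images whose dependencies changed
            *)                      build=false ;;
          esac
          echo "build=$build" >> "$GITHUB_OUTPUT"
      - name: Build and push ${{ matrix.image }}
        if: steps.gate.outputs.build == 'true'
        run: echo "build ${{ matrix.image }} here"   # placeholder for the project's own build/push steps

  image-builds:
    needs: [changes, build-and-push-image]
    if: always()                  # never skip: a skipped required check is treated as passing
    runs-on: ubuntu-latest
    permissions: {}               # status aggregation only; no token needed
    steps:
      - name: Fail on failure or cancellation; success and skipped both pass
        env:
          RESULTS: ${{ toJSON(needs) }}
        run: |
          rc=0
          for job in $(echo "$RESULTS" | jq -r 'keys[]'); do
            result=$(echo "$RESULTS" | jq -r --arg j "$job" '.[$j].result')
            case "$result" in
              success|skipped)   echo "$job: $result" ;;
              failure|cancelled) echo "::error::$job: $result"; rc=1 ;;
              *)                 echo "::error::$job: unexpected result '$result'"; rc=1 ;;
            esac
          done
          exit "$rc"
```

Two points a reviewer should check before relying on this. First, the rollup must be the job named in branch protection (image-builds) and must carry if: always(): a job that is skipped by its own if: reports a skipped conclusion, and required-check evaluation accepts skipped as passing, so a skippable aggregator would wave merges through; always() also makes a cancelled run surface as cancelled and fail. Second, persist-credentials: false only stops actions/checkout from writing the token into .git/config; dorny/paths-filter still receives github.token through its token input for the pull_request API path, which is why the changes job keeps pull-requests: read, and for events other than pull_request/push it diffs against its base input (the repository default branch unless set), so confirm that behaviour for the version you pin.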

@github-actions

Container Images

The following container images have been built for this PR:

| Image | URI |
|---|---|
| jumpstarter-controller | quay.io/jumpstarter-dev/jumpstarter-controller:pr-833 |
| jumpstarter-operator | quay.io/jumpstarter-dev/jumpstarter-operator:pr-833 |
| jumpstarter-operator-bundle | quay.io/jumpstarter-dev/jumpstarter-operator-bundle:pr-833 |
| jumpstarter | quay.io/jumpstarter-dev/jumpstarter:pr-833 |
| jumpstarter-utils | quay.io/jumpstarter-dev/jumpstarter-utils:pr-833 |
| jumpstarter-dev | quay.io/jumpstarter-dev/jumpstarter-dev:pr-833 |
| jumpstarter-devspace | quay.io/jumpstarter-dev/jumpstarter-devspace:pr-833 |

Images expire after 7 days.

@mangelajo mangelajo added this pull request to the merge queue Jun 24, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jun 24, 2026
Review comment on .github/workflows/build-images.yaml, on these filter entries (excerpt as shown in the thread):

```yaml
- 'python/Containerfile.utils'
python-dev:
- 'python/.devfile/Containerfile'
- '.py-version'
```

Member:

.go-version
.uv-version


3 participants