From 36fb2dacebdb5d32a92c7cd723844e836a0d9b2b Mon Sep 17 00:00:00 2001
From: Caleb Gross <caleb@grossventures.com>
Date: Fri, 20 Mar 2026 11:16:13 -0400
Subject: [PATCH] ci: only run CI on release-please PRs and release tags

Regular feature and dependabot PRs now skip CI entirely, relying on
local pre-commit hooks (go fmt, go vet, golangci-lint) for quality.
CI runs as a pre-release gate on release-please PRs and as a final
check on v* tag pushes. workflow_dispatch preserved as an escape hatch.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/ci.yml | 38 +++++++++++++++++++++++++++++++-------
 1 file changed, 31 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e088353..fb97515 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,14 +1,36 @@
 name: CI
 
+# Runs on release-please PRs (pre-release gate) and release tags (final check).
+# Regular PRs rely on local pre-commit hooks (go fmt, go vet, golangci-lint).
 on:
   push:
-    branches: [main]
+    tags: ["v*"]
   pull_request:
     branches: [main]
   workflow_dispatch:
 
 jobs:
+  # Skip CI for non-release PRs (dependabot, feature branches, etc.)
+  # Release-please branches match: release-please--branches--main
+  should-run:
+    runs-on: ubuntu-latest
+    outputs:
+      run: ${{ steps.check.outputs.run }}
+    steps:
+      - name: Check if CI should run
+        id: check
+        run: |
+          if [ "${{ github.event_name }}" != "pull_request" ]; then
+            echo "run=true" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ github.head_ref }}" == release-please--* ]]; then
+            echo "run=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "run=false" >> "$GITHUB_OUTPUT"
+          fi
+
   test-matrix:
+    needs: [should-run]
+    if: needs.should-run.outputs.run == 'true'
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest]
@@ -28,10 +50,9 @@ jobs:
         shell: bash
         run: go test -race -count=1 ./...
 
-  # Gate job — preserves the "test" check name for branch protection rules.
   test:
-    needs: [test-matrix]
-    if: always()
+    needs: [should-run, test-matrix]
+    if: always() && needs.should-run.outputs.run == 'true'
     runs-on: ubuntu-latest
     steps:
       - name: Check matrix results
@@ -42,6 +63,8 @@ jobs:
           fi
 
   lint:
+    needs: [should-run]
+    if: needs.should-run.outputs.run == 'true'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -56,6 +79,8 @@ jobs:
           version: v2.11.3
 
   build-matrix:
+    needs: [should-run]
+    if: needs.should-run.outputs.run == 'true'
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest]
@@ -71,10 +96,9 @@ jobs:
         shell: bash
         run: go build -ldflags "-s -w" -o bin/mnemonic ./cmd/mnemonic
 
-  # Gate job — preserves the "build" check name for branch protection rules.
   build:
-    needs: [build-matrix]
-    if: always()
+    needs: [should-run, build-matrix]
+    if: always() && needs.should-run.outputs.run == 'true'
     runs-on: ubuntu-latest
     steps:
       - name: Check matrix results