ci: skip native builds on no-rust PRs; shrink matrix to linux x64 on PR

[27Bslash6]

Summary

build-native.yml ran the full 5-platform matrix on every PR push: linux x64 (self-hosted) + linux aarch64 (ubuntu-latest) + macOS x86 + macOS arm + Windows. macOS runners are ~10× ubuntu cost, Windows ~2×. For a typo fix to a markdown file this was firing five platform builds. Two cheap levers close most of the cost:

1. Path filter on pull_request — the workflow no longer triggers at all for PRs that don't touch the native crate. Only PRs changing packages/cachekit-core-ts/**, pnpm-lock.yaml, or this workflow itself will spin up runners.
2. Dynamic matrix — a new matrix job resolves the build matrix at run-time. On PRs it shrinks to just x86_64-unknown-linux-gnu (the self-hosted runner — already paid for, cheap, catches the vast majority of compile errors). On push: main and release tag pushes the full 5-target matrix still runs — that's the gate that actually feeds publication, so coverage where it matters is preserved.

Cost model after this PR

Trigger	Targets built	Cost
PR with no Rust change	nothing	$0
PR touching cachekit-core-ts/	1× linux x64 (self-hosted)	minimal
push: main	full 5-target matrix	unchanged from today
Tag cachekit-core-ts-v*	full 5-target matrix + publish	unchanged from today

Why this is safe

• test job depends on build and downloads the bindings-x86_64-unknown-linux-gnu artifact specifically — that artifact is always produced (it's in both the PR matrix and the full matrix), so the test gate is unaffected.
• publish job only fires on refs/tags/cachekit-core-ts-v*, which always pushes (not PRs), so the full matrix runs before publish. No risk of shipping platform packages that weren't built.
• Cross-platform regressions still get caught on the post-merge push: main run — and if one slips through, it surfaces before any release tag, not in a customer's pnpm install.

Test plan

• actionlint clean (run locally via prek)
• This PR itself does NOT touch cachekit-core-ts/** → build-native.yml should skip entirely on this PR. (If you see it run, the path filter regressed.)
• Verify next Rust-touching PR runs only the linux x64 leg
• Verify next push: main runs all 5 platforms

Out of scope

• The npm OIDC trusted-publishing migration discussed earlier (separate chore/release-hardening PR)
• The fork-PR runs-on strategy for ci.yml's self-hosted runners (separate, larger change)

Summary by CodeRabbit

• Chores
  • Optimized the native build workflow to reduce unnecessary runs by only triggering when relevant files change. Build targets are now dynamically computed based on the event type—pull requests use a lean configuration while production releases build all targets.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b0a098d1-9ecc-4773-a777-41fc0005b99f

📥 Commits

Reviewing files that changed from the base of the PR and between ce50e84 and e722048.

📒 Files selected for processing (1)

• .github/workflows/build-native.yml

---

📝 Walkthrough

Walkthrough

The Build Native GitHub Actions workflow is optimized to reduce unnecessary runs and scale the build matrix dynamically. Pull requests now trigger only when native crate paths, the workflow file, or pnpm-lock.yaml change. The static cross-platform matrix is replaced by conditional logic that builds fewer targets on PRs while maintaining full coverage for main and tag pushes.

Changes

Build Native Workflow Optimization

Layer / File(s)	Summary
Pull request path filtering .github/workflows/build-native.yml	Adds pull_request.paths filters to skip workflow runs unless changes affect the native crate directory, the workflow itself, or the lock file.
Dynamic build matrix generation .github/workflows/build-native.yml	Introduces "Resolve build matrix" step that generates conditional JSON matrix output based on github.event_name: PRs build only x86_64-unknown-linux-gnu on cachekit-lean runner, while main/tag events build full Linux/macOS/Windows target set.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A rabbit hops through workflows bright,
Trimming builds with path-filter might,
PR checks lean and fast they run,
Main branch builds—the full monofun!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the two main objectives: skipping native builds on PRs without Rust changes and reducing the build matrix to Linux x64 for PRs.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}