ci: optimise build pipeline — shared dev image build and skip tests on tag push (#167)

* ci: split dev image build into a shared job

Extract the Docker build step into a dedicated `build` job so `quality`
and `tests` no longer each build the image independently. Both jobs now
load from the shared `devbuild` GHA cache scope and declare `needs: build`.

* ci: skip quality+tests on tag push, verify prior CI run instead

When tagging a commit that already passed CI on main, there is no need
to run quality and tests again. Both jobs now skip for tag refs.

A new `verify-prior-run` job runs instead: it queries the GitHub API for
a prior successful CI run on the same SHA (excluding the current run) and
fails fast if none is found, preventing deployment of untested tags.

`build-deploy` now uses `always() && !cancelled() && !failure()` so it
handles the mix of skipped (quality/tests) and successful (verify-prior-run)
needed jobs correctly.

* ci: bump GitHub Actions to Node.js 24 compatible versions

* ci: add Dependabot config for GitHub Actions version updates

* ci: pin all GitHub Actions to commit SHAs

* ci: disable credential persistence on all checkout steps
2026-07-03 12:18:29 +02:00
committed by GitHub
parent 815e7b17be
commit 806cff8c0f
2 changed files with 83 additions and 27 deletions
@@ -28,3 +28,7 @@ updates:
directory: "/"
schedule:
interval: "daily"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
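Review bot: the new `github-actions` entry sets `interval: "weekly"` while the entry directly above it in this hunk uses `"daily"`, and nothing here says why the two schedules differ. Because the same commit pins every action to a commit SHA, Dependabot PRs become the only route by which upstream fixes to those actions reach the workflows, so either match the daily schedule or add a short comment explaining the weekly choice. A `groups` block for this ecosystem would also collect the SHA bumps into a single PR rather than one per action.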