cicd: check if sensitive files are modified before cibuild.

yq33victor · yq33victor · commit c383cb94d1ec · 2025-11-08T09:41:08.000+08:00
Signed-off-by: Tao Peng &lt;pengtao.156@jd.com&gt;
diff --git a/.github/workflows/build_x86_64_mlu.yaml b/.github/workflows/build_x86_64_mlu.yaml
@@ -18,16 +18,23 @@ on:
     branches: [main]
     types: [opened, synchronize, reopened]
     paths-ignore:
-      - '.github/**'
-      - 'cibuild/**'
       - 'cmake/**'
       - 'docs/**'
       - 'third_party/**'
       - 'tools/**'
       - '*.md'
       - '*.txt'
       - '*.yml'
-
+  pull_request_review:
+    types: [submitted]
+    paths-ignore:
+      - 'cmake/**'
+      - 'docs/**'
+      - 'third_party/**'
+      - 'tools/**'
+      - '*.md'
+      - '*.txt'
+      - '*.yml'
 env:
   JOBNAME: xllm-x86_64-mlu-cibuild-${{ github.run_id }}
 
@@ -36,8 +43,73 @@ concurrency:
   cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
 
 jobs:
+  # need to review code first when sensitive files are modified.
+  check-sensitive:
+    runs-on: [self-hosted]
+    outputs:
+      requires_approval: ${{ steps.check_sensitive.outputs.requires_approval }}
+      do_build: ${{ steps.decide.outputs.do_build }}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Ensure we can compare commits
+
+      - name: Install jq
+        run: yum install -y jq
+
+      - name: Check if sensitive files were changed
+        id: check_sensitive
+        run: |
+          sensitive_files=(
+            ".github/**.yaml"
+            "cibuild/**.sh"
+            "setup.py"
+          )
+          changed_files=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }})
+          requires_approval="false"
+          while IFS= read -r changed_file; do
+            [[ -z "$changed_file" ]] && continue
+            for pattern in "${sensitive_files[@]}"; do
+              if [[ "$changed_file" == $pattern ]]; then
+                requires_approval="true"
+                break 2
+              fi
+          done
+          done < <(git diff --name-only "${{ github.event.pull_request.base.sha }}" "${{ github.sha }}")
+          echo "requires_approval=$requires_approval" >> $GITHUB_OUTPUT
+
+      - name: Decide whether to check build
+        id: decide
+        run: |
+          event="${{ github.event_name }}"
+          if [[ "$event" == "workflow_dispatch" || "$event" == "push" ]]; then
+            echo "do_build=true" >> $GITHUB_OUTPUT
+          elif [[ "$event" == "pull_request" ]]; then
+            if  [ "${{ steps.check_sensitive.outputs.requires_approval }}" == "true" ]; then
+              echo "do_build=false" >> $GITHUB_OUTPUT
+            else
+              echo "do_build=true" >> $GITHUB_OUTPUT
+            fi
+          elif [[ "$event" == "pull_request_review" ]]; then
+            if  [ "${{ steps.check_sensitive.outputs.requires_approval }}" == "true" ]; then
+              if [[ "${{ github.event.review.state }}" == "approved" ]]; then
+                echo "do_build=true" >> $GITHUB_OUTPUT
+              else
+                echo "do_build=false" >> $GITHUB_OUTPUT
+              fi
+            else
+              echo "do_build=false" >> $GITHUB_OUTPUT
+            fi
+          else
+            echo "do_build=false" >> $GITHUB_OUTPUT
+          fi
+
   build:
-    if: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'push' || github.event_name == 'pull_request' }}
+    needs: check-sensitive
+    if: >
+      (github.event_name == 'workflow_dispatch' || github.event_name == 'push') ||
+      needs.check-sensitive.outputs.do_build == 'true'
     runs-on: [self-hosted]
     steps:
     - name: Checkout Code
diff --git a/.github/workflows/build_x86_64_npu.yaml b/.github/workflows/build_x86_64_npu.yaml
@@ -18,8 +18,16 @@ on:
     branches: [main]
     types: [opened, synchronize, reopened]
     paths-ignore:
-      - '.github/**'
-      - 'cibuild/**'
+      - 'cmake/**'
+      - 'docs/**'
+      - 'third_party/**'
+      - 'tools/**'
+      - '*.md'
+      - '*.txt'
+      - '*.yml'
+  pull_request_review:
+    types: [submitted]
+    paths-ignore:
       - 'cmake/**'
       - 'docs/**'
       - 'third_party/**'
@@ -36,8 +44,73 @@ concurrency:
   cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
 
 jobs:
+  # need to review code first when sensitive files are modified.
+  check-sensitive:
+    runs-on: [self-hosted]
+    outputs:
+      requires_approval: ${{ steps.check_sensitive.outputs.requires_approval }}
+      do_build: ${{ steps.decide.outputs.do_build }}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Ensure we can compare commits
+
+      - name: Install jq
+        run: yum install -y jq
+
+      - name: Check if sensitive files were changed
+        id: check_sensitive
+        run: |
+          sensitive_files=(
+            ".github/**.yaml"
+            "cibuild/**.sh"
+            "setup.py"
+          )
+          changed_files=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }})
+          requires_approval="false"
+          while IFS= read -r changed_file; do
+            [[ -z "$changed_file" ]] && continue
+            for pattern in "${sensitive_files[@]}"; do
+              if [[ "$changed_file" == $pattern ]]; then
+                requires_approval="true"
+                break 2
+              fi
+          done
+          done < <(git diff --name-only "${{ github.event.pull_request.base.sha }}" "${{ github.sha }}")
+          echo "requires_approval=$requires_approval" >> $GITHUB_OUTPUT
+
+      - name: Decide whether to check build
+        id: decide
+        run: |
+          event="${{ github.event_name }}"
+          if [[ "$event" == "workflow_dispatch" || "$event" == "push" ]]; then
+            echo "do_build=true" >> $GITHUB_OUTPUT
+          elif [[ "$event" == "pull_request" ]]; then
+            if  [ "${{ steps.check_sensitive.outputs.requires_approval }}" == "true" ]; then
+              echo "do_build=false" >> $GITHUB_OUTPUT
+            else
+              echo "do_build=true" >> $GITHUB_OUTPUT
+            fi
+          elif [[ "$event" == "pull_request_review" ]]; then
+            if  [ "${{ steps.check_sensitive.outputs.requires_approval }}" == "true" ]; then
+              if [[ "${{ github.event.review.state }}" == "approved" ]]; then
+                echo "do_build=true" >> $GITHUB_OUTPUT
+              else
+                echo "do_build=false" >> $GITHUB_OUTPUT
+              fi
+            else
+              echo "do_build=false" >> $GITHUB_OUTPUT
+            fi
+          else
+            echo "do_build=false" >> $GITHUB_OUTPUT
+          fi
+
   build:
-    if: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'push' || github.event_name == 'pull_request' }}
+    needs: check-sensitive
+    if: >
+      (github.event_name == 'workflow_dispatch' || github.event_name == 'push') ||
+      needs.check-sensitive.outputs.do_build == 'true'
     runs-on: [self-hosted]
     steps:
     - name: Checkout Code
