From 1b9ed0cd223cd4ec25125e59e68c4c9ed48e7fad Mon Sep 17 00:00:00 2001
From: centra
Date: Wed, 24 Dec 2025 18:22:22 +0900
Subject: [PATCH] ci: optimize workflow with paths-filter and workspace-aware gates
---
.github/workflows/nix.yml | 140 ++++++++++++++++++++++++--------------
nix/ci/flake.nix | 3 +
2 files changed, 91 insertions(+), 52 deletions(-)
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
index c2c107e..65240be 100644
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -2,69 +2,105 @@ name: Nix CI on: push: + branches: [ master ] pull_request: + branches: [ master ] jobs: - flake-check: + # Detect which workspaces have changed to save CI minutes + filter: runs-on: ubuntu-latest + outputs: + workspaces: ${{ steps.filter.outputs.changes }} + any_changed: ${{ steps.filter.outputs.workspaces_any_changed }} + global_changed: ${{ steps.filter.outputs.global }} steps: - uses: actions/checkout@v4 - - uses: DeterminateSystems/nix-installer-action@v11 - - uses: DeterminateSystems/magic-nix-cache-action@v8 - - name: Nix flake check - run: nix flake check --accept-flake-config - - build-servers: - runs-on: ubuntu-latest - needs: flake-check - steps: - - uses: actions/checkout@v4 - - uses: DeterminateSystems/nix-installer-action@v11 - - uses: DeterminateSystems/magic-nix-cache-action@v8 - - name: Build server packages - run: | - nix build --accept-flake-config .#chainfire-server .#flaredb-server .#iam-server .#plasmavmc-server .#prismnet-server .#flashdns-server .#fiberlb-server .#lightningstor-server .#creditservice-server - - integration-matrix: - runs-on: ubuntu-latest - needs: build-servers - env: - PLASMA_E2E: "1" - # SKIP_PLASMA defaults to 0; set repo/runner var to 1 only when qemu-img/KVM is unavailable. 
- SKIP_PLASMA: ${{ vars.SKIP_PLASMA || '0' }} - LOG_DIR: .cccc/work/integration-matrix/${{ github.run_id }} - steps: - - uses: actions/checkout@v4 - - uses: DeterminateSystems/nix-installer-action@v11 - - uses: DeterminateSystems/magic-nix-cache-action@v8 - - name: Run integration matrix (Noop hypervisor gate) - run: | - nix develop -c ./scripts/integration-matrix.sh - - name: Upload integration-matrix logs - if: always() - uses: actions/upload-artifact@v4 + - uses: dorny/paths-filter@v3 + id: filter with: - name: integration-matrix-logs - path: .cccc/work/integration-matrix/ + filters: | + global: + - 'flake.nix' + - 'flake.lock' + - 'nix/**' + - '.github/workflows/nix.yml' + - 'Cargo.toml' + - 'Cargo.lock' + chainfire: 'chainfire/**' + flaredb: 'flaredb/**' + iam: 'iam/**' + plasmavmc: 'plasmavmc/**' + prismnet: 'prismnet/**' + flashdns: 'flashdns/**' + fiberlb: 'fiberlb/**' + lightningstor: 'lightningstor/**' + nightlight: 'nightlight/**' + creditservice: 'creditservice/**' + k8shost: 'k8shost/**' + apigateway: 'apigateway/**' + deployer: 'deployer/**' - integration-matrix-kvm: - if: ${{ vars.NESTED_KVM == '1' }} + # Run CI gates for changed workspaces + # Uses the provider-agnostic 'photoncloud-gate' defined in nix/ci/flake.nix + gate: + needs: filter + if: ${{ needs.filter.outputs.any_changed == 'true' || needs.filter.outputs.global_changed == 'true' }} runs-on: ubuntu-latest - needs: integration-matrix - env: - PLASMA_E2E: "1" - SKIP_PLASMA: "0" - LOG_DIR: .cccc/work/integration-matrix-kvm/${{ github.run_id }} + strategy: + fail-fast: false + matrix: + # If global files changed, run all. Otherwise run only changed ones. 
+ workspace: ${{ fromJSON(needs.filter.outputs.global_changed == 'true' && '["chainfire", "flaredb", "iam", "plasmavmc", "prismnet", "flashdns", "fiberlb", "lightningstor", "nightlight", "creditservice", "k8shost", "apigateway", "deployer"]' || needs.filter.outputs.workspaces) }} + name: gate (${{ matrix.workspace }}) steps: - uses: actions/checkout@v4 - uses: DeterminateSystems/nix-installer-action@v11 - uses: DeterminateSystems/magic-nix-cache-action@v8 - - name: Run integration matrix (KVM lane) + + - name: Run PhotonCloud Gate run: | - nix develop -c ./scripts/integration-matrix.sh - - name: Upload integration-matrix-kvm logs - if: always() - uses: actions/upload-artifact@v4 - with: - name: integration-matrix-kvm-logs - path: .cccc/work/integration-matrix-kvm/ + nix run .#gate-ci -- --workspace ${{ matrix.workspace }} --tier 0 --no-logs + + # Build server packages (tier 1+) + build: + needs: [filter, gate] + if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} + runs-on: ubuntu-latest + strategy: + matrix: + workspace: ${{ fromJSON(needs.filter.outputs.global_changed == 'true' && '["chainfire", "flaredb", "iam", "plasmavmc", "prismnet", "flashdns", "fiberlb", "lightningstor", "nightlight", "creditservice", "k8shost", "apigateway", "deployer"]' || needs.filter.outputs.workspaces) }} + name: build (${{ matrix.workspace }}) + steps: + - uses: actions/checkout@v4 + - uses: DeterminateSystems/nix-installer-action@v11 + - uses: DeterminateSystems/magic-nix-cache-action@v8 + + - name: Build server + run: | + # Only build if the workspace has a corresponding package in flake.nix + # We check if it exists before building to avoid failure on non-package workspaces + if nix flake show --json | jq -e ".packages.\"x86_64-linux\".\"${{ matrix.workspace }}-server\"" > /dev/null; then + nix build .#${{ matrix.workspace }}-server --accept-flake-config + else + echo "No server package found for ${{ matrix.workspace }}, skipping build." 
+ fi + + # Summary job for PR status checks + ci-status: + needs: [filter, gate] + if: always() + runs-on: ubuntu-latest + steps: + - name: Check CI Status + run: | + if [[ "${{ needs.gate.result }}" == "failure" ]]; then + exit 1 + fi + if [[ "${{ needs.filter.outputs.any_changed }}" == "true" || "${{ needs.filter.outputs.global_changed }}" == "true" ]]; then + if [[ "${{ needs.gate.result }}" == "skipped" ]]; then + echo "Gate was skipped despite changes. This is unexpected." + exit 1 + fi + fi + echo "CI passed or was correctly skipped." diff --git a/nix/ci/flake.nix b/nix/ci/flake.nix index 72c0280..5d8ff26 100644 --- a/nix/ci/flake.nix +++ b/nix/ci/flake.nix @@ -220,6 +220,9 @@ drv = gate; }; + # CI-optimized gate (alias) + packages.gate-ci = gate; + # Checks are minimal and mirror tier0 (provider-agnostic). checks.gate-tier0 = pkgs.runCommand "photoncloud-gate-tier0" { } '' mkdir -p $out
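Review bot: The `any_changed` output of the `filter` job reads `steps.filter.outputs.workspaces_any_changed`, which as far as I know dorny/paths-filter does not emit (it sets one output per filter name plus `changes`), so the value is probably always empty. In that case the `gate` job's `if` is true only when `global` matched, and `ci-status` falls through to "CI passed or was correctly skipped", so a pull request that touches only a workspace directory would go green without any gate having run. Deriving the flag from the output that does exist would close that gap, e.g. `any_changed: ${{ steps.filter.outputs.changes != '[]' }}`, and `ci-status` should fail on any gate result other than `success` or an expected `skipped`, since a `cancelled` gate currently passes too. Separately, the newly added `dorny/paths-filter@v3` is referenced by a movable tag and `${{ matrix.workspace }}` is expanded directly inside the `run:` scripts of `gate` and `build`; pinning the action to a full commit SHA and passing the workspace through `env:` would harden both.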
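Review bot: `packages.gate-ci` is added to the flake under `nix/ci/`, but the workflow in this same patch runs `nix run .#gate-ci` from the repository root, which resolves against the root `flake.nix`. The root flake is not part of this patch, so unless it re-exports `gate-ci` the gate step would fail to evaluate; if there is no re-export, the workflow should point at the sub-flake, `nix run ./nix/ci#gate-ci -- …`. Because `gate-ci` is a plain alias of `gate`, a comment naming its consumer, e.g. `# stable name used by .github/workflows/nix.yml`, would keep it from being dropped later as a duplicate. The attribute set this line belongs to starts and ends outside the hunk.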