🤖 ci: document fetch-depth for paths-filter changes

[ThomasK33]

Summary

Documented why the changes job uses full history checkout in CI.

Background

dorny/paths-filter compares github.event.before to the current ref on push events. A shallow checkout can miss the before commit and force an extra fetch that may fail when credentials are not persisted.

Implementation

• Added an inline comment next to fetch-depth: 0 in .github/workflows/ci.yaml to explain the behavior and rationale.

Validation

• go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.10

---

📋 Implementation Plan

Plan: Fix “Detect changed paths” failing on main

Context / Why

The GitHub Actions job “Detect changed paths” (uses dorny/paths-filter) is failing on pushes to main with:

• “Changes will be detected between <before_sha> and main”
• “Ensuring <before_sha> is fetched from origin”
• git exits with code 128

On push events, paths-filter diffs github.event.before → github.ref/main. With a shallow checkout, the before commit is often missing locally, so the action tries to fetch it. Because the workflow uses actions/checkout with persist-credentials: false, that follow-up fetch can fail (common in private repos / restricted environments), producing the observed error.

Evidence (what we verified)

• User-provided CI log excerpt shows paths-filter attempting to fetch the before SHA and failing with git exit code 128.
• .github/workflows/ci.yaml:
  • changes job checks out code with persist-credentials: false and no fetch-depth, so fetch-depth defaults to 1 (shallow). (Lines 15–30)
  • changes job runs dorny/paths-filter for non-merge_group events. (Lines 41–64)

Implementation details (edits to make)

1) Fetch enough history in the changes job

Edit .github/workflows/ci.yaml in the jobs.changes.steps checkout step to fetch full history (recommended) so paths-filter never needs to perform an extra git fetch.

Change:

jobs:
  changes:
    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          fetch-depth: 0          # ensure github.event.before commit exists locally
          persist-credentials: false

Notes:

• fetch-depth: 0 is the most robust fix (handles multi-commit pushes, merge commits, and non-linear history).
• A smaller fetch-depth: 2 might work for typical “single new commit” pushes, but is brittle; prefer 0 unless checkout performance is a proven issue.

Validation / Rollout

1. Run workflow lint locally:
   • go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.10
2. Push the workflow change and confirm the next push-to-main CI run completes the Detect changed paths job.
3. If failures persist, capture the full git stderr from the action logs; the next fallback is to keep shallow checkout but allow authenticated fetch (remove persist-credentials: false for just the changes job or explicitly pass auth), but this should not be necessary with fetch-depth: 0.

---

Generated with mux • Model: openai:gpt-5.3-codex • Thinking: xhigh • Cost: $0.20

[ThomasK33]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Already looking forward to the next diff.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[ThomasK33]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. 👍

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".