From 02c92ff179ea37ca478a67fa3a753cb0a1965b90 Mon Sep 17 00:00:00 2001
From: Josh Thomas <josh@joshthomas.dev>
Date: Tue, 7 Oct 2025 21:24:36 -0500
Subject: [PATCH] optimize CI triggers for build/test/release workflows (#315)

---
 .github/workflows/build.yml   | 11 ++---------
 .github/workflows/release.yml | 10 ++--------
 .github/workflows/test.yml    | 10 +++++++++-
 .github/zizmor.yml            | 22 +++++++++++-----------
 4 files changed, 24 insertions(+), 29 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e1a7eb2..05ae25b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,17 +1,10 @@
 name: build
 
 on:
-  pull_request:
-    branches:
-      - main
-    paths:
-      - .github/workflows/build.yml
-      - crates/**
-      - Cargo.lock
-      - Cargo.toml
   push:
     branches:
       - main
+      - release/*
     paths:
       - .github/workflows/build.yml
       - crates/**
@@ -31,7 +24,7 @@ on:
         type: string
 
 concurrency:
-  group: build-${{ github.head_ref }}
+  group: build-${{ github.ref }}
   cancel-in-progress: true
 
 permissions:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6170940..3ddd347 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
 
 concurrency:
-  group: release-${{ github.head_ref }}
+  group: release-${{ github.ref }}
   cancel-in-progress: true
 
 permissions:
@@ -22,16 +22,10 @@ jobs:
     with:
       version: ${{ startsWith(github.ref, 'refs/tags/') && github.ref_name || '' }}
 
-  test:
-    uses: ./.github/workflows/test.yml
-    if: ${{ startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' }}
-    with:
-      os: "macos-latest,ubuntu-latest,windows-latest"
-
   release:
     runs-on: ubuntu-latest
     if: ${{ startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' }}
-    needs: [build, test]
+    needs: [build]
     environment: release
     permissions:
       attestations: write
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 447829f..f85e167 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -39,7 +39,7 @@ on:
         type: string
 
 concurrency:
-  group: test-${{ github.head_ref }}
+  group: test-${{ github.ref }}
   cancel-in-progress: true
 
 env:
@@ -67,6 +67,14 @@ jobs:
           activate-environment: true
           enable-cache: true
 
+      - name: Determine OS targets
+        env:
+          HEAD_REF: ${{ github.head_ref }}
+        run: |
+          if [[ "$HEAD_REF" == release/* ]]; then
+            echo "OS=macos-latest,ubuntu-latest,windows-latest" >> $GITHUB_ENV
+          fi
+
       - id: set-matrix
         env:
           OS: ${{ inputs.os }}
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index e0c0949..def7ab0 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -4,15 +4,15 @@ rules:
       # test workflow does not produce artifacts to poison
       - test.yml
       # all caching is disabled when a tag is pushed
-      - build.yml:96:9
+      - build.yml:87:9
+      - build.yml:97:9
       - build.yml:106:9
-      - build.yml:115:9
-      - build.yml:122:9
-      - build.yml:236:9
-      - build.yml:268:9
-      - build.yml:299:9
-      - build.yml:309:9
-      - build.yml:321:9
-      - build.yml:352:9
-      - build.yml:362:9
-      - build.yml:374:9
+      - build.yml:113:9
+      - build.yml:227:9
+      - build.yml:259:9
+      - build.yml:290:9
+      - build.yml:300:9
+      - build.yml:312:9
+      - build.yml:343:9
+      - build.yml:353:9
+      - build.yml:365:9