From 2557a192c2d7acb3f6f72e9f4a68ed6192538df9 Mon Sep 17 00:00:00 2001
From: Steve Degosserie <723552+stiiifff@users.noreply.github.com>
Date: Fri, 9 Jan 2026 16:29:59 +0100
Subject: [PATCH] ci: Disable redundant CI on main branch merges (#386)

## Summary

- Split CI workflow to stop re-running validation when PRs are merged to
main
- Create dedicated `release.yml` workflow for Docker Hub releases on
main branch
- Keep full CI validation for PRs and `perm-*` branches

## Motivation

Since the repository is configured to:
1. Require PRs to be up-to-date with main before merging
2. Require all CI checks to pass

Re-running the full CI suite (~12 jobs) on main after merge is redundant
and wastes CI runner time that could be used for other tasks.

## Changes

| Workflow | Before | After |
|----------|--------|-------|
| `CI.yml` | Triggers on push to `main`, `perm-*`, and PRs to `main` |
Triggers on push to `perm-*` and PRs to `main` only |
| `release.yml` | N/A (new) | Triggers on push to `main`, runs only
`docker-build-release` |

## Impact

| Event | Before | After | Savings |
|-------|--------|-------|---------|
| PR to main | 13 jobs | 12 jobs | 1 job |
| Merge to main | 13 jobs | 1 job | 12 jobs |
| Push to perm-* | 13 jobs | 12 jobs | 1 job |

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
---
 .github/workflows/CI.yml      | 11 +++--------
 .github/workflows/release.yml | 31 +++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 8 deletions(-)
 create mode 100644 .github/workflows/release.yml

diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 615b2af0..d8d2ba06 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -1,4 +1,7 @@
 #! Main CI Specification for DataHaven Repository
+#!
+#! This workflow runs validation checks on pull requests.
+#! For main branch releases, see release.yml
 
 name: CI
 
@@ -6,7 +9,6 @@ on:
   workflow_dispatch:
   push:
     branches:
-      - main
       - perm-*
   pull_request:
     branches: [main]
@@ -60,13 +62,6 @@ jobs:
     with:
       binary-hash: ${{ needs.build-operator.outputs.binary-hash }}
 
-  docker-build-release:
-    if: github.ref == 'refs/heads/main'
-    uses: ./.github/workflows/task-docker-release.yml
-    secrets:
-      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
-
   moonwall-tests:
     needs: [build-operator]
     uses: ./.github/workflows/task-moonwall-tests.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..854cdeed
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,31 @@
+#! Release workflow for DataHaven Repository
+#!
+#! This workflow runs when code is merged to main, publishing Docker images
+#! to Docker Hub. Validation checks are handled by CI.yml on pull requests.
+#!
+#! Since PRs require:
+#!   1. Branch to be up-to-date with main before merging
+#!   2. All CI checks to pass
+#! Re-running validation on main would be redundant.
+
+name: Release
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+concurrency:
+  group: release-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  docker-build-release:
+    uses: ./.github/workflows/task-docker-release.yml
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}