Skip to main content
HashnodeMergeGuard BlogMergeGuard Blog

Command Palette

Search for a command to run...

Path-aware Required Checks on GitHub: Simpler Workflows, Fewer Wasted CI Runs

Updated
8 min read
M
Marcus Vinicius Tavares
Sharing thoughts about IA, Developer Experience and Software Design

Path-aware Required Checks on GitHub: Simpler Workflows, Fewer Wasted CI Runs

GitHub required checks are static. Your pull requests are not.

A pull request changes only docs/, frontend copy, or one isolated service, and the repository still runs backend builds, integration suites, deployment validation, security scans, and other workflows that have nothing to do with the change.

Why?

Usually not because those workflows are operationally necessary.

Usually because branch protection expects a fixed set of checks, regardless of what the pull request actually changed.

That creates a familiar kind of waste:

  • unnecessary CI spend
  • slower feedback loops
  • noisy pull requests
  • awkward branch protection rules
  • workflow logic that is harder to explain than it should be

For many teams, the problem is not that GitHub Actions cannot be conditional.

The problem is that merge requirements are still mostly static.

The real mismatch: static branch protection vs. dynamic pull requests

GitHub branch protection works well when every pull request should satisfy the same checks.

But many repositories do not work that way.

The checks that should matter often depend on pull request context:

  • changed paths
  • ownership
  • risk level
  • labels or PR type
  • semver impact
  • whether one domain or several domains were touched

A docs-only change is not the same as an infra change. A frontend-only update is not the same as a pull request that modifies api/, db/, and auth/ together.

Yet GitHub required checks are usually configured as a fixed list.

That forces teams into a bad tradeoff:

  • strict but wasteful enforcement
  • or flexible but weaker guarantees

Neither option is especially satisfying.

What teams do today: overrun CI or build workarounds

Most teams compensate in one of three ways.

Pattern 1: require everything

The repository marks many workflows as required and lives with the consequences:

  • long CI times
  • unnecessary builds
  • more queueing in busy repos
  • extra red or yellow noise in PRs
  • more expensive low-risk changes

Protection stays strict, but often at a cost that feels increasingly irrational.

Pattern 2: require less than the team really wants

Teams avoid requiring some checks because those checks do not always run cleanly under path-based execution.

The result is usually some combination of:

  • weaker enforcement
  • reviewer judgment filling the gap
  • uncertainty about which checks were truly expected

Friction goes down, but merge safety becomes less explicit.

Pattern 3: simulate policy inside workflows

This is the most common workaround in teams already using path filtering or changed-files actions.

The workflow still starts on every pull request because branch protection requires it. Then the jobs inspect changed files, decide the change is irrelevant, and exit quickly.

It is a rational workaround, and it helps a little.

But it still means:

  • the workflow started anyway
  • policy logic now lives inside CI YAML
  • the required-check model is still awkward
  • the design gets harder to audit and maintain

These workarounds are not evidence of bad engineering. They are evidence that the native model is missing a policy layer.

Why path filtering alone does not solve required checks

This is the key distinction:

  1. Should this workflow run?
  2. Should this check be required for merge?

Path filtering answers the first question.

Branch protection still needs an answer to the second one.

So path filtering is useful, but incomplete.

If a workflow does not run because the pull request is irrelevant to that workflow, that can be exactly the right execution behavior. But GitHub may still expect the corresponding required check to appear.

That mismatch is the core problem.

Conditional execution is not the same as conditional merge requirements.

Here is a simple example of scoped workflow execution:

name: backend-tests

on:
  pull_request:
    paths:
      - "api/**"
      - "db/**"
      - "auth/**"

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pnpm test:backend

This is a good workflow design. A backend test workflow should not run for a docs-only PR.

But this snippet still does not tell branch protection whether backend-tests should be required before merge when only docs/ changed.

That decision belongs to policy, not to the workflow itself.

The better model: separate workflow execution from merge policy

The cleanest model is to let CI answer execution questions and let policy answer merge questions.

Let workflows report:

  • what ran
  • what passed
  • what failed

Let policy decide:

  • what needed to run for this PR
  • which approvals were required
  • what is actually required for merge

This changes the architecture in an important way.

You stop encoding merge semantics inside every workflow.

Instead, you let workflows stay narrow and focused on execution while a policy layer evaluates pull request context and determines what matters for this change.

That makes both systems simpler:

  • CI becomes easier to scope and maintain
  • branch protection becomes easier to reason about

A concrete example: docs-only PR vs. backend change

Consider two pull requests in the same repository.

The first changes only:

  • docs/
  • README.md

The second changes:

  • api/
  • db/
  • auth/

It is completely reasonable for the first pull request to require only lightweight checks such as docs linting or link validation.

It is also completely reasonable for the second pull request to require:

  • backend tests
  • integration checks
  • stricter approvals
  • possibly security or migration-related validation

Same repository. Same protected branch. Different pull request.

Different required checks should be normal.

But native branch protection struggles to express that cleanly.

Why one required MergeGuard status is simpler

This is where a policy layer becomes useful.

MergeGuard evaluates pull request context and determines:

  • which checks are required
  • which approvals are required
  • whether the pull request is merge-ready

GitHub branch protection then needs only one required MergeGuard status.

This is much simpler than forcing every possible workflow to appear on every pull request.

Instead of requiring dozens of individual checks, you require one deterministic decision about what this pull request actually needs.

That has a few practical benefits:

  • less branch protection churn
  • fewer stale required-check entries
  • cleaner relationship between workflows and policy
  • better explainability at the PR level

Use GitHub Actions for execution.

Use MergeGuard for decision logic.

That division of responsibility is easier to understand and easier to scale.

Cost reduction is real, but not the whole story

This pattern can reduce CI cost in a meaningful way:

  • fewer unnecessary workflow starts
  • fewer heavy test suites on low-risk changes
  • less queue pressure in busy repositories
  • less wasted compute on irrelevant work

But the bigger benefit is architectural.

You get:

  • faster feedback loops
  • cleaner workflow design
  • simpler branch protection
  • less policy logic buried in YAML
  • less reviewer confusion about why a pull request is blocked

This is not just CI optimization.

It is better merge policy architecture.

Why not just keep using path filters and changed-files?

Because those tools solve a narrower problem.

They help decide what should run.

They do not solve:

  • conditional required checks
  • conditional approvals
  • a unified merge decision
  • pull-request-level explainability about what is missing

That does not make them bad tools. It just means they are execution tools, not merge policy.

A practical implementation pattern

For teams trying to simplify this without weakening controls, the operating pattern is straightforward:

  • workflows stay scoped to the code they own
  • path filtering controls whether those workflows run
  • MergeGuard evaluates pull request context
  • MergeGuard decides which checks and approvals matter for merge
  • GitHub branch protection requires the MergeGuard status

The result is easier to understand than the usual alternative:

  • relevant CI still runs
  • irrelevant CI stays out of the way
  • branch protection remains strict
  • merge logic becomes understandable

Closing

The real problem is not that GitHub Actions cannot be conditional.

The problem is that branch protection does not naturally express conditional merge requirements.

So teams compensate by:

  • running too much CI
  • weakening protection
  • or encoding policy in fragile workflow hacks

There is a better model.

Execution stays in workflows.

Policy stays in a deterministic decision layer.

MergeGuard becomes the single required signal that tells GitHub whether this pull request has met the checks and approvals that actually matter.

If your team wants strict branch protection without paying for irrelevant CI on every PR, you need conditional merge policy, not just conditional workflows.

MergeGuard applies this model directly in GitHub pull request workflows. If that is the layer your team is missing, learn more at mergeguard.dev.

#github#platform-engineering#devops#ci-cd
3 views

Comments

Join the discussion

No comments yet. Be the first to comment.

More from this blog

M

MergeGuard Blog

3 posts