ci: implement phase 1 path-based workflow skipping

[geoHeil]

Summary

• add PR concurrency to the CI entry workflows
• add simple path-based change detection before calling the reusable CI and docs workflows
• gate the expensive checks jobs by changed paths while keeping pyproject.toml, uv.lock, and Dockerfile as CI-triggering paths

Part of #3327.

Testing

• Ruby YAML parse for .github/workflows/ci.yml, .github/workflows/ci-docs.yml, and .github/workflows/checks.yml
• git diff --check

Notes

• this intentionally uses simple path-based skipping only for phase 1
• no GitHub-hosted workflow run was executed locally

The action dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d is not allowed in docling-project/docling because all actions must be from a repository owned by docling-project, created by GitHub, or match one of the patterns: DavidAnson/markdownlint-cli2-action@v16, astral-sh/setup-uv@v5, astral-sh/setup-uv@v6, astral-sh/setup-uv@v7, codecov/codecov-action@*, codecov/codecov-action@v2, codecov/codecov-action@v5, demodrive-ai/llms-txt-action@ad720693843126e6a73910a667d0eba37c1dea4b, denoland/setup-deno@*, dependabot/*, docker/*, docker/setup-qemu-action@v3, dorny/test-reporter*, gradle/actions/*, gradle/actions/wrapper-validation@v5, jreleaser/release-action@*, madrapps/jacoco-report@v1.7.2, mikepenz/action-junit-report*, mikepenz/action-junit-report@v4, msys2/setup-msys2@v2, peter-evans/create-pull-request*, pypa/cibuildwheel@*, pypa/gh-action-pypi-publish@release/v1, redhat-actions/buildah-build@*, redhat-actions/push-to-registry@*, sigstore/gh-action-sigstore-python@v3.0.0...

we will have to modify the list of allowed CI actions

[github-actions]

✅ DCO Check Passed

Thanks @geoHeil, all your commits are properly signed off. 🎉

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

• title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert)(?:\(.+\))?(!)?:

[dolfim-ibm]

The new action is now whitelisted, this can be tried out with a new commit+push.

[dolfim-ibm]

better keep the python versions in a variable/input, otherwise we have too many places to maintain.

[geoHeil]

Addressed in f5d2b9d: the PR workflow now defines DEFAULT_PYTHON_VERSIONS and FULL_PYTHON_VERSIONS once and passes them through changes job outputs instead of repeating the JSON matrix in the reusable workflow call.

[dolfim-ibm]

just checking my understanding: the checkout action above is cloning the base branch (main) so it is always using the deps in main, right?

[geoHeil]

Yes, that is the intended behavior. Addressed in f5d2b9d by documenting it inline: pull_request_target checks out the trusted base commit for dependency installation, then fetches the PR head separately as FETCH_HEAD for diff/overlay checks only.

[dolfim-ibm]

should we temporary make it a PR CI action? otherwise we cannot test it before merge.

[geoHeil]

sounds like a good idea.

but somehow my permissions are not there to test drive the CI change on the branch

[geoHeil]

could you either grant me other/more permissions or allow the CI change see also in the top level description what is not allowed right now)

[geoHeil]

ah - just saw it seems t obe whitelisted now. let me try again

[dolfim-ibm]

As a wrote, it is done already

#3332 (review)

[dolfim-ibm]

We might not need any filter here, we are anyway including almost all...

[geoHeil]

Addressed in 4d767f8: removed the trigger-level paths: filter from pr-fast-checks.yml. The workflow now runs for all PR target events, while .github/scripts/run_pr_fast_checks.py still performs its own changed-file targeting and exits quickly when there are no Python/notebook targets.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[geoHeil]

Temporary normal pull_request validation for the heavy CI/docs workflows completed successfully on this PR. I removed those normal pull_request triggers again so same-repo PR branches do not produce duplicate push + pull_request CI runs. The dedicated trusted pull_request_target fast-check workflow remains enabled for PR validation.