fix(ci): gate e2e/release-smoke per-job so docs-only PRs are mergeable

The `kamaji-datastore`, `smoke (helm)` and `smoke (manifest)` contexts are
required by branch protection, but their workflows filtered themselves out at
the `on:` trigger via path filters. A workflow skipped at the trigger never
reports its check, so the required contexts stayed in "Expected" and blocked
any PR that touched none of the filtered paths (docs-only PRs in particular).
enforce_admins is on, so there was no admin bypass either.

Move the path filtering off the trigger and into a cheap `changes` job
(dorny/paths-filter, no checkout): the workflows now always start, and the
expensive jobs are skipped via a job-level `if:` when nothing relevant
changed. A job skipped via `if:` still reports its check as "skipped", which
branch protection treats as passing — so docs-only PRs are mergeable while the
~30-45 min e2e and the kind smokes still skip (zero compute) on them. The
smoke matrix is kept intact so the required context names are unchanged.

Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>

Author: lllamnyp

.github/workflows/e2e.yml

@@ -6,14 +6,13 @@ on:
   # a branch PRs never target (this said `master`, which does not exist) means
   # the workflow never runs at all.
   #
-  # paths-ignore: a kind+cert-manager+Kamaji provisioning run costs ~30-45
-  # minutes; skip it for PRs that touch nothing the suite exercises
-  # (docs-only changes). Everything else — Go code, manifests, the harness,
-  # the workflows themselves — still gates.
+  # No paths filter on the trigger either: `kamaji-datastore` is a *required*
+  # status check, and a workflow skipped at the trigger never reports its
+  # check, leaving the required context stuck in "Expected" — which blocks the
+  # PR forever (e.g. docs-only PRs). Path filtering instead lives in the
+  # `changes` job below; a job skipped via `if:` still reports its check as
+  # "skipped", which branch protection treats as passing.
   pull_request:
-    paths-ignore:
-      - '**.md'
-      - 'docs/**'
   push:
     tags: [ "v*" ]
   workflow_dispatch:
@@ -23,7 +22,34 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  changes:
+    # Cheap (~seconds, no checkout — dorny uses the PR API) gate that decides
+    # whether the expensive job below needs to run. PR-only: tag pushes and
+    # manual dispatch always run the suite unconditionally (see the `if` on
+    # kamaji-datastore).
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    outputs:
+      code: ${{ steps.filter.outputs.code }}
+    steps:
+      - uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          # `code` is true when the PR touches anything the e2e suite
+          # exercises. Only-negated patterns get an implicit `**`, so this
+          # reads as "all files except Markdown and docs/**" — i.e. docs-only
+          # PRs leave `code` false and the ~30-45 min run below is skipped.
+          filters: |
+            code:
+              - '!**/*.md'
+              - '!docs/**'
+
   kamaji-datastore:
+    needs: changes
+    # Always run for tag pushes / manual dispatch; for PRs, run only when
+    # non-docs files changed. When skipped on a docs-only PR the check still
+    # reports (as "skipped" = passing), so the PR is not blocked.
+    if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.code == 'true' }}
     runs-on: ubuntu-latest
     timeout-minutes: 45
     steps:

.github/workflows/release-smoke.yml

@@ -10,25 +10,52 @@ name: Release install smoke
 # introduces them, not on the first real tag. The image is loaded into kind,
 # never pushed — no registry credentials.
 on:
+  # No paths filter on the trigger: `smoke (helm)` and `smoke (manifest)` are
+  # *required* status checks, and a workflow skipped at the trigger never
+  # reports them, leaving the required contexts stuck in "Expected" and
+  # blocking the PR forever (e.g. docs-only PRs). Path filtering lives in the
+  # `changes` job below instead; the matrix job is skipped via `if:` when
+  # nothing release-relevant changed, and a skipped check counts as passing.
   pull_request:
-    paths:
-      - '.github/workflows/release-smoke.yml'
-      - '.github/workflows/docker-publish.yml'
-      - '.github/workflows/release-assets.yml'
-      - '.github/workflows/helm-publish.yml'
-      - 'hack/release-smoke.sh'
-      - 'charts/**'
-      - 'Makefile'
-      - 'Dockerfile'
-      - 'api/**'
   workflow_dispatch:
 
 concurrency:
   group: release-smoke-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
+  changes:
+    # Cheap (~seconds, no checkout) gate. PR-only: manual dispatch always runs
+    # the smoke matrix unconditionally (see the `if` on smoke).
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    outputs:
+      release: ${{ steps.filter.outputs.release }}
+    steps:
+      - uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          # True when the PR touches the tag-release machinery or anything it
+          # ships. Matches the paths this workflow used to filter on at the
+          # trigger; PRs that touch none of these skip the two kind smokes.
+          filters: |
+            release:
+              - '.github/workflows/release-smoke.yml'
+              - '.github/workflows/docker-publish.yml'
+              - '.github/workflows/release-assets.yml'
+              - '.github/workflows/helm-publish.yml'
+              - 'hack/release-smoke.sh'
+              - 'charts/**'
+              - 'Makefile'
+              - 'Dockerfile'
+              - 'api/**'
+
   smoke:
+    needs: changes
+    # Always run on manual dispatch; for PRs, run only when release-relevant
+    # files changed. When skipped, each matrix leg's required check still
+    # reports as "skipped" (= passing), so the PR is not blocked.
+    if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.release == 'true' }}
     runs-on: ubuntu-latest
     timeout-minutes: 30
     permissions: