Clean up CI bypassers exposed by PR #1318 merge

- Backend CI `changes` job: scope to pull_request events. dorny/paths-filter@v3
  shells out to `git branch --show-current` on push events and fails without a
  checkout, so every push to main produced a red-X `changes` job silently
  masked by `continue-on-error: true` plus the fail-open `|| push` gate on
  downstream jobs. Downstream `if:` conditions rewritten with `always()` so
  the intentional skip on push no longer cascades.
- Frontend CI: drop the leftover tippy-debug step in the lint job.
- codecov-notify: sort `matching` by created_at desc before taking [0] instead
  of relying on undocumented API ordering.

Closes #1319 follow-ups 1 and 2.

Author: JSv4

.github/workflows/backend.yml

@@ -25,6 +25,13 @@ concurrency:
 
 jobs:
   changes:
+    # Path filtering only gates pull_request events; pushes to protected
+    # branches always run downstream regardless of which files changed.
+    # dorny/paths-filter@v3 additionally needs a checked-out repo on push
+    # events (it shells out to `git branch --show-current`), so scoping
+    # this job to pull_request avoids the "fatal: not a git repository"
+    # red X that would otherwise appear on every push to main.
+    if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     # Fail open: if this job errors (e.g., transient GitHub API failure),
     # downstream jobs should still run rather than being silently skipped.
@@ -35,7 +42,8 @@ jobs:
     outputs:
       backend: ${{ steps.filter.outputs.backend }}
     steps:
-      # No checkout needed: dorny/paths-filter@v3 fetches diffs via the GitHub API.
+      # No checkout needed: dorny/paths-filter@v3 reads diffs from the
+      # pull_request event payload.
       - uses: dorny/paths-filter@v3
         id: filter
         with:
@@ -55,12 +63,13 @@ jobs:
 
   linter:
     needs: changes
-    # Skipping via path filter only applies to PRs with no backend changes.
-    # Push events to protected branches always run unconditionally.
-    # Using `!= 'false'` rather than `== 'true'` so a transient `changes` failure
-    # (outputs.backend is '' when the job errors under continue-on-error) still
-    # runs downstream jobs — the actual "fail open" behavior.
-    if: needs.changes.outputs.backend != 'false' || github.event_name == 'push'
+    # Run on every push, and on PRs unless the filter explicitly reports
+    # no backend changes ('false'). `always()` is required because the
+    # `changes` job is skipped on push events (see its `if:` above), and
+    # a skipped `needs` target would otherwise cascade-skip this job.
+    # The `!= 'false'` form also preserves the fail-open behaviour on
+    # PRs where `changes` errors transiently (outputs.backend is '').
+    if: always() && (github.event_name == 'push' || needs.changes.outputs.backend != 'false')
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -86,7 +95,7 @@ jobs:
   pytest:
     needs: [changes, linter]
     # Same fail-open semantics as the linter gate above.
-    if: needs.changes.outputs.backend != 'false' || github.event_name == 'push'
+    if: always() && needs.linter.result == 'success' && (github.event_name == 'push' || needs.changes.outputs.backend != 'false')
     runs-on: yuge
     timeout-minutes: 180
     permissions:

.github/workflows/codecov-notify.yml

@@ -45,9 +45,10 @@ jobs:
               "Frontend E2E Integration",
             ];
 
-            // Fetch every workflow run attached to this SHA. The API returns
-            // the most recent attempt per workflow first, which is the one we
-            // care about after re-runs.
+            // Fetch every workflow run attached to this SHA. Sort explicitly
+            // by created_at desc so we always pick the most recent attempt
+            // per workflow (after re-runs) rather than relying on undocumented
+            // API ordering.
             const runs = await github.paginate(
               github.rest.actions.listWorkflowRunsForRepo,
               {
@@ -61,7 +62,13 @@ jobs:
             let allDone = true;
             const runIds = {};
             for (const name of expected) {
-              const matching = runs.filter((r) => r.name === name);
+              const matching = runs
+                .filter((r) => r.name === name)
+                .sort(
+                  (a, b) =>
+                    new Date(b.created_at).getTime() -
+                    new Date(a.created_at).getTime()
+                );
               if (matching.length === 0) {
                 core.info(`${name}: no run for this SHA (path-filtered) — OK`);
                 continue;

.github/workflows/frontend.yml

@@ -35,15 +35,6 @@ jobs:
       - name: Clear Yarn Cache
         run: yarn cache clean
 
-      - name: Debug - Check for tippy references
-        run: |
-          echo "=== Checking package.json for tippy ==="
-          grep -i tippy package.json || echo "No tippy in package.json"
-          echo "=== Checking yarn.lock for tippy ==="
-          grep -i tippy yarn.lock || echo "No tippy in yarn.lock"
-          echo "=== yarn.lock hash ==="
-          shasum yarn.lock
-
       - name: Install Dependencies
         run: yarn install --frozen-lockfile # Use frozen lockfile for CI
 

CHANGELOG.md

@@ -9,6 +9,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- **Backend CI `changes` job failed on every push to main** (`.github/workflows/backend.yml`): `dorny/paths-filter@v3` was declared without a prior `actions/checkout`, on the stated premise that the action "fetches diffs via the GitHub API". That is only true for `pull_request` events; on `push` events the action shells out to `git branch --show-current`, which fails with `fatal: not a git repository` when the workspace is empty. Every push to a protected branch therefore produced a red X on the `changes` job, silently masked by `continue-on-error: true` plus a `|| github.event_name == 'push'` fail-open gate on downstream jobs. Scoped the `changes` job to `pull_request` events (`if: github.event_name == 'pull_request'`) — where paths-filter actually works — and rewrote the downstream gates on `linter` / `pytest` as `if: always() && (github.event_name == 'push' || needs.changes.outputs.backend != 'false')` so the skip cascade from a `needs`-target that is now intentionally skipped on push does not block the real test jobs. Behaviour preserved: push always runs `linter` + `pytest`; PRs with no backend changes still skip both; PRs where the filter errors transiently (outputs.backend == '') still fail open.
+- **Frontend CI tippy-debug step removed** (`.github/workflows/frontend.yml`): Dropped the `Debug - Check for tippy references` step in the `lint` job — a leftover investigation artifact that ran on every PR/push and produced noise with no diagnostic value today. Flagged in Issue #1319.
+- **Codecov-notify `matching[0]` relied on undocumented API ordering** (`.github/workflows/codecov-notify.yml`): The cross-workflow coordinator picked the "most recent" workflow run per expected name by indexing `matching[0]` on the filter result, leaning on the GitHub Actions REST API returning results newest-first. That ordering is not guaranteed. Added an explicit `created_at` descending sort before taking `matching[0]`, so re-run detection is correct regardless of API-side quirks. Flagged in Issue #1319.
+
 - **Frontend coverage badge reported ~31% despite months of added tests** (`README.md:12`, `.github/workflows/codecov-notify.yml`, `.codecov.yml`, `frontend/vite.config.ts:210-223`): The README's "Frontend coverage" badge was pointing at `flag=frontend-unit` — the Vitest slice only. The three frontend suites (Vitest unit, Playwright component via `vite-plugin-istanbul`, Playwright E2E via `vite-plugin-istanbul`) upload to separate Codecov flags (`frontend-unit`, `frontend-component`, `frontend-e2e`) and were never merged into a single lcov. Recent PRs almost exclusively added Playwright component and E2E tests, so their coverage landed in `frontend-component`/`frontend-e2e` while the badge stayed stuck reading the Vitest slice.
   - Added an `Upload {unit,CT,E2E} lcov artifact` step (using `actions/upload-artifact@v7`) to each producing job in `.github/workflows/frontend.yml` (`component-test` and `unit-test`) and `.github/workflows/frontend-e2e.yml` (`e2e`). The existing per-flag Codecov uploads are untouched, so per-suite drill-in still works.
   - Extended the existing cross-workflow coordinator at `.github/workflows/codecov-notify.yml` to download the three artifacts by run id (via `actions/download-artifact@v7` with `continue-on-error: true` to tolerate path-filtered skips and upload failures), merge them with `npx lcov-result-merger@5`, and upload the combined lcov to Codecov under a new `frontend` flag before calling `send-notifications`. The existing `listWorkflowRunsForRepo` check already discovers the producing runs by SHA — it now also emits `frontend_ci_run_id` and `frontend_e2e_run_id` outputs for the downloads to consume.