fix(ci): Replace tj-actions/changed-files with dorny/paths-filter in seed-dockers workflow

[devin-ai-integration]

Description

Fixes the seed-dockers.yml workflow which was failing with:

Error from function 'fromJSON': Unexpected symbol: 'docker'. Located at line 1 position 1 within JSON.

The workflow attempted to use fromJSON() on space-delimited file paths from check-for-changed-files. This PR implements boolean-based gating following the pattern from seed.yml, and adds manual workflow_dispatch inputs to select which containers to rebuild.

Link to Devin run: https://app.devin.ai/sessions/97f8791d44cc4778a0f3b4acc0a9f1dd
Requested by: Niels Swimberghe (@Swimburger)

Changes Made

Core Architecture Change:

• Split single build-container job into four separate jobs (build-ts, build-java, build-python, build-csharp)
• Each job has job-level if: needs.changes.outputs.<pkg> == 'true' condition
• Each job still uses matrix for runner × arch dimensions
• Required because GitHub Actions doesn't allow matrix.* references in job-level if conditions

Change Detection (lines 42-117):

• Replaced single check-for-changed-files call with separate calls per package + workflow file
• Changed outputs from file paths to boolean flags (ts, java, python, csharp)
• Added "Set outputs" step that branches on github.event_name:
  • workflow_dispatch: Uses manual inputs to set booleans
  • push: Uses path-based change detection with any_changed outputs
  • If workflow file changed: Sets all packages to true (rebuilds everything)

Manual Trigger Support (lines 10-31):

• Added workflow_dispatch inputs: all, ts, java, python, csharp (all boolean)
• Allows manual selection of which seed containers to rebuild
• all input rebuilds everything for convenience

Manifest Merging (lines 325-371):

• Updated merge-manifests to depend on all four build jobs
• Added step to build space-delimited package list from boolean outputs
• Removed jq JSON parsing, uses simple bash iteration

Testing

⚠️ Cannot be fully tested in PR - This workflow only runs on:

• Push to main branch with changes to docker/seed/* or the workflow file
• Manual workflow_dispatch

The implementation follows the exact pattern from seed.yml (lines 291-984) which uses separate jobs per language with boolean-based gating.

Review Checklist

Critical items to verify:

• Job-level if conditions (lines 129, 179, 228, 277): Each build job correctly checks needs.changes.outputs.<pkg> == 'true'. Note the string comparison with quotes.

• Job dependencies (line 327): merge-manifests depends on all four build jobs. Verify this works correctly when some jobs are skipped (GitHub Actions should handle this, but worth confirming).

• String comparison format: Confirm that check-for-changed-files outputs any_changed as the string "true" (not boolean true), so comparisons like == 'true' work correctly.

• Manual input handling (lines 87-101): Verify the logic for workflow_dispatch inputs:

  • If inputs.all == true: rebuilds all images
  • Otherwise: rebuilds only selected packages from individual inputs
  • If no packages selected: all jobs skip (is this acceptable?)

• Workflow rebuild behavior (lines 104-109): Changes to .github/workflows/seed-dockers.yml now trigger rebuilds of ALL images. Confirm this is desired behavior.

• Package names consistency: Verify package names (ts, java, python, csharp) match Dockerfile suffixes (e.g., Dockerfile.ts, Dockerfile.java).

• Matrix exclusions (lines 134-140, etc.): Confirm runner/arch exclusions still work correctly with the new job structure.

Risks:

• Cannot validate changes until merged to main or manually triggered
• Complex boolean gating logic across multiple jobs
• Behavioral change for workflow file modifications (now rebuilds all)
• Manual inputs are new functionality without test coverage
• Job dependency chain could fail if GitHub Actions doesn't handle skipped jobs correctly

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[Swimburger]

Let's keep using ./.github/actions/check-for-changed-files instead, and use the non-JSON output, update the logic not to use JSON

[devin-ai-integration]

Thanks for the feedback! I'll update the approach to keep using ./.github/actions/check-for-changed-files and handle the non-JSON output properly.

Here's the plan:

1. Restore the original composite action call
2. Add a shell script step to convert the space-delimited file paths to package names (ts, java, python, csharp)
3. Output both a JSON array (for the matrix) and a space-delimited list (for conditions and loops)
4. Update the conditional checks to use the space-delimited list instead of JSON parsing
5. Update the merge-manifests loop to use the space-delimited list

This way we avoid JSON parsing of the changed-files output entirely, and only use JSON for the matrix definition (which GitHub Actions requires).

I'll also need to confirm: should changes to .github/workflows/seed-dockers.yml trigger rebuilds of all images? The current filter includes it, so I'll assume yes and map workflow changes to all four packages.

Working on this now!

[Swimburger]

How are other workflows doing filtering based on paths and triggering specific jobs only if files changed? Mimic their logic

[devin-ai-integration]

Good point! I'll switch to the same pattern used in seed.yml and other workflows:

1. Call ./.github/actions/check-for-changed-files multiple times (once per package)
2. Use boolean outputs (any_changed) instead of parsing file paths
3. Use a static matrix with boolean gating (like seed.yml does)
4. Avoid custom JSON/shell parsing entirely

This will match the existing patterns in the repository. Working on this now!

[Swimburger]

Make sure you only build the images that have changed

[devin-ai-integration]

The implementation does build only changed images! The boolean gating logic works like this:

build-container job (line 91):

• Uses a static matrix [ts, java, python, csharp] × [ubuntu-latest, ubuntu-24.04-arm] × [amd64, arm64]
• The job-level if condition is evaluated per matrix combination
• For example, if only Dockerfile.ts changed:
  • ts + ubuntu-latest + amd64: (true && true) || (false && false) || ... = true → runs
  • java + ubuntu-latest + amd64: (false && true) || (true && false) || ... = false → skipped
  • Same for python and csharp → skipped

merge-manifests job (lines 158-175):

• Builds a space-delimited list from only the packages whose booleans are true
• Only creates manifests for images that were actually built

This matches the pattern from seed.yml where jobs are gated by boolean outputs. The matrix still enumerates all combinations, but non-matching ones are skipped (they don't consume runners).

One question: Should workflow_dispatch (manual runs) rebuild all images or only changed ones? Currently, manual runs only build changed images. If you want manual runs to rebuild everything, I can add that logic.

[Swimburger]

For manual, let us choose which seed containers to rebuild from input

[devin-ai-integration]

Good idea! I'll add workflow_dispatch inputs to allow selecting which seed containers to rebuild:

• Boolean input for each package: ts, java, python, csharp
• An all toggle for convenience to rebuild everything
• The "Set outputs" step will use these inputs when manually triggered

This way you can manually trigger the workflow and choose exactly which containers to rebuild. Working on this now!