Speed up and simplify PR pipelines

.github/workflows/build.yml

@@ -179,7 +179,15 @@ jobs:
       - name: Inspect SBOM and output manifest
         if: ${{ !inputs.dry_run }}
         run: |
+          # For single-platform builds, SBOM is not indexed by platform
+          # For multi-platform builds, we need to index by platform
+          if [[ "${{ inputs.platforms }}" == *","* ]] || [[ "${{ inputs.platforms }}" == *" "* ]]; then
+          # Multi-platform build - index by platform
           docker buildx imagetools inspect localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} --format '{{ json (index .SBOM "linux/amd64").SPDX }}' > sbom-${{ inputs.image }}.json
+          else
+          # Single-platform build - SBOM is at top level
+          docker buildx imagetools inspect localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} --format '{{ json .SBOM.SPDX }}' > sbom-${{ inputs.image }}.json
+          fi
           docker buildx imagetools inspect localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} --raw
 
       - name: Scan SBOM

.github/workflows/ci.yml

@@ -110,6 +110,7 @@ jobs:
       min_k8s_version: ${{ steps.vars.outputs.min_k8s_version }}
       k8s_latest: ${{ steps.vars.outputs.k8s_latest }}
       helm_changes: ${{ steps.filter.outputs.charts }}
+      operator_changes: ${{ steps.filter.outputs.operator }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -136,7 +137,7 @@ jobs:
           go-version: stable
           cache-dependency-path: |
             go.sum
-            .github/.cache/buster-for-vars
+            tests/go.sum
 
       - name: Check for changes
         uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
@@ -145,6 +146,9 @@ jobs:
           filters: |
             charts:
             - charts/nginx-gateway-fabric/**/*
+            operator:
+            - operators/**/*
+            - charts/nginx-gateway-fabric/**/*
 
       - name: Output Variables
         id: vars
@@ -188,7 +192,7 @@ jobs:
           go-version: stable
           cache-dependency-path: |
             go.sum
-            .github/.cache/buster-for-unit-tests
+            tests/go.sum
 
       - name: Run Tests
         run: make unit-test
@@ -217,6 +221,8 @@ jobs:
         uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version-file: .nvmrc
+          cache: 'npm'
+          cache-dependency-path: internal/controller/nginx/modules/package-lock.json
 
       - name: Run tests
         run: npm --prefix ${{ github.workspace }}/internal/controller/nginx/modules install-ci-test
@@ -229,7 +235,8 @@ jobs:
   binary:
     name: Build Binary
     runs-on: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || ((github.event_name == 'push' || github.event_name == 'schedule') && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release-')))) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
-    needs: [vars, unit-tests, njs-unit-tests]
+    # Run in parallel with tests - they're independent validations
+    needs: [vars]
     outputs:
       json: ${{ steps.gateway_binaries.outputs.json }}
     permissions:
@@ -263,7 +270,7 @@ jobs:
           go-version: stable
           cache-dependency-path: |
             go.sum
-            .github/.cache/buster-for-binary
+            tests/go.sum
 
       - name: Set Go module cache
         run: |
@@ -295,7 +302,9 @@ jobs:
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
           version: v2.12.7 # renovate: datasource=github-tags depName=goreleaser/goreleaser
-          args: ${{ (inputs.is_production_release && (inputs.dry_run == false || inputs.dry_run == null)) && 'release' || 'build --snapshot' }} --clean
+          # On PRs: build only amd64 for speed (tests run on amd64 runners)
+          # On main/release: build both amd64 and arm64
+          args: ${{ (inputs.is_production_release && (inputs.dry_run == false || inputs.dry_run == null)) && 'release' || (github.event_name == 'pull_request' && 'build --single-target --snapshot' || 'build --snapshot') }} --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GOPATH: ${{ needs.vars.outputs.go_path }}
@@ -404,8 +413,12 @@ jobs:
       fail-fast: false
       matrix:
         image: [ngf, nginx]
-        platforms: ["linux/arm64, linux/amd64"]
-        build-os: ["", ubi]
+        # On PRs: build only amd64 for speed (tests run on amd64)
+        # On main/release: build both amd64 and arm64
+        platforms: ${{ github.event_name == 'pull_request' && fromJSON('["linux/amd64"]') || fromJSON('["linux/arm64, linux/amd64"]') }}
+        # On PRs: only standard OS (2 jobs)
+        # On main/release: include ubi (4 jobs)
+        build-os: ${{ github.event_name == 'pull_request' && fromJSON('[""]') || fromJSON('["", "ubi"]') }}
     uses: ./.github/workflows/build.yml
     with:
       image: ${{ matrix.image }}
@@ -428,10 +441,14 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        build-os: ["", ubi]
+        # On PRs: only standard OS (1 job)
+        # On main/release: include ubi (2 jobs)
+        build-os: ${{ github.event_name == 'pull_request' && fromJSON('[""]') || fromJSON('["", "ubi"]') }}
     with:
       image: plus
-      platforms: "linux/arm64, linux/amd64"
+      # On PRs: build only amd64 for speed (tests run on amd64)
+      # On main/release: build both amd64 and arm64
+      platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/arm64, linux/amd64' }}
       build-os: ${{ matrix.build-os }}
       tag: ${{ inputs.release_version || '' }}
       dry_run: ${{ inputs.dry_run || false }}
@@ -449,7 +466,9 @@ jobs:
     uses: ./.github/workflows/build.yml
     with:
       image: operator
-      platforms: "linux/arm64, linux/amd64"
+      # On PRs: build only amd64 for speed (tests run on amd64)
+      # On main/release: build both amd64 and arm64
+      platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/arm64, linux/amd64' }}
       tag: ${{ inputs.operator_version || '' }}
       dry_run: ${{ inputs.dry_run || false }}
       runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || ((github.event_name == 'push' || github.event_name == 'schedule') && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release-')))) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
@@ -459,20 +478,19 @@ jobs:
       packages: write # for docker/build-push-action to push to GHCR
       id-token: write # for docker/login to login to NGINX registry
     secrets: inherit
+    if: ${{ needs.vars.outputs.operator_changes == 'true' || github.event_name == 'push' || github.event_name == 'schedule' || inputs.is_production_release }}
 
   functional-tests:
     name: Functional tests
     needs: [vars, build-oss, build-plus]
     strategy:
       fail-fast: false
       matrix:
-        image: [nginx, plus]
-        build-os: ["", ubi]
-        k8s-version:
-          [
-            "${{ needs.vars.outputs.min_k8s_version }}",
-            "${{ needs.vars.outputs.k8s_latest }}",
-          ]
+        # On PRs: run nginx + plus with latest k8s only (2 jobs)
+        # On main/release: run full matrix (8 jobs)
+        image: ${{ github.event_name == 'pull_request' && fromJSON('["nginx", "plus"]') || fromJSON('["nginx", "plus"]') }}
+        build-os: ${{ github.event_name == 'pull_request' && fromJSON('[""]') || fromJSON('["", "ubi"]') }}
+        k8s-version: ${{ github.event_name == 'pull_request' && fromJSON(format('["{0}"]', needs.vars.outputs.k8s_latest)) || fromJSON(format('["{0}", "{1}"]', needs.vars.outputs.min_k8s_version, needs.vars.outputs.k8s_latest)) }}
     uses: ./.github/workflows/functional.yml
     with:
       image: ${{ matrix.image }}
@@ -488,14 +506,12 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        image: [nginx, plus]
-        build-os: ["", ubi]
-        k8s-version:
-          [
-            "${{ needs.vars.outputs.min_k8s_version }}",
-            "${{ needs.vars.outputs.k8s_latest }}",
-          ]
-        enable-experimental: [true, false]
+        # On PRs: run nginx only, latest k8s, experimental enabled (1 job - most coverage)
+        # On main/release: run full matrix (16 jobs)
+        image: ${{ github.event_name == 'pull_request' && fromJSON('["nginx"]') || fromJSON('["nginx", "plus"]') }}
+        build-os: ${{ github.event_name == 'pull_request' && fromJSON('[""]') || fromJSON('["", "ubi"]') }}
+        k8s-version: ${{ github.event_name == 'pull_request' && fromJSON(format('["{0}"]', needs.vars.outputs.k8s_latest)) || fromJSON(format('["{0}", "{1}"]', needs.vars.outputs.min_k8s_version, needs.vars.outputs.k8s_latest)) }}
+        enable-experimental: ${{ github.event_name == 'pull_request' && fromJSON('[true]') || fromJSON('[true, false]') }}
     uses: ./.github/workflows/conformance.yml
     with:
       image: ${{ matrix.image }}
@@ -586,7 +602,7 @@ jobs:
           go-version: stable
           cache-dependency-path: |
             go.sum
-            .github/.cache/buster-for-unit-tests
+            tests/go.sum
 
       - name: Deploy Kubernetes
         id: k8s

.github/workflows/lint.yml

@@ -45,6 +45,9 @@ jobs:
         uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: stable
+          cache-dependency-path: |
+            go.sum
+            tests/go.sum
 
       - name: Lint Go
         uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
@@ -63,6 +66,8 @@ jobs:
         uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version-file: .nvmrc
+          cache: 'npm'
+          cache-dependency-path: internal/controller/nginx/modules/package-lock.json
 
       - name: Run Prettier on NJS code
         id: prettier-run

.github/workflows/renovate-build.yml

@@ -66,7 +66,7 @@ jobs:
           go-version: stable
           cache-dependency-path: |
             go.sum
-            .github/.cache/buster-for-generate
+            tests/go.sum
 
       # go mod tidy can be removed once https://github.com/renovatebot/renovate/issues/12999 is implemented
       - name: Update files for renovate