ci: make DCO advisory and run workflows on PR synchronize (#123)

* ci: make DCO advisory and run workflows on PR synchronize

- convert DCO check to advisory non-blocking mode

- add/align synchronize triggers for PR workflows

- add PR-safe validation jobs for release/stale/reminder flows

* ci: make PR docker validation non-blocking

Author: aviralgarg05

.github/workflows/ci.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches: [main]
   pull_request:
+    types: [opened, reopened, synchronize]
     branches: [main]
 
 permissions:

.github/workflows/codeql.yml

@@ -4,6 +4,7 @@ on:
     push:
         branches: [main]
     pull_request:
+        types: [opened, reopened, synchronize]
         branches: [main]
     schedule:
         - cron: "0 0 * * 1" # Weekly on Monday

.github/workflows/dco.yml

@@ -2,6 +2,7 @@ name: DCO Check
 
 on:
     pull_request:
+        types: [opened, reopened, synchronize, edited]
         branches: [main]
 
 permissions:
@@ -17,20 +18,32 @@ jobs:
             - uses: actions/checkout@v4
               with:
                   fetch-depth: 0
-            - name: Check DCO Sign-off
+            - name: Check DCO Sign-off (non-blocking)
               run: |
                   commits=$(git log --format='%H %s' origin/${{ github.base_ref }}..HEAD)
                   failed=0
+                  missing=""
                   while IFS= read -r line; do
+                    [ -z "$line" ] && continue
                     hash=$(echo "$line" | awk '{print $1}')
                     msg=$(git log -1 --format='%B' "$hash")
                     if ! echo "$msg" | grep -q "Signed-off-by:"; then
-                      echo "Missing Signed-off-by in commit: $hash"
+                      echo "::warning::Missing Signed-off-by in commit: $hash"
+                      missing="${missing}"$'\n'"- ${hash}"
                       failed=1
                     fi
                   done <<< "$commits"
                   if [ $failed -eq 1 ]; then
-                    echo "DCO check failed. Please sign off your commits with 'git commit -s'"
-                    exit 1
+                    echo "DCO sign-off missing in one or more commits."
+                    echo "For now this check is advisory; recommended fix: rebase and use 'git commit -s'."
+                    {
+                      echo "### DCO Advisory"
+                      echo "Missing sign-off commits detected:${missing}"
+                      echo ""
+                      echo "Recommended fix:"
+                      echo "- Rebase your branch and amend commits with: \`git commit --amend -s\`"
+                      echo "- For multiple commits use interactive rebase and sign each commit."
+                    } >> "$GITHUB_STEP_SUMMARY"
+                    exit 0
                   fi
                   echo "All commits have DCO sign-off"

.github/workflows/dependency-review.yml

@@ -2,6 +2,7 @@ name: "Dependency Review"
 
 on:
     pull_request:
+        types: [opened, reopened, synchronize]
         branches: [main]
 
 permissions:

.github/workflows/docker-release.yml

@@ -3,6 +3,9 @@ name: Build and Release Docker Image
 on:
   release:
     types: [created]
+  pull_request:
+    types: [opened, reopened, synchronize]
+    branches: [main]
 
 jobs:
   build:
@@ -15,16 +18,19 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Docker Hub account login
+        if: github.event_name == 'release'
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Extract release tag
+        if: github.event_name == 'release'
         id: meta
         run: echo "version=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
 
       - name: Build and push Docker image
+        if: github.event_name == 'release'
         uses: docker/build-push-action@v6
         with:
           context: .
@@ -36,3 +42,12 @@ jobs:
             ${{ secrets.DOCKERHUB_USERNAME }}/nexumdb:${{ github.sha }}
           cache-from: type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/nexumdb:buildcache
           cache-to: type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/nexumdb:buildcache,mode=max
+
+      - name: PR Docker build validation
+        if: github.event_name == 'pull_request'
+        continue-on-error: true
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile
+          push: false

.github/workflows/pr-commenter.yml

@@ -2,7 +2,7 @@ name: PR Auto Commenter
 
 on:
     pull_request:
-        types: [opened, reopened]
+        types: [opened, reopened, synchronize]
 
 permissions:
     pull-requests: write
@@ -34,7 +34,10 @@ jobs:
                       const hasCIChanges = changedFiles.some(f => f.startsWith('.github/workflows/'));
                       const hasTestChanges = changedFiles.some(f => f.includes('test'));
 
-                      let comment = `## Thank you for your contribution, @${prAuthor}!\n\n`;
+                      const marker = '<!-- nexum-pr-auto-comment -->';
+
+                      let comment = `${marker}\n`;
+                      comment += `## Thank you for your contribution, @${prAuthor}!\n\n`;
                       comment += `### PR Analysis\n\n`;
                       comment += `**Files Changed:** ${files.length}\n`;
                       comment += `**Components:**\n`;
@@ -75,9 +78,29 @@ jobs:
                       comment += `**Tip:** CodeRabbit will automatically review your PR. Address any feedback before requesting human review.\n`;
                       comment += `New to contributing? Check out [CONTRIBUTING.md](../blob/main/CONTRIBUTING.md) for guidelines.\n`;
 
-                      await github.rest.issues.createComment({
+                      const { data: comments } = await github.rest.issues.listComments({
                         owner: context.repo.owner,
                         repo: context.repo.repo,
                         issue_number: prNumber,
-                        body: comment
+                        per_page: 100
                       });
+
+                      const existing = comments.find(c =>
+                        c.user.type === 'Bot' && c.body && c.body.includes(marker)
+                      );
+
+                      if (existing) {
+                        await github.rest.issues.updateComment({
+                          owner: context.repo.owner,
+                          repo: context.repo.repo,
+                          comment_id: existing.id,
+                          body: comment
+                        });
+                      } else {
+                        await github.rest.issues.createComment({
+                          owner: context.repo.owner,
+                          repo: context.repo.repo,
+                          issue_number: prNumber,
+                          body: comment
+                        });
+                      }

.github/workflows/pr-review-reminder.yml

@@ -1,6 +1,9 @@
 name: PR Review Reminder
 
 on:
+    pull_request:
+        types: [opened, reopened, synchronize]
+        branches: [main]
     schedule:
         # Run every 6 hours
         - cron: '0 */6 * * *'
@@ -11,8 +14,16 @@ permissions:
     contents: read
 
 jobs:
+    pr-sync-check:
+        runs-on: ubuntu-latest
+        if: github.event_name == 'pull_request'
+        steps:
+            - name: PR sync trigger acknowledged
+              run: echo "PR synchronize trigger received for review reminder workflow."
+
     remind-reviewers:
         runs-on: ubuntu-latest
+        if: github.event_name != 'pull_request'
         steps:
             - name: Check for PRs awaiting review
               uses: actions/github-script@v7

.github/workflows/release-please.yml

@@ -4,6 +4,10 @@ on:
     push:
         branches:
             - main
+    pull_request:
+        types: [opened, reopened, synchronize]
+        branches:
+            - main
     # Also allow manual trigger
     workflow_dispatch:
 
@@ -12,10 +16,23 @@ permissions:
     pull-requests: write
 
 jobs:
+    release-config-check:
+        runs-on: ubuntu-latest
+        if: github.event_name == 'pull_request'
+        permissions:
+            contents: read
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+
+            - name: Validate release-please config files
+              run: |
+                  jq empty release-please-config.json
+                  jq empty .release-please-manifest.json
+
     release-please:
         runs-on: ubuntu-latest
-        # Only run if NOT from bots or automated PR merges
-        if: github.event_name == 'workflow_dispatch' || (github.actor != 'dependabot[bot]' && github.actor != 'github-actions[bot]' && !contains(github.event.head_commit.message, 'Merge pull request'))
+        if: github.event_name != 'pull_request' && (github.event_name == 'workflow_dispatch' || (github.actor != 'dependabot[bot]' && github.actor != 'github-actions[bot]' && !contains(github.event.head_commit.message, 'Merge pull request')))
         steps:
             - uses: googleapis/release-please-action@v4
               id: release

.github/workflows/sbom.yml

@@ -3,6 +3,9 @@ name: Generate SBOM
 on:
     release:
         types: [published]
+    pull_request:
+        types: [opened, reopened, synchronize]
+        branches: [main]
     workflow_dispatch:
 
 permissions:

.github/workflows/stale.yml

@@ -1,6 +1,9 @@
 name: Stale Issues and PRs
 
 on:
+    pull_request:
+        types: [opened, reopened, synchronize]
+        branches: [main]
     schedule:
         - cron: "30 1 * * *" # Run daily at 1:30 AM UTC
     workflow_dispatch:
@@ -10,8 +13,16 @@ permissions:
     pull-requests: write
 
 jobs:
+    pr-sync-check:
+        runs-on: ubuntu-latest
+        if: github.event_name == 'pull_request'
+        steps:
+            - name: PR sync trigger acknowledged
+              run: echo "PR synchronize trigger received for stale workflow."
+
     stale:
         runs-on: ubuntu-latest
+        if: github.event_name != 'pull_request'
         steps:
             - uses: actions/stale@v9
               with: