Build: Simplify CI workflow path filters to avoid per-workflow maintenance

[kevinjqliu]

Switches 6 CI workflows from paths-ignore with individual workflow file listings to paths with !.github/** glob + self-allowlist.

Before, adding/renaming/removing a workflow required updating the ignore list in all 6 CI files. Now, only the workflow's own file is allowlisted and everything else under .github/ is excluded automatically.

Motivation

Every PR that adds, renames, or removes a workflow file must update the paths-ignore list in all 6 CI workflows, adding boilerplate changes unrelated to the PR's purpose. Recent examples:

• Build: Improve PR title check pattern for multi-word prefixes and reverts #16301 (PR title check) — added pr-title-check.yml, required updating 6 CI files
• INFRA: Expand Trivy CVE scan to all bundle and runtime modules #16291 (CVE scan expansion) — renamed kafka-connect-cve-scan.yml → cve-scan.yml, required updating 6 CI files
• Kafka Connect: Add Trivy CVE scan to CI #15430 (Kafka Connect CVE scan) — added kafka-connect-cve-scan.yml, required updating 6 CI files

Pattern

Following the pattern used by pyiceberg:

pull_request:
  paths:
  - '**'
  - '!.github/**'
  - '.github/workflows/<self>.yml'
  - '!docs/**'
  # ... other exclusions

1. ** — include all files
2. !.github/** — exclude everything under .github/
3. .github/workflows/<self>.yml — re-include the workflow's own file (later patterns override earlier ones)
4. Remaining ! entries exclude docs, metadata, and unrelated engine modules

Testing

Wrote a validation script simulating GitHub Actions path matching for both old (paths-ignore) and new (paths) configs across all 6 workflows. Tested 53 representative file paths covering:

• Source code (core, api, data, parquet, orc, aws, build files)
• Engine-specific modules (spark, flink, kafka-connect, mr, arrow, delta-lake, hive)
• Own workflow file vs other workflow files
• .github/ files not in the old explicit lists (new workflows, dependabot, CODEOWNERS)
• Docs, metadata, and config files (.gitignore, README, LICENSE, etc.)

Results: All paths match old behavior except .github/ files that were missing from the old ignore lists (e.g., brand-new-workflow.yml, pr-title-check.yml, dependabot.yml, CODEOWNERS). These correctly change from TRIGGER → SKIP — the old behavior was a maintenance bug where unlisted files would needlessly trigger all CI workflows.

[kevinjqliu]

should also include .github/workflows/cve-scan.yml when its merged

https://github.com/apache/iceberg/pull/16287/files#diff-b9a3df5364290d7430a379df61028521a5934e6a5f93b1530a2802f1ed9d7e26R30

[manuzhang]

@kevinjqliu I had a similar PR before but @amogh-jahagirdar had some general concerns on this approach.