v3.3.0: path-based rules + promotion idempotency Heavy build jobs gate on rules: changes: paths: via new build_change_paths input. Doc-only / settings-only / CI-only pushes to main no longer trigger rebuilds. MR + schedule pipelines unchanged. Promotion steps (validate.yml, instance.yml, base-build-scratch.yml, container-build.yml) now compare source and destination digests before skopeo copy. No-op promotions log and skip. container-build.yml job_rules default changed: previously unconditional, now path-gated on main push. Consumers can restore old behavior via inputs.job_rules. New input: build_change_paths (array). Default covers images/**, modules/**, manifests/**, Containerfile*, .gitlab-ci.yml.