authorMehmet Samet Duman <yongdohyun@projecttick.org>2026-04-04 19:52:56 +0300
committerMehmet Samet Duman <yongdohyun@projecttick.org>2026-04-04 19:52:56 +0300
commite7c29e7b774c6c6db3ebfe261dfc7ec3c77550e0 (patch)
tree56ac41f12f415efaac59c0b6c02e6a09b1eec20a /.github
parent8d0d919fbf43230148da7533519ed0ffdfaa4197 (diff)
NOISSUE fix schedule group resolution to CI workflow and update permissions
Signed-off-by: Mehmet Samet Duman <yongdohyun@projecttick.org>
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/ci-schedule.yml72
-rw-r--r--.github/workflows/ci.yml2
2 files changed, 50 insertions, 24 deletions
diff --git a/.github/workflows/ci-schedule.yml b/.github/workflows/ci-schedule.yml
index 1c933d6b26..3c4ab1c603 100644
--- a/.github/workflows/ci-schedule.yml
+++ b/.github/workflows/ci-schedule.yml
@@ -31,27 +31,41 @@ on:
permissions:
contents: read
-env:
- # Map cron index → group name
- SCHEDULE_GROUP: >-
- ${{
- github.event.inputs.schedule-group == 'all' && 'all' ||
- github.event.inputs.schedule-group ||
- (github.event.schedule == '0 3 * * *' && 'daily') ||
- (github.event.schedule == '0 4 * * 0' && 'weekly-sun') ||
- (github.event.schedule == '0 14 * * 3' && 'weekly-wed') ||
- (github.event.schedule == '0 2 * * 4' && 'weekly-thu') ||
- 'all'
- }}
-
jobs:
+ # ── Gate: resolve which schedule group to run ───────────────────
+ gate:
+ name: "Resolve Schedule Group"
+ runs-on: ubuntu-latest
+ outputs:
+ group: ${{ steps.resolve.outputs.group }}
+ steps:
+ - name: Resolve schedule group
+ id: resolve
+ run: |
+ if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+ GROUP="${{ github.event.inputs.schedule-group }}"
+ elif [[ "${{ github.event.schedule }}" == "0 3 * * *" ]]; then
+ GROUP="daily"
+ elif [[ "${{ github.event.schedule }}" == "0 4 * * 0" ]]; then
+ GROUP="weekly-sun"
+ elif [[ "${{ github.event.schedule }}" == "0 14 * * 3" ]]; then
+ GROUP="weekly-wed"
+ elif [[ "${{ github.event.schedule }}" == "0 2 * * 4" ]]; then
+ GROUP="weekly-thu"
+ else
+ GROUP="all"
+ fi
+ echo "group=$GROUP" >> "$GITHUB_OUTPUT"
+ echo "### Schedule Group: \`$GROUP\`" >> "$GITHUB_STEP_SUMMARY"
+
# ╔════════════════════════════════════════════════════════════════╗
# ║ Daily Jobs ║
# ╚════════════════════════════════════════════════════════════════╝
stale:
name: "Stale Issues & PRs"
- if: contains(fromJSON('["daily","all"]'), env.SCHEDULE_GROUP)
+ needs: gate
+ if: contains(fromJSON('["daily","all"]'), needs.gate.outputs.group)
runs-on: ubuntu-latest
permissions:
issues: write
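Review bot: The `run:` script of the new `gate` job expands `${{ github.event.inputs.schedule-group }}` directly into the shell text, so a manually dispatched input is parsed as shell code rather than handled as data. Pass it through the step environment instead, `env:` with `INPUT_GROUP: ${{ github.event.inputs.schedule-group }}`, and read it as `GROUP="$INPUT_GROUP"`; a `case` over the five known group names that exits non-zero on anything else would also keep an unexpected value out of `$GITHUB_OUTPUT`. The same applies to `${{ needs.gate.outputs.group }}` in the verdict step's `echo` (hunk `@@ -200,7 +224,7`), which carries that value into a second script. Separately, the removed expression fell back to `'all'` when the input was empty, whereas the new `workflow_dispatch` branch leaves `GROUP` empty, so if the input can be empty (its declaration is outside this hunk) no job's `if:` will match.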
@@ -82,7 +96,8 @@ jobs:
docker-images:
name: "Docker Image Rebuild"
- if: contains(fromJSON('["daily","all"]'), env.SCHEDULE_GROUP)
+ needs: gate
+ if: contains(fromJSON('["daily","all"]'), needs.gate.outputs.group)
uses: ./.github/workflows/images4docker-build.yml
permissions:
contents: read
@@ -91,7 +106,8 @@ jobs:
mnv-coverity:
name: "MNV Coverity Scan"
- if: contains(fromJSON('["daily","all"]'), env.SCHEDULE_GROUP)
+ needs: gate
+ if: contains(fromJSON('["daily","all"]'), needs.gate.outputs.group)
uses: ./.github/workflows/mnv-coverity.yml
secrets: inherit
@@ -101,13 +117,15 @@ jobs:
mnv-link-check:
name: "MNV Link Check"
- if: contains(fromJSON('["weekly-sun","all"]'), env.SCHEDULE_GROUP)
+ needs: gate
+ if: contains(fromJSON('["weekly-sun","all"]'), needs.gate.outputs.group)
uses: ./.github/workflows/mnv-link-check.yml
secrets: inherit
scorecard:
name: "OpenSSF Scorecard"
- if: contains(fromJSON('["weekly-sun","all"]'), env.SCHEDULE_GROUP)
+ needs: gate
+ if: contains(fromJSON('["weekly-sun","all"]'), needs.gate.outputs.group)
uses: ./.github/workflows/repo-scorecards.yml
permissions:
contents: read
@@ -121,8 +139,9 @@ jobs:
meshmc-flake-update:
name: "MeshMC Nix Flake Update"
+ needs: gate
if: >-
- contains(fromJSON('["weekly-sun","all"]'), env.SCHEDULE_GROUP) &&
+ contains(fromJSON('["weekly-sun","all"]'), needs.gate.outputs.group) &&
github.repository_owner == 'Project-Tick'
uses: ./.github/workflows/meshmc-flake-update.yml
permissions:
@@ -132,7 +151,8 @@ jobs:
mnv-codeql:
name: "MNV CodeQL"
- if: contains(fromJSON('["weekly-sun","all"]'), env.SCHEDULE_GROUP)
+ needs: gate
+ if: contains(fromJSON('["weekly-sun","all"]'), needs.gate.outputs.group)
uses: ./.github/workflows/mnv-codeql.yml
permissions:
contents: read
@@ -141,7 +161,8 @@ jobs:
neozip-codeql:
name: "NeoZip CodeQL"
- if: contains(fromJSON('["weekly-sun","all"]'), env.SCHEDULE_GROUP)
+ needs: gate
+ if: contains(fromJSON('["weekly-sun","all"]'), needs.gate.outputs.group)
uses: ./.github/workflows/neozip-codeql.yml
permissions:
contents: read
@@ -154,7 +175,8 @@ jobs:
json4cpp-flawfinder:
name: "JSON4CPP Flawfinder"
- if: contains(fromJSON('["weekly-wed","all"]'), env.SCHEDULE_GROUP)
+ needs: gate
+ if: contains(fromJSON('["weekly-wed","all"]'), needs.gate.outputs.group)
uses: ./.github/workflows/json4cpp-flawfinder.yml
permissions:
contents: read
@@ -168,7 +190,8 @@ jobs:
json4cpp-semgrep:
name: "JSON4CPP Semgrep"
- if: contains(fromJSON('["weekly-thu","all"]'), env.SCHEDULE_GROUP)
+ needs: gate
+ if: contains(fromJSON('["weekly-thu","all"]'), needs.gate.outputs.group)
uses: ./.github/workflows/json4cpp-semgrep.yml
permissions:
contents: read
@@ -184,6 +207,7 @@ jobs:
name: "Schedule Verdict"
if: always()
needs:
+ - gate
- stale
- docker-images
- mnv-coverity
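Review bot: Adding `gate` to `needs:` gives the verdict access to the group, but nothing visible here checks `needs.gate.result`. Every job now depends on `gate`, so a failed gate leaves all of them skipped; if the report step treats skipped as acceptable (its logic lies outside this hunk), the run would show green with nothing executed. An explicit guard ahead of the table would close that gap, for example `GATE_RESULT: ${{ needs.gate.result }}` under the step's `env:` and `[[ "$GATE_RESULT" == "success" ]] || exit 1` in the script.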
@@ -200,7 +224,7 @@ jobs:
run: |
set -euo pipefail
- echo "## Scheduled CI Report — ${{ env.SCHEDULE_GROUP }}" >> "$GITHUB_STEP_SUMMARY"
+ echo "## Scheduled CI Report — ${{ needs.gate.outputs.group }}" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "| Job | Result |" >> "$GITHUB_STEP_SUMMARY"
echo "|-----|--------|" >> "$GITHUB_STEP_SUMMARY"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c0dde03ab0..248eccd01f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -282,6 +282,8 @@ jobs:
uses: ./.github/workflows/neozip-ci.yml
permissions:
contents: read
+ actions: read
+ security-events: write
secrets: inherit
# ── C++ / Library Projects ──────────────────────────────────────
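Review bot: The two added scopes are granted to the entire `neozip-ci.yml` call, next to `secrets: inherit`, and nothing in the hunk records which job needs them. `security-events: write` allows uploading and altering code-scanning results, so it is best confined to the job that does so: treat this block as the ceiling and set `permissions:` per job inside `neozip-ci.yml`, leaving the other jobs at `contents: read`. A comment on the new lines, such as `# needed for the code-scanning upload in neozip-ci.yml`, would document the reason; that it is a SARIF upload is an assumption, since the called workflow is not shown. The job's header is above the hunk.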