
ci: fix scheduled-build permissions and expose workflow_dispatch inputs#274

Open
david-waltermire wants to merge 1 commit into metaschema-framework:main from david-waltermire:ci/fix-scheduled-build-permissions

Conversation

david-waltermire (Contributor) commented May 14, 2026

Summary

  • Declare the union of required permissions (actions: read, contents: write, security-events: write, packages: write, attestations: write, id-token: write) on the nightly caller job so the reusable build.yml can run. Without this, GitHub rejected the workflow because the called jobs request more permissions than the caller granted.
  • Expose ref, skip_code_scans, and skip_linkcheck as workflow_dispatch inputs so manual runs can override them. Scheduled runs keep the existing hardcoded behavior (develop, both skips true) via a github.event_name == 'schedule' || inputs.X guard that avoids the falsy-default trap of || true.

Targets main because scheduled workflows only fire from the default branch. Mirrors the equivalent fix in metaschema-framework/metaschema-java#722.

Test plan

  • After merge, trigger the workflow via workflow_dispatch and confirm it starts cleanly
  • Confirm the next scheduled (4:00 AM UTC) run executes without permission errors
  • Verify workflow_dispatch inputs are visible and overridable from the Actions UI

Summary by CodeRabbit

  • New Features

    • Scheduled build workflow can be manually triggered with configurable inputs (branch/ref, toggle code scans, toggle link checks).
    • Manual triggers respect provided inputs while scheduled runs keep defaults.
  • Chores

    • Build pipeline permissions moved to job-level and expanded to include additional write permissions for package/attestation/token-related actions.

coderabbitai (Bot) commented May 14, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 624b207c-92c4-483d-ae04-c36aecb7c8f9

📥 Commits

Reviewing files that changed from the base of the PR and between 327dc1a and ba60441.

📒 Files selected for processing (1)
  • .github/workflows/scheduled-build.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/scheduled-build.yml

📝 Walkthrough

The scheduled GitHub Actions workflow .github/workflows/scheduled-build.yml now supports manual runs via workflow_dispatch with inputs ref, skip_code_scans, and skip_linkcheck; job-level nightly.permissions replace the removed workflow-level permissions; and the nightly job forwards conditional inputs to the reusable build.yml.

Changes

Scheduled build — dispatch, permissions, and wiring

  • Dispatch inputs & trigger (.github/workflows/scheduled-build.yml): Adds workflow_dispatch inputs: ref (string, default develop), skip_code_scans (boolean, default true), and skip_linkcheck (boolean, default true) to allow manual runs and configuration.
  • Job-level permissions (.github/workflows/scheduled-build.yml): Removes top-level permissions and adds jobs.nightly.permissions with actions: read, contents: write, security-events: write, and new write scopes: packages, attestations, id-token.
  • Reusable workflow wiring & conditional values (.github/workflows/scheduled-build.yml): Updates jobs.nightly.with to use `${{ inputs.ref

Sequence Diagram

sequenceDiagram
  autonumber
  participant Developer as Developer
  participant GitHub as GitHub Actions
  participant Reusable as build.yml (reusable)
  participant Jobs as nightly job

  Developer->>GitHub: trigger workflow_dispatch (inputs: ref, skip_code_scans, skip_linkcheck)
  GitHub->>GitHub: evaluate github.event_name (schedule vs dispatch)
  GitHub->>Jobs: set job-level permissions (contents/packages/attestations/id-token/etc.)
  GitHub->>Reusable: call reusable workflow with computed `with` inputs
  Reusable->>Jobs: run steps honoring skip flags

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • aj-stein

Poem

🐇 A button for builds, a ref that I tuck,
Manual or nightly — the workflow's in luck.
Permissions aligned, inputs passed through,
The rabbit hops CI — clear, timely, and true. ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately and specifically describes the main changes: adding explicit permissions to the scheduled-build workflow and exposing workflow_dispatch inputs for manual execution.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


The reusable build.yml workflow's nested jobs request actions: read,
security-events: write, packages: write, attestations: write, and
id-token: write. When called from scheduled-build.yml without an
explicit permissions block on the caller job, the caller granted none
of these and GitHub rejected the workflow as invalid.

Declare the union of required permissions on the nightly job so the
reusable workflow can run.

Also allow ref, skip_code_scans, and skip_linkcheck to be overridden
when the workflow is run manually via workflow_dispatch. Scheduled
runs continue to use the previous hardcoded values (ref=develop,
skip_code_scans=true, skip_linkcheck=true).

For the boolean inputs, use `github.event_name == 'schedule' ||
inputs.X` so scheduled runs always pass true while dispatch runs
honor the user's selection (the simpler `|| true` fallback would
clobber a user-supplied false because false is falsy in expressions).
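The two points made in the PR description and in the commit message above (declaring the union of the called workflow's scopes on the caller job, and guarding boolean inputs on the event name rather than with `|| true`) can be seen together in a caller workflow of the shape described. This is an added illustration, not the project's scheduled-build.yml; it assumes the reusable workflow is at ./.github/workflows/build.yml in the same repository, that it declares inputs named ref, skip_code_scans and skip_linkcheck, and that the string fallback for ref is `|| 'develop'` (the PR's table only shows the start of that expression). The cron line is a constructed stand-in for the 4:00 AM UTC schedule the test plan mentions.

```yaml
# Added example: a caller workflow shaped like the PR's scheduled-build.yml.
# Assumptions: build.yml lives at .github/workflows/build.yml in this
# repository and accepts inputs ref, skip_code_scans and skip_linkcheck;
# the cron expression below is a constructed stand-in for 4:00 AM UTC.
name: Scheduled build

on:
  schedule:
    - cron: '0 4 * * *'   # assumption: daily at 04:00 UTC
  workflow_dispatch:
    inputs:
      ref:
        description: Git ref to build
        type: string
        default: develop
      skip_code_scans:
        description: Skip code scanning
        type: boolean
        default: true
      skip_linkcheck:
        description: Skip link checking
        type: boolean
        default: true

# No workflow-level permissions block: the scopes are declared on the one job
# that calls the reusable workflow, so only that job's token carries them.

jobs:
  nightly:
    # The caller must grant at least the union of what the called workflow's
    # jobs request (actions: read, security-events: write, packages: write,
    # attestations: write, id-token: write, plus contents: write); otherwise
    # GitHub rejects the run as invalid before any step executes.
    permissions:
      actions: read
      contents: write
      security-events: write
      packages: write
      attestations: write
      id-token: write
    uses: ./.github/workflows/build.yml   # assumption: path of the reusable workflow
    with:
      # On a schedule event every inputs.* value is empty. An empty string is
      # falsy in expressions, so `|| 'develop'` restores the scheduled default
      # while a dispatch run keeps whatever ref the user typed.
      ref: ${{ inputs.ref || 'develop' }}

      # For booleans `|| true` is the trap: a dispatch run where the user
      # unticked the box would evaluate `false || true` and be clobbered back
      # to true. Keying on the event name instead makes scheduled runs pass
      # true and lets dispatch runs pass the user's selection unchanged.
      # (Not this:  skip_code_scans: ${{ inputs.skip_code_scans || true }})
      skip_code_scans: ${{ github.event_name == 'schedule' || inputs.skip_code_scans }}
      skip_linkcheck: ${{ github.event_name == 'schedule' || inputs.skip_linkcheck }}
```

Two things worth checking whenever this file or build.yml changes: the scopes listed under `nightly.permissions` must still be a superset of what every job in build.yml requests, and they should not drift wider than that, since anything granted here is what the called jobs' `GITHUB_TOKEN` can do. The event-name guard has the same truth table as the hardcoded values for scheduled runs (`true`, `true`) and is the identity for dispatch runs, so it is safe to apply to any boolean input added later.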
david-waltermire force-pushed the ci/fix-scheduled-build-permissions branch from 327dc1a to ba60441 on May 14, 2026 at 23:44