From ba60441ef603b17d0e525ed7a186469fd1cdd725 Mon Sep 17 00:00:00 2001
From: David Waltermire
Date: Thu, 14 May 2026 19:24:19 -0400
Subject: [PATCH] ci: fix scheduled-build permissions and expose workflow_dispatch inputs
The reusable build.yml workflow's nested jobs request actions: read, security-events: write, packages: write, attestations: write, and id-token: write. When called from scheduled-build.yml without an explicit permissions block on the caller job, the caller granted none of these and GitHub rejected the workflow as invalid. Declare the union of required permissions on the nightly job so the reusable workflow can run. Also allow ref, skip_code_scans, and skip_linkcheck to be overridden when the workflow is run manually via workflow_dispatch. Scheduled runs continue to use the previous hardcoded values (ref=develop, skip_code_scans=true, skip_linkcheck=true). For the boolean inputs, use `github.event_name == 'schedule' || inputs.X` so scheduled runs always pass true while dispatch runs honor the user's selection (the simpler `|| true` fallback would clobber a user-supplied false because false is falsy in expressions).
---
 .github/workflows/scheduled-build.yml | 33 +++++++++++++++++++++------
 1 file changed, 26 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/scheduled-build.yml b/.github/workflows/scheduled-build.yml
index 0a9cdcd..a8d7704 100644
--- a/.github/workflows/scheduled-build.yml
+++ b/.github/workflows/scheduled-build.yml
@@ -4,15 +4,34 @@ on: # Nightly build at 4:00 AM UTC (after liboscal-java) - cron: '0 4 * * *' workflow_dispatch: -permissions: - actions: read - contents: write - security-events: write + inputs: + ref: + description: 'Git ref to checkout (branch, tag, or SHA)' + required: false + default: 'develop' + type: string + skip_code_scans: + description: 'Skip CodeQL and Trivy security scans' + required: false + default: true + type: boolean + skip_linkcheck: + description: 'Skip website link checker' + required: false + default: true + type: boolean jobs: nightly: + permissions: + actions: read + contents: write + security-events: write + packages: write + attestations: write + id-token: write uses: ./.github/workflows/build.yml with: - ref: develop - skip_code_scans: true - skip_linkcheck: true + ref: ${{ inputs.ref || 'develop' }} + skip_code_scans: ${{ github.event_name == 'schedule' || inputs.skip_code_scans }} + skip_linkcheck: ${{ github.event_name == 'schedule' || inputs.skip_linkcheck }} secrets: inherit
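Review bot: The new `permissions` block on the `nightly` job grants `contents: write`, `packages: write`, `attestations: write` and `id-token: write` to a workflow that, through the added `ref` input, can now be dispatched by hand against any branch, tag or SHA, so a manual run of an unreviewed or stale ref would — if build.yml publishes and attests whatever it checks out, which this hunk does not show — produce packages and signed provenance under the repository's release identity, with `secrets: inherit` passed along. Consider gating the dispatch path, for example a small validation job that `nightly` lists in `needs:` and that fails unless `inputs.ref` matches the refs you intend to publish from, or confirm that build.yml itself only publishes for trusted refs. The reason for `${{ github.event_name == 'schedule' || inputs.skip_code_scans }}` lives only in the commit message; a comment above those two `with:` lines such as `# scheduled runs always skip; dispatch honours the input (a bare '|| true' would override a user-supplied false)` keeps it in the file. With these defaults neither the nightly nor a default dispatch ever runs the CodeQL/Trivy scans, which matches the prior hardcoded values but is worth stating in the header comment next to the cron. The `on:` block this hunk edits begins before the hunk.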