ci: stop spawning schedule jobs on contributors' forks #4753

Merged: escapedcat merged 2 commits into conventional-changelog:master from knocte:wip/noScheduledJobsOnForks on May 9, 2026

@knocte (Contributor) commented May 9, 2026

Description

Stop spawning schedule jobs on contributors' forks, by filtering them by the GitHub org name.

Motivation and Context

The schedule trigger for jobs is only useful for commitlint maintainers, not for contributors' forks, which might get outdated easily.

@qodo-code-review

Review Summary by Qodo

Prevent scheduled CI jobs from running on contributor forks

✨ Enhancement

Walkthroughs

Description
• Add schedule job filtering to prevent execution on contributor forks
• Restrict scheduled workflows to official repository only
• Apply filter to build, codeQuality, and nodeJsBaselineAptCompatibility jobs
Diagram
flowchart LR
  A["Scheduled Workflow Trigger"] --> B["Check Event Type"]
  B --> C["Is Schedule Event?"]
  C -->|Yes| D["Verify Repository Owner"]
  D -->|Is conventional-changelog| E["Execute Job"]
  D -->|Not Owner| F["Skip Job"]
  C -->|No| G["Use Existing PR Filter"]
  G --> E

File Changes

1. .github/workflows/CI.yml ⚙️ Configuration changes +3/-3

Add schedule event filtering to CI workflow jobs

• Enhanced job condition filters to prevent scheduled jobs on contributor forks
• Added repository owner check (github.repository_owner == 'conventional-changelog') for schedule
 events
• Applied updated condition to three jobs: build, codeQuality, and
 nodeJsBaselineAptCompatibility
• Maintains existing pull request fork filtering while adding schedule-specific protection

@qodo-code-review (Bot) commented May 9, 2026

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)

Remediation recommended

1. Schedule allowlist too broad 🐞 Bug ⛨ Security
Description
The new schedule guard uses github.repository_owner == 'conventional-changelog', which permits
scheduled CI to run on any repository owned by that org (including org-internal forks or other repos
that copy this workflow) rather than only the canonical repo. This is inconsistent with other
workflows in this repo that scope scheduled/privileged jobs to `github.repository ==
'conventional-changelog/commitlint'` and can re-enable schedules where they were intended to be
blocked.
Code

.github/workflows/CI.yml[18]

+    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.repository) && (github.event_name != 'schedule' || github.repository_owner == 'conventional-changelog')
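Review bot: The schedule clause on this `if:` line is appended to the existing pull_request clause as one long expression with no comment, and per the file summary the same string is repeated on three jobs (build, codeQuality, nodeJsBaselineAptCompatibility), so the copies can drift apart unnoticed. Add a short comment above each `if:` stating that the second clause keeps scheduled runs off forks, and break the expression across lines with a YAML folded scalar (`if: >-`) so each clause can be reviewed on its own line.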
Evidence
CI.yml’s new condition gates schedules by owner only, while other workflows with schedule/privileged
behavior gate by the exact repo full_name, indicating the intended restriction is to the canonical
repo rather than the whole org.

.github/workflows/CI.yml[16-18]
.github/workflows/container-build.yml[12-14]
.github/workflows/docs-deploy.yml[18-23]
.github/workflows/docs-deploy.yml[51-54]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Scheduled CI jobs are currently allowlisted by `github.repository_owner`, which is broader than necessary and inconsistent with other workflows in this repo.
### Issue Context
Other workflows (e.g., container build, docs deploy) restrict privileged/scheduled execution to the canonical repository using `github.repository == 'conventional-changelog/commitlint'`.
### Fix Focus Areas
- .github/workflows/CI.yml[16-18]
- .github/workflows/CI.yml[42-45]
- .github/workflows/CI.yml[64-67]
### Suggested change
Update the schedule clause to check the full repository name, e.g.:

This way they are more readable.

Copilot AI left a comment

Pull request overview

This PR updates the main CI GitHub Actions workflow to avoid running scheduled CI jobs on contributor forks by gating scheduled runs to the conventional-changelog org.

Changes:

  • Add a schedule-specific guard to the if: condition for each CI job.
  • Keep existing pull-request fork logic intact while preventing schedule jobs from executing on forks.

@escapedcat escapedcat merged commit a6e9108 into conventional-changelog:master May 9, 2026
32 of 35 checks passed
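
The difference between the owner-based schedule guard merged here and the repository-scoped guard the Qodo review points to, modelled over constructed event contexts. This is an added example, not code from the pull request or the commitlint project; the scenario names and the `contributor` and `commitlint-mirror` repositories are made up for illustration.

```python
# Added example: models the job-level `if:` condition discussed in this PR.
CANONICAL = "conventional-changelog/commitlint"  # repo name quoted in the review
ORG = "conventional-changelog"                   # owner checked by the merged guard


def eq(a, b):
    # GitHub Actions expressions ignore case when comparing strings.
    return str(a).lower() == str(b).lower()


def pr_filter(ctx):
    # Existing clause: skip pull_request runs whose head repo is the repo itself.
    return (ctx["event_name"] != "pull_request"
            or not eq(ctx.get("pr_head_repo"), ctx["repository"]))


def owner_guard(ctx):
    # Condition as merged: scheduled runs allowed for any repo owned by the org.
    owner = ctx["repository"].split("/")[0]
    return pr_filter(ctx) and (ctx["event_name"] != "schedule" or eq(owner, ORG))


def repo_guard(ctx):
    # Variant from the review: scheduled runs allowed only in the canonical repo.
    return pr_filter(ctx) and (ctx["event_name"] != "schedule"
                               or eq(ctx["repository"], CANONICAL))


# Constructed contexts (hypothetical repositories, not taken from the page).
SCENARIOS = {
    "schedule_canonical": {"event_name": "schedule", "repository": CANONICAL},
    "schedule_fork": {"event_name": "schedule", "repository": "contributor/commitlint"},
    "schedule_org_other": {"event_name": "schedule", "repository": ORG + "/commitlint-mirror"},
    "push_fork": {"event_name": "push", "repository": "contributor/commitlint"},
    "pr_from_fork": {"event_name": "pull_request", "repository": CANONICAL,
                     "pr_head_repo": "contributor/commitlint"},
    "pr_same_repo": {"event_name": "pull_request", "repository": CANONICAL,
                     "pr_head_repo": CANONICAL},
}


def compare():
    # Map each scenario to (runs under owner guard, runs under repo guard).
    return {name: (owner_guard(c), repo_guard(c)) for name, c in SCENARIOS.items()}


def disagreements():
    # Scenarios where the two guards reach different decisions.
    return [name for name, (o, r) in compare().items() if o != r]


if __name__ == "__main__":
    for name, (o, r) in compare().items():
        print(f"{name:20} owner_guard={o!s:5} repo_guard={r!s:5}")
    print("guards differ on:", disagreements())
```

Both guards skip scheduled jobs on a contributor's fork; they differ only for a second repository inside the same organization that carries the workflow.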