ci: do not skip detect-changes on pull requests

[pkuczynski]

No description provided.

[qodo-free-for-open-source-projects]

Review Summary by Qodo

Enable detect-changes job to run on all pull requests

✨ Enhancement

Walkthroughs

Description

• Remove conditional skip of detect-changes job on pull requests
• Allow detect-changes to run for all pull request events
• Simplify workflow condition logic by removing fork check

Diagram

flowchart LR
  A["GitHub Workflow Event"] --> B["detect-changes Job"]
  C["Previous: Skip on PR unless fork"] -.->|removed| B
  D["New: Always run on PR"] -->|enabled| B

Loading

File Changes

1. .github/workflows/tests.yml ⚙️ Configuration changes +0/-1

Remove pull request skip condition from detect-changes

• Removed conditional if statement that skipped detect-changes job on pull requests
• Job now runs for all pull request events without fork repository check
• Simplifies workflow logic by removing the fork condition filter

.github/workflows/tests.yml

---

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[qodo-free-for-open-source-projects]

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)

1. detect-changes failure masked 🐞 Bug ✓ Correctness

Description

If detect-changes fails, all jobs that needs: detect-changes will be skipped, but the final
all-passed job can still exit 0 because it does not include detect-changes in its needs list.
Now that detect-changes runs on same-repo PRs too, this can produce false-green PR checks even
when change detection is broken.

Code

.github/workflows/tests.yml[R13-16]

  detect-changes:
    runs-on: ubuntu-latest
-    if: ${{ (github.event_name != 'pull_request') || (github.event.pull_request.head.repo.fork) }}
    outputs:
      changes: ${{ steps.detect-changes.outputs.changes }}

Evidence

all-passed aggregates only the results of jobs in its needs: array; detect-changes is not
included. Meanwhile, essentially all meaningful jobs depend on detect-changes, so a failure there
prevents the rest of the workflow from running and can be silently treated as success by
all-passed.

.github/workflows/tests.yml[13-17]
.github/workflows/tests.yml[56-59]
.github/workflows/tests.yml[152-164]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`all-passed` can report success even if `detect-changes` fails, because `detect-changes` is not part of `all-passed.needs`.

### Issue Context
Most jobs depend on `detect-changes`; when it fails, they will skip. `all-passed` only checks failures among its `needs` jobs, so it may not detect the root failure.

### Fix Focus Areas
- .github/workflows/tests.yml[152-164]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. Missing explicit workflow permissions 🐞 Bug ⛨ Security

Description

With detect-changes no longer skipped on same-repo PRs, this workflow will now run for internal
pull requests too, but it does not set any explicit permissions:. That makes the workflow’s token
capabilities depend on repo/org defaults and increases the blast radius if defaults are broader than
needed.

Code

.github/workflows/tests.yml[R13-16]

  detect-changes:
    runs-on: ubuntu-latest
-    if: ${{ (github.event_name != 'pull_request') || (github.event.pull_request.head.repo.fork) }}
    outputs:
      changes: ${{ steps.detect-changes.outputs.changes }}

Evidence

tests.yml runs on pull_request and has no explicit permissions: block, while other workflows
in this repo do explicitly scope permissions (suggesting least-privilege is an established practice
here). As this workflow executes third-party actions and project scripts on PRs, explicitly scoping
GITHUB_TOKEN permissions reduces accidental privilege exposure and makes behavior consistent
across settings.

.github/workflows/tests.yml[1-7]
.github/workflows/tests.yml[13-22]
.github/workflows/pull-request.yml[14-20]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The workflow runs on `pull_request` but does not explicitly scope `GITHUB_TOKEN` permissions.

### Issue Context
Other workflows in the repo explicitly set `permissions:`, indicating a least-privilege approach. With this workflow now running on same-repo PRs as well, relying on repo/org defaults is riskier and less predictable.

### Fix Focus Areas
- .github/workflows/tests.yml[1-25]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[coveralls]

coverage: 80.291%. remained the same
when pulling e0e3e39 on pkuczynski-patch-1
into b3a27e5 on master.

[alumni]

I think we could to fix a few more things while we are at it:

• nightly publish pipeline runs on forks
• docs publishing runs on forks

Not sure about coverage, for me it works and I am using it, I don't remember if I set it up or it just worked, I've had it for many years.

[alumni]

@pkuczynski @G0maa I think this was our only check that was preventing running the workflows twice in this repo (if the contributor is pushing to this repo, not to their fork).

We could also just block push access for contributors 🤷🏻

Later edit: I see that now the tests are no longer running in forks (unless it's the master branch) - maybe the condition should've been slightly adjusted instead of removed. We want to run the actions in forks in any branch (so PR authors can test their changes without spamming us or running too many actions in our repo) + we want to run in PRs and in our master/version branches.