ci: require detect-changes success in final checks aggregation

The checks job used if:always() plus shell-level result inspection of
doc and the three test jobs, treating skipped as non-fatal to preserve
intentional [doc-only] skips. detect-changes is a needs prerequisite
of every test job but was absent from checks.needs, so a failure in
the gating step silently cascaded into test-job skips and a green
final status.

Add detect-changes to checks.needs and require its result to be
success. The legitimate doc-only skip path is unaffected because that
leaves detect-changes itself successful.

Author: cpcloud

.github/workflows/ci.yml

@@ -379,6 +379,7 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - should-skip
+      - detect-changes
       - test-linux-64
       - test-linux-aarch64
       - test-windows
@@ -405,7 +406,16 @@ jobs:
           #
           # Note: When [doc-only] is in PR title, test jobs are intentionally
           # skipped and should not cause failure.
+          #
+          # detect-changes gates whether heavy test matrices run at all; if it
+          # does not succeed, downstream test jobs are skipped rather than
+          # failed, which would otherwise go unnoticed here. Require its
+          # success explicitly so a broken gating step cannot masquerade as a
+          # green CI run.
           doc_only=${{ needs.should-skip.outputs.doc-only }}
+          if ${{ needs.detect-changes.result != 'success' }}; then
+            exit 1
+          fi
           if ${{ needs.doc.result == 'cancelled' || needs.doc.result == 'failure' }}; then
             exit 1
           fi