ci: move permissions from job to workflow level

[shimomo]

ワークフロー全体にパーミッション設定を移動しました。

Summary by CodeRabbit

• チョア
  • CIワークフローの権限定義をワークフロー全体のトップレベルに移動し、一貫性と可読性を向上。
  • 各ジョブ内の重複する権限定義を削除して設定管理を簡素化。
  • アプリの機能や動作への影響はありません。

[coderabbitai]

Walkthrough

2つのGitHub Actionsワークフロー（.github/workflows/keepalive.yml と .github/workflows/test.yml）で、ジョブ単位の permissions 宣言を削除し、同等または部分的に異なる権限をワークフロー最上位の permissions に移動。処理内容やステップは変更なし。

Changes

Cohort / File(s)	Change Summary
Workflow permissions moved — keepalive .github/workflows/keepalive.yml	ジョブ内の permissions: actions: write を削除し、同内容の permissions: actions: write をワークフローのトップレベルに追加。ワークフローのステップやロジックは不変。
Workflow permissions moved/modified — test .github/workflows/test.yml	ジョブ内の permissions: contents: read と id-token: write を削除し、トップレベルに permissions: contents: read を追加。id-token: write はトップレベルに移設されていない（削除）。ステップやロジックは不変。

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

ぴょんと飛んでYAMLなお庭で、
権限を上へぽんと運んだよ。
ステップはそのまま、変わらぬ踊り、
にんじん片手にチェックするぼく、
今日もCIは静かに回るよ 🥕

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 217705c and fda0b39.

📒 Files selected for processing (1)

• .github/workflows/test.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/test.yml

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch refactor/move-permissions

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

.github/workflows/test.yml (1)

12-14: 最小権限へ調整: id-token: write は現状不要そうです

このワークフロー内でOIDC（例: aws-actions/configure-aws-credentials 等）は未使用のため、id-token: write をworkflow全体に付与する必要はなさそうです。将来OIDCが必要になった場合は、そのジョブにのみJob単位で付与してください。workflowトップで権限を広げると、将来追加される全ジョブに波及します。

提案diff:

 permissions:
   contents: read
-  id-token: write

.github/workflows/keepalive.yml (1)

12-14: 妥当: gh workflow enable 用の actions: write 付与。ただし意図コメントの追記を推奨

gh workflow enable には actions: write が必要なため設定は妥当です。将来の保守性向上のため、意図をコメントで明示しておくと安心です（他ジョブ追加時は、不要ならジョブ側でより厳しく上書きしてください）。

 permissions:
+  # gh workflow enable コマンドに必要
   actions: write

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 9524c34 and 217705c.

📒 Files selected for processing (2)

• .github/workflows/keepalive.yml (1 hunks)
• .github/workflows/test.yml (1 hunks)