fix(core): pass --ref to gh workflow run in tagger dispatch

packages/core/src/tagger-workflow.ts

@@ -127,8 +127,11 @@ export function buildTaggerWorkflow(input: BuildTaggerWorkflowInput): string {
     `          # Label-add via GITHUB_TOKEN does not fire \`issues.labeled\`,`,
     `          # so the first stage's workflow will not auto-trigger from`,
     `          # the label alone. Dispatch it explicitly via workflow_dispatch.`,
+    `          # Pass --ref so gh doesn't query the default branch via`,
+    `          # GraphQL (would require contents:read, which this job omits).`,
     `          gh workflow run "${firstStageFilename}" \\`,
     `            --repo "\${{ github.repository }}" \\`,
+    `            --ref "\${{ github.event.repository.default_branch }}" \\`,
     `            --field issue_number="\${{ github.event.issue.number }}"`,
     ``,
   ].join('\n');

packages/core/tests/tagger-workflow.test.ts

@@ -33,6 +33,20 @@ describe('buildTaggerWorkflow', () => {
     expect(yaml).toContain('actions: write');
   });
 
+  it('passes --ref to the dispatch so gh does not need contents:read', () => {
+    // Live observation from flowhunt-amicited install: without --ref, gh
+    // CLI tries to resolve the default branch via GraphQL
+    // (repository.defaultBranchRef), which fails with "Resource not
+    // accessible by integration" because the tagger job only requests
+    // issues:write + actions:write. Sourcing the branch from the event
+    // payload keeps the token scope minimal.
+    const yaml = buildTaggerWorkflow({
+      firstStage: firstStage(),
+      filter: { kind: 'none' },
+    });
+    expect(yaml).toContain('--ref "${{ github.event.repository.default_branch }}"');
+  });
+
   it('computes the dispatch target filename from the stage id (not the runner workflowPath)', () => {
     // Sanity: the tagger uses the convention `harnext-<id>.yml`,
     // which is also what the setup wizard writes to. This keeps the