
ci: declare least-privilege workflow-level contents: read #23653

Merged: apupier merged 1 commit into apache:main from arpitjain099:chore/declare-workflow-perms on Jun 1, 2026

Conversation

@arpitjain099 (Contributor):

Hardens 3 workflow(s) in this repo by declaring a workflow-level permissions: contents: read. Today those workflows inherit the legacy broad read-write GITHUB_TOKEN; the read-only default reduces blast radius if any step is compromised.

I checked each file - they read the checkout and run tests/lints; no GitHub API writes (no gh pr/issue, no git push, no release/publish/comment actions). So behavior is unchanged.

Reference: the tj-actions/changed-files compromise (CVE-2025-30066) is the canonical reason to apply least-privilege defaults.

@davsclaus (Contributor) left a comment:


Thanks for the security hardening effort — least-privilege workflow tokens are a great practice, especially after the tj-actions incident.

However, two of the three workflows perform write operations that will break with only contents: read, because all unspecified permissions default to none when any permissions: key is declared.

pr-commenter.yml calls github.rest.issues.createComment() (line 87) to post a welcome comment, and downloads artifacts via the Actions API. It needs pull-requests: write and actions: read.

pr-labeler.yml uses actions/labeler (line 67) to add labels to PRs, and also downloads artifacts. It needs pull-requests: write and actions: read.

pr-id.yml is fine with just contents: read — it only checks out code and uploads an artifact.

For pr-commenter.yml and pr-labeler.yml, the permissions block should be:

permissions:
  contents: read
  pull-requests: write
  actions: read

This review covers project conventions and correctness. It does not replace specialized review tools such as CodeRabbit, Sourcery, or SonarCloud.

This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.
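The rule the review relies on (once any permissions: key is declared, every scope it does not list drops to none, so the declaration must cover what the steps actually do) can be checked mechanically. The following line-based auditor is an added example written for this page, not code from the PR or from Camel's CI; the marker-to-scope table is taken from the review above and is illustrative rather than exhaustive, the read-all/write-all shorthands are not handled, and the sample workflow is constructed to resemble pr-commenter.

```python
import re
# Marker -> scope mapping taken from the review above (illustrative, not exhaustive).
SCOPE_MARKERS = [
    (re.compile(r"github\.rest\.issues\.createComment"), "pull-requests", "write"),
    (re.compile(r"uses:\s*actions/labeler"), "pull-requests", "write"),
    (re.compile(r"github\.rest\.actions\."), "actions", "read"),
]
LEVELS = {"none": 0, "read": 1, "write": 2}
def workflow_permissions(text):
    """Top-level permissions block as {scope: level}; None if undeclared. Job-level blocks are ignored."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not re.match(r"^permissions:\s*$", line): continue
        block = {}
        for nxt in lines[i + 1:]:
            m = re.match(r"^\s+([\w-]+):\s*(read|write|none)\s*$", nxt)
            if not m: break
            block[m.group(1)] = m.group(2)
        return block
    return None

def required_scopes(text):
    """Scopes the steps imply; contents: read is always assumed for the checkout."""
    need = {"contents": "read"}
    for line in text.splitlines():
        for pat, scope, level in SCOPE_MARKERS:
            if pat.search(line) and LEVELS[level] > LEVELS[need.get(scope, "none")]:
                need[scope] = level
    return need

def audit(text):
    """('inherits-default'|'ok'|'missing', scopes left short); once declared, unlisted scopes are none."""
    declared, need = workflow_permissions(text), required_scopes(text)
    if declared is None:
        return "inherits-default", need
    gaps = {s: l for s, l in need.items() if LEVELS[declared.get(s, "none")] < LEVELS[l]}
    return ("ok" if not gaps else "missing"), gaps
# Constructed sample modelled on the pr-commenter workflow discussed in this PR.
BODY = """\
jobs:
  comment:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/github-script@v7
        with:
          script: |
            const arts = await github.rest.actions.listWorkflowRunArtifacts(ctx);
            await github.rest.issues.createComment(body);
"""
FIXED = "permissions:\n  contents: read\n  pull-requests: write\n  actions: read\n" + BODY
```

Running audit over BODY reports the legacy inherited token, over a contents: read only variant reports the two missing scopes, and over FIXED reports ok.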

These three workflows currently inherit the default read-write GITHUB_TOKEN.
Declare explicit workflow-level permissions instead.

pr-id only checks out the repo and uploads an artifact, so contents: read is
enough. pr-commenter and pr-labeler both download the PR id artifact through
the Actions API (actions: read); pr-commenter then posts a welcome comment via
github.rest.issues.createComment and pr-labeler runs actions/labeler, both of
which write to the PR (pull-requests: write). Scopes were matched to what each
workflow actually does, per review feedback.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 force-pushed the chore/declare-workflow-perms branch from 9e5fe87 to 1deb423 Compare May 31, 2026 13:30
@davsclaus (Contributor) left a comment:


The requested changes have been correctly applied — all three workflows now declare the right permissions:

  • pr-id.yml: contents: read (checkout + upload artifact only)
  • pr-commenter.yml: contents: read + pull-requests: write + actions: read (artifact download + PR comment)
  • pr-labeler.yml: contents: read + pull-requests: write + actions: read (artifact download + PR labeling)

Thanks for addressing the feedback promptly.

This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.

@github-actions (Contributor):

🌟 Thank you for your contribution to the Apache Camel project! 🌟
🤖 CI automation will test this PR automatically.

🐫 Apache Camel Committers, please review the following items:

  • First-time contributors require MANUAL approval for the GitHub Actions to run
  • You can use the command /component-test (camel-)component-name1 (camel-)component-name2.. to request a test from the test bot although they are normally detected and executed by CI.
  • You can label PRs using skip-tests and test-dependents to fine-tune the checks executed by this PR.
  • Build and test logs are available in the summary page. Only Apache Camel committers have access to the summary.

⚠️ Be careful when sharing logs. Review their contents before sharing them publicly.

@apupier apupier merged commit 7e5f828 into apache:main Jun 1, 2026
3 checks passed
