
fix(ci): propagate reusable workflow permissions at caller scope #30

Merged
Mehdi-Bl merged 1 commit into main from fix/manual-review-permission-propagation
Feb 15, 2026

Conversation

@Mehdi-Bl (Contributor) commented Feb 15, 2026

Summary

  • set required token permissions at workflow scope for reusable manual review wrappers
  • add targeted zizmor inline suppressions for caller-level excessive-permissions
  • remove redundant job-level permission blocks

Why

Manual dispatch runs were failing at startup before jobs executed, indicating permission propagation issues for reusable workflows.

Validation

  • CI gates on this PR
  • manual dispatch of both review workflows after merge

Summary by Sourcery

CI:

  • Set pull-requests, issues, and id-token permissions at workflow scope for manual Claude and Opencode review workflows and add inline zizmor suppressions for their required elevated permissions.
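A worked caller/called pair, added here as an example and not the repository's own workflow files: the caller mirrors the layout this PR merges (workflow-scope grant, zizmor inline suppressions, no job-level `permissions:` block on the calling job), and the called workflow shows why the caller must hold every scope the called job declares. The file names, the `pr_number` input, the `azure/login` step, the `gh` comment step and the secret names are assumptions.

```yaml
# --- Caller: .github/workflows/claude-review-manual.yml (assumed name) ---
name: claude-review-manual

on:
  workflow_dispatch:
    inputs:
      pr_number:
        description: Pull request number to review
        required: true
        type: number

# Workflow-scope grant, as merged in this PR: every job in this file,
# including the one that calls the reusable workflow, receives these scopes.
permissions:
  contents: read
  pull-requests: write # zizmor: ignore[excessive-permissions] required for reusable review workflow
  issues: write # zizmor: ignore[excessive-permissions] required for reusable review workflow
  id-token: write # zizmor: ignore[excessive-permissions] required for Azure OIDC login

jobs:
  claude-review:
    # No job-level `permissions:` block: the job inherits the workflow-scope
    # grant above, and that grant is what the called workflow receives.
    uses: ./.github/workflows/claude-review.yml
    with:
      pr_number: ${{ inputs.pr_number }}
    secrets:
      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

---
# --- Called: .github/workflows/claude-review.yml (assumed name) ---
name: claude-review

on:
  workflow_call:
    inputs:
      pr_number:
        required: true
        type: number
    secrets:
      AZURE_CLIENT_ID:
        required: true
      AZURE_TENANT_ID:
        required: true
      AZURE_SUBSCRIPTION_ID:
        required: true

jobs:
  review:
    runs-on: ubuntu-latest
    # A called workflow can only narrow the caller's grant, never widen it.
    # Each scope listed here must already be held by the calling job; a scope
    # the caller does not grant is rejected when the run is scheduled, before
    # any step executes, which is one source of startup failures like the
    # ones this PR describes.
    permissions:
      contents: read
      pull-requests: write
      issues: write
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false # do not leave the token in .git/config
      - name: Azure OIDC login (assumed action and inputs)
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Post the review comment (placeholder for the actual review step)
        env:
          # pass untrusted values through env, not into the script template
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ inputs.pr_number }}
        run: gh pr comment "$PR_NUMBER" --body "review run completed"
```

Run `zizmor` over the caller locally before dispatching: without the three inline `# zizmor: ignore[excessive-permissions]` comments it reports the workflow-scope write grants, which is the check the suppressions exist to silence for exactly these scopes and nothing else.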

@gemini-code-assist

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@sourcery-ai bot commented Feb 15, 2026

Reviewer's Guide

Sets required GitHub token permissions at the workflow (caller) level for the manual review reusable workflows, adds targeted zizmor suppressions to justify these elevated permissions, and removes now-redundant job-level permission blocks so that permissions propagate correctly to the reusable workflows.

Sequence diagram for manual review workflow calling reusable workflow with propagated permissions

sequenceDiagram
  actor Dev as developer
  participant GH as github_actions
  participant Caller as caller_workflow_manual
  participant Reuse as reusable_review_workflow
  participant Azure as azure_oidc_target

  Dev->>GH: trigger workflow_dispatch
  GH->>Caller: start claude-review-manual or opencode-review-manual
  Caller->>Caller: apply workflow-level permissions
  Caller->>Reuse: call reusable workflow with inherited token
  Reuse->>GH: use token with contents read
  Reuse->>GH: use token with pull-requests write and issues write
  Reuse->>Azure: perform oidc login with id-token write
  Reuse-->>GH: complete review jobs
  GH-->>Dev: report workflow status

Flow diagram for GitHub Actions permission definition after CI fix

flowchart TD
  A[Manual dispatch of claude-review-manual or opencode-review-manual] --> B[Evaluate workflow-level permissions]
  B --> C{Permissions sufficient for reusable workflow?}
  C -- Yes --> D[Call reusable review workflow with inherited token]
  C -- No (previous behavior) --> E[Startup failure before jobs execute]
  D --> F[Reusable workflow performs PR and issue operations]
  D --> G[Reusable workflow performs Azure OIDC login]
  F --> H[Review jobs complete]
  G --> H
  H --> I[Workflow succeeds]

  subgraph After_Change
    B
    C
    D
    F
    G
    H
    I
  end

  subgraph Before_Change
    A
    E
  end

File-Level Changes

Change: Move token permissions from job scope to workflow (caller) scope for the manual Claude review workflow and document why elevated permissions are required.
Details:
  • Define permissions.contents=read, permissions.pull-requests=write, permissions.issues=write, and permissions.id-token=write at the top-level workflow permissions block
  • Annotate pull-requests and issues permissions with zizmor inline suppressions for excessive-permissions, referencing their requirement for the reusable review workflow
  • Annotate id-token permission with a zizmor inline suppression explaining it is needed for Azure OIDC login
  • Remove the claude-review job-level permissions block so it inherits from the workflow-level settings
Files: .github/workflows/claude-review-manual.yml

Change: Align the manual OpenCode review workflow with the new caller-scope permissions pattern and clean up redundant job-level permissions.
Details:
  • Define permissions.contents=read, permissions.pull-requests=write, permissions.issues=write, and permissions.id-token=write at the top-level workflow permissions block
  • Annotate pull-requests and issues permissions with zizmor inline suppressions for excessive-permissions, referencing their requirement for the reusable review workflow
  • Annotate id-token permission with a zizmor inline suppression explaining it is needed for Azure OIDC login
  • Remove the opencode-review job-level permissions block so it inherits from the workflow-level settings
Files: .github/workflows/opencode-review-manual.yml


@qodo-free-for-open-source-projects

Review Summary by Qodo

Fix permission propagation for reusable review workflows

🐞 Bug fix


Walkthroughs

Description
• Move permissions from job-level to workflow-level scope
• Add zizmor inline suppressions for excessive-permissions warnings
• Fix permission propagation for reusable manual review workflows
Diagram
flowchart LR
  A["Job-level permissions"] -->|Move to| B["Workflow-level permissions"]
  B -->|Add suppressions| C["zizmor ignore annotations"]
  C -->|Enable| D["Reusable workflow access"]


File Changes

1. .github/workflows/claude-review-manual.yml 🐞 Bug fix +3/-5

Move permissions to workflow scope with suppressions

• Moved pull-requests: write, issues: write, and id-token: write permissions from job-level to workflow-level scope
• Added zizmor: ignore[excessive-permissions] inline comments for each permission
• Removed redundant job-level permissions block

2. .github/workflows/opencode-review-manual.yml 🐞 Bug fix +3/-5

Move permissions to workflow scope with suppressions

• Moved pull-requests: write, issues: write, and id-token: write permissions from job-level to workflow-level scope
• Added zizmor: ignore[excessive-permissions] inline comments for each permission
• Removed redundant job-level permissions block


@sourcery-ai bot left a comment

Hey - I've left some high level feedback:

  • Since both workflows now require the same elevated permissions, consider adding a brief shared comment (or central configuration for zizmor) explaining why these scopes are needed instead of repeating inline suppressions on each permission field.
  • If id-token: write is only needed for Azure OIDC within specific reusable workflow steps, consider whether it can be scoped more narrowly (e.g., only for those workflows or jobs) to reduce the default token surface.

@qodo-free-for-open-source-projects

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)



Remediation recommended

1. Workflow-wide elevated perms 🐞 Bug ⛨ Security
Description
These manual workflows now grant pull-requests: write, issues: write, and id-token: write at
workflow scope, so any future jobs added to the workflow will inherit these elevated permissions by
default. This is a wider blast radius than the repo’s existing pattern of scoping elevated
permissions at the job level.
Code

.github/workflows/claude-review-manual.yml[R16-20]

permissions:
  contents: read
+  pull-requests: write # zizmor: ignore[excessive-permissions] required for reusable review workflow
+  issues: write # zizmor: ignore[excessive-permissions] required for reusable review workflow
+  id-token: write # zizmor: ignore[excessive-permissions] required for Azure OIDC login
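Review bot: the three `+` lines attach `pull-requests: write`, `issues: write` and `id-token: write` to the workflow-level `permissions` block, so every job this file contains now or later holds them, not only the job that `uses:` the reusable review workflow; the repo's own `sonarcloud.yml` (cited under Evidence) shows the narrower shape, `permissions: {}` at workflow scope with the grant on the one job that needs it, and since a called workflow can only narrow what its calling job holds, placing the same three lines under the calling job propagates them just as well. `id-token: write` is the scope to keep tightest: any job holding it can mint an OIDC token for this workflow's subject, and whatever Azure federated credential trusts that subject will accept it. The suppression comments would also be more useful if they named the called workflow file instead of "reusable review workflow", so a reader can check each scope against the job that actually consumes it.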
Evidence
claude-review-manual.yml and opencode-review-manual.yml set elevated permissions at workflow
scope. In contrast, sonarcloud.yml sets permissions: {} at the workflow scope and applies
elevated permissions only within the specific job that needs them, limiting the impact to that job.

.github/workflows/claude-review-manual.yml[16-24]
.github/workflows/opencode-review-manual.yml[31-39]
.github/workflows/sonarcloud.yml[9-19]




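The job-scoped layout that Qodo's review above points to, written out as an added example rather than the repository's files: deny-by-default at workflow scope, the full grant on the job that performs the `uses:` call, and a second job that shows what a later addition inherits under this shape. Per the GitHub Actions reusable-workflow documentation a `permissions` block on the calling job is passed to the called workflow the same way a workflow-scope block is, and the called workflow may only narrow it. File names, the `pr_number` input, the secret names and the `pipx run zizmor` invocation are assumptions.

```yaml
# .github/workflows/claude-review-manual.yml, job-scoped variant (assumed name)
name: claude-review-manual

on:
  workflow_dispatch:
    inputs:
      pr_number:
        description: Pull request number to review
        required: true
        type: number

# Deny by default: a job added to this file later holds no token scopes
# unless it declares its own `permissions:` block, and that declaration is
# visible in the diff that adds the job.
permissions: {}

jobs:
  claude-review:
    # The grant lives on the job that performs the call, so only this job
    # (and the workflow it calls, which can only narrow the grant) can write
    # to pull requests or issues or request an OIDC token.
    permissions:
      contents: read
      pull-requests: write # zizmor: ignore[excessive-permissions] needed by ./.github/workflows/claude-review.yml
      issues: write # zizmor: ignore[excessive-permissions] needed by ./.github/workflows/claude-review.yml
      id-token: write # zizmor: ignore[excessive-permissions] Azure OIDC login in the called workflow
    uses: ./.github/workflows/claude-review.yml
    with:
      pr_number: ${{ inputs.pr_number }}
    secrets:
      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

  # A job added later under this layout starts with no scopes at all and has
  # to opt in to the single scope it needs; it never sees id-token or the
  # write scopes above.
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Audit the workflows (assumes zizmor is installable via pipx)
        run: pipx run zizmor .github/workflows/
```

Which of the two layouts a given repository accepts at dispatch time is exactly what the post-merge manual dispatch listed under Validation exercises; the job-scoped form is the one to try first, because it leaves the default token for every other job at zero scopes.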
Mehdi-Bl merged commit 19d34ab into main Feb 15, 2026
9 checks passed
Mehdi-Bl deleted the fix/manual-review-permission-propagation branch February 15, 2026 01:27