
Update actions permissions #400 (Open)

strawgate wants to merge 1 commit into main from update-workflows-actions-read

Conversation

@strawgate (Collaborator) commented Feb 24, 2026

Summary

  • Adds explicit actions: read permissions to trigger workflows and gh-agent-workflows/*/example.yml templates.
  • Tightens PR Review workflow auth by validating COPILOT_GITHUB_TOKEN and using that secret for Copilot runs.
  • Removes copilot-requests feature usage and drops redundant S2STOKENS environment variables.
  • Extends secret redaction and run metadata to include COPILOT_GITHUB_TOKEN verification results.

Why this change

These updates make workflow permissions and authentication paths explicit and consistent, reducing implicit token behavior and improving security posture for automation runs.

Scope notes

  • The .github/workflows/gh-aw-pr-review.lock.yml updates are generated lockfile changes that reflect the source updates in .github/workflows/gh-aw-pr-review.md and related workflow config.

Generated by Update PR Body for issue #400
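The validation and redaction the summary describes, as an added example that is not code from this PR or from the gh-aw project's generated lockfile: a POSIX step script that refuses to proceed when COPILOT_GITHUB_TOKEN is empty, asks the runner to mask the value, records a secret_verification_result step output, and scrubs the value from log lines before they are printed. The env wiring shown in the header comment and the ok/missing output values are my assumptions; the page only states that the lockfile validates the secret and redacts it.

```shell
#!/bin/sh
# Added example, not code from this PR or from gh-aw: the two checks the
# description lists, written as a step script a workflow could run.
#  1. verify_secret: fail fast when a required secret is empty, so the job
#     never silently proceeds with an implicit or missing token.
#  2. redact: scrub a secret value out of a log line before printing it.
# Assumes the secret is handed to the step through the environment, e.g.
#   env: { COPILOT_GITHUB_TOKEN: "${{ secrets.COPILOT_GITHUB_TOKEN }}" }
set -u

# verify_secret NAME VALUE
# Prints "ok" or "missing" and returns 0 or 1. Kept free of runner side
# effects on purpose so it can be exercised outside Actions.
verify_secret() {
  vs_name="$1"; vs_value="$2"
  if [ -z "$vs_value" ]; then
    echo "$vs_name is not set; refusing to fall back to an implicit token" >&2
    echo "missing"
    return 1
  fi
  echo "ok"
  return 0
}

# publish_result STATUS VALUE
# Inside GitHub Actions only: mask the value in later log output and record
# the result as a step output. The output name follows the walkthrough's
# secret_verification_result; the ok/missing value is an assumption of this
# example, not necessarily what the generated lockfile emits.
publish_result() {
  pr_status="$1"; pr_value="$2"
  if [ -n "${GITHUB_ACTIONS:-}" ]; then
    if [ -n "$pr_value" ]; then
      echo "::add-mask::${pr_value}"
    fi
    if [ -n "${GITHUB_OUTPUT:-}" ]; then
      echo "secret_verification_result=${pr_status}" >> "$GITHUB_OUTPUT"
    fi
  fi
}

# redact SECRET LINE
# Replaces every occurrence of SECRET in LINE with ***. The secret is quoted
# inside the patterns so glob characters such as * or ? in it are matched
# literally rather than expanded.
redact() {
  rd_secret="$1"; rd_line="$2"; rd_out=""
  if [ -z "$rd_secret" ]; then
    printf '%s\n' "$rd_line"
    return 0
  fi
  while :; do
    case "$rd_line" in
      *"$rd_secret"*)
        rd_out="${rd_out}${rd_line%%"$rd_secret"*}***"
        rd_line="${rd_line#*"$rd_secret"}"
        ;;
      *) break ;;
    esac
  done
  printf '%s\n' "${rd_out}${rd_line}"
}

# Stand-alone demo with a constructed placeholder, not a real credential.
# In a workflow step, replace the literal with "${COPILOT_GITHUB_TOKEN:-}".
demo_token='EXAMPLE-not-a-real-token'
demo_status=$(verify_secret COPILOT_GITHUB_TOKEN "$demo_token") || true
publish_result "$demo_status" "$demo_token"
echo "verification: $demo_status"                           # verification: ok
redact "$demo_token" "Authorization: Bearer $demo_token"    # Authorization: Bearer ***
demo_status=$(verify_secret COPILOT_GITHUB_TOKEN "" 2>/dev/null) || true
echo "verification: $demo_status"                           # verification: missing
```

Running the script in a step whose `env` maps the secret makes the job fail on the `missing` branch instead of continuing with whatever token the runner would otherwise supply; `::add-mask::` is the runner's own log-masking command, and the step output lets later steps branch on the verification result.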

@coderabbitai bot commented Feb 24, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1a47284 and a1d2ccb.

📒 Files selected for processing (28)
  • .github/workflows/gh-aw-pr-review.lock.yml
  • .github/workflows/gh-aw-pr-review.md
  • .github/workflows/trigger-bug-exterminator.yml
  • .github/workflows/trigger-bug-hunter.yml
  • .github/workflows/trigger-code-duplication-fixer.yml
  • .github/workflows/trigger-code-simplifier.yml
  • .github/workflows/trigger-downstream-health.yml
  • .github/workflows/trigger-newbie-contributor-fixer.yml
  • .github/workflows/trigger-pr-review.yml
  • .github/workflows/trigger-refactor-opportunist.yml
  • .github/workflows/trigger-small-problem-fixer.yml
  • .github/workflows/trigger-test-improver.yml
  • .github/workflows/trigger-text-beautifier.yml
  • gh-agent-workflows/bug-exterminator/example.yml
  • gh-agent-workflows/bug-hunter/example.yml
  • gh-agent-workflows/code-duplication-fixer/example.yml
  • gh-agent-workflows/code-simplifier/example.yml
  • gh-agent-workflows/downstream-health/example.yml
  • gh-agent-workflows/issue-fixer/example.yml
  • gh-agent-workflows/newbie-contributor-fixer/example.yml
  • gh-agent-workflows/pr-review/example.yml
  • gh-agent-workflows/refactor-opportunist/example.yml
  • gh-agent-workflows/release-update/example.yml
  • gh-agent-workflows/scheduled-audit/example.yml
  • gh-agent-workflows/scheduled-fix/example.yml
  • gh-agent-workflows/small-problem-fixer/example.yml
  • gh-agent-workflows/test-improver/example.yml
  • gh-agent-workflows/text-beautifier/example.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/gh-aw-pr-review.md

📝 Walkthrough

Walkthrough

Updates GitHub Actions workflows to add actions: read permission across multiple trigger and agent example files. Modifies the PR review lock workflow to migrate Copilot token handling from github.token to secrets.COPILOT_GITHUB_TOKEN with validation steps and secret redaction. Removes copilot-requests feature flag from PR review markdown configuration.

Changes

Cohort: Copilot Token Secret Handling
File(s): .github/workflows/gh-aw-pr-review.lock.yml
Summary: Migrated COPILOT_GITHUB_TOKEN usage from github.token to secrets.COPILOT_GITHUB_TOKEN, added validation step for token presence, removed S2STOKENS flag, updated secret redaction paths, and wired secret_verification_result outputs through agent steps.

Cohort: Feature Flag Removal
File(s): .github/workflows/gh-aw-pr-review.md
Summary: Removed features.copilot-requests: true configuration entry.

Cohort: Actions Permission Additions
File(s): .github/workflows/trigger-*.yml, gh-agent-workflows/*/example.yml
Summary: Added actions: read permission to 18 workflow files (bug-exterminator, bug-hunter, code-duplication-fixer, code-simplifier, downstream-health, issue-fixer, newbie-contributor-fixer, pr-review, refactor-opportunist, release-update, scheduled-audit, scheduled-fix, small-problem-fixer, test-improver, text-beautifier).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Possibly related PRs

Suggested reviewers

  • github-actions

Poem

🐰 Tokens now secured in secrets we keep,
With validation steps standing guard while we sleep,
Actions gain permission to read what they need,
Workflows aligned as the permissions recede,
Safer workflows hop forth with each line we feed! 🔐✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Update actions permissions' directly and specifically describes the main change—adding 'actions: read' permission across multiple workflow files.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
