[plan] Fix missing permissions declarations in example-permissions-warning and copilot-request workflows

[github-actions]

Objective

Fix the 3 permissions actionlint findings in workflows that are missing required write permissions, as reported in discussion #18283.

Context

Actionlint reported 3 permissions issues:

• 1 in example-permissions-warning.md
• 2 in copilot-request workflows

These workflows perform operations that require write permissions but don't declare them in their frontmatter, which can cause runtime failures.

• Tool: actionlint
• Count: 3
• Affected: example-permissions-warning.md (×1) + copilot-request workflows (×2)

Approach

1. Run actionlint locally to identify the exact missing permissions:

   actionlint .github/workflows/example-permissions-warning.lock.yml
   # Also check compiled lock files for copilot-request workflows
   actionlint .github/workflows/copilot-request*.lock.yml

2. For each affected .md workflow file, add the missing permissions to the frontmatter:

   ---
   permissions:
     issues: write      # example: if workflow creates/updates issues
     pull-requests: write  # example: if workflow interacts with PRs
   ---

3. Use the principle of least privilege — only add the specific permissions that are actually needed

4. Run make recompile to regenerate .lock.yml files

5. Run make agent-finish to validate

6. Re-run actionlint to confirm the permissions findings are resolved

Files to Modify

• .github/workflows/example-permissions-warning.md — add missing write permission
• Copilot-request workflow .md files — add missing write permissions

Acceptance Criteria

• All 3 actionlint permissions findings are resolved
• Permissions added follow least-privilege principle (only what's needed)
• make recompile succeeds
• make agent-finish passes
• actionlint reports 0 permissions findings for affected workflows

Generated by Plan Command for issue #discussion #18283

• expires on Feb 27, 2026, 6:53 AM UTC