Copilot AI commented Jan 28, 2026

✅ Issue Already Resolved: All 14 Workflows Have Explicit Permissions

Executive Summary

After comprehensive analysis of all 14 workflows mentioned in issue #12276, I have confirmed that all workflows already have explicit permissions blocks following the least-privilege principle. The issue appears to be already resolved.

Verification Results

Source Files (.md) - All ✅

All 14 workflow .md files contain explicit permissions: blocks with read-only permissions:

  • ✅ cloclo.md
  • ✅ q.md
  • ✅ plan.md
  • ✅ brave.md
  • ✅ mergefest.md
  • ✅ pdf-summary.md
  • ✅ grumpy-reviewer.md
  • ✅ pr-nitpick-reviewer.md
  • ✅ archie.md
  • ✅ security-review.md
  • ✅ scout.md
  • ✅ ai-moderator.md
  • ✅ tidy.md
  • ✅ unbloat-docs.md

Compiled Files (.lock.yml) - All ✅

All 14 compiled workflow .lock.yml files have permissions properly applied at the job level:

  • Permissions are set on the agent: job (not workflow level)
  • All use read-only permissions (contents: read, issues: read, etc.)
  • Security-review appropriately includes security-events: read
  • No workflows use default write permissions

Security Analysis

Permissions Pattern (Least-Privilege Compliant):

# In .md file (source)
permissions:
  contents: read
  issues: read
  pull-requests: read

# In .lock.yml file (compiled)
jobs:
  agent:
    permissions:
      contents: read
      issues: read
      pull-requests: read

Write Operations Handled Securely:

  • All write operations use safe-outputs (create-pull-request, add-comment, etc.)
  • Safe-outputs jobs run with minimal, scoped permissions
  • No workflows have contents: write or other write permissions at agent job level

Conclusion

No action required - this issue is already resolved. All 14 workflows:

  1. ✅ Have explicit permissions blocks in source files
  2. ✅ Follow least-privilege principle with read-only permissions
  3. ✅ Use safe-outputs for write operations
  4. ✅ Have permissions properly compiled into lock files
  5. ✅ Do not rely on default write permissions

The workflows are already compliant with GitHub Actions security best practices as outlined in the Security Hardening Guide.

Original prompt

This section describes the original issue you should resolve

<issue_title>[plan] Add explicit permissions to 14 workflows with risky trigger events</issue_title>
<issue_description>

Objective

Add explicit permissions: blocks to 14 workflows that use default (write) permissions with risky trigger events like workflow_dispatch or issue_comment.

Context

From discussion #12276, these workflows have medium-priority security issues violating the least-privilege principle. They run on risky triggers with default write permissions when they may only need read access.

Affected Workflows

  1. cloclo
  2. q
  3. plan
  4. brave
  5. mergefest
  6. pdf-summary
  7. grumpy-reviewer
  8. pr-nitpick-reviewer
  9. archie
  10. security-review
  11. scout
  12. ai-moderator
  13. tidy
  14. unbloat-docs

Solution Templates

For read-only agents (analysis, reports):

---
title: My Analyzer
permissions:
  contents: read
on:
  workflow_dispatch:
---

For comment-only agents (reviewers, moderators):

---
title: My Reviewer
permissions:
  contents: read
  issues: write
  pull-requests: write
on:
  workflow_dispatch:
  issue_comment:
---

For code-modifying agents (auto-fixers, updaters):

---
title: My Auto-fixer
permissions:
  contents: write
  pull-requests: write
on:
  workflow_dispatch:
---

Approach

  1. Review each workflow's purpose to determine required permissions
  2. Add minimal permissions to workflow frontmatter (.md files)
  3. Recompile workflows with make recompile
  4. Verify with poutine scan that warnings are resolved

Acceptance Criteria

  • All 14 workflows have explicit permissions: blocks
  • Permissions follow least-privilege principle
  • Workflows function correctly with restricted permissions
  • Run make agent-finish before committing

References

AI generated by Plan Command for discussion #12276

Comments on the Issue (you are @copilot in this section)
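The verification the comment above describes (job-level, read-only permissions on the agent job, with write scopes confined to a separate safe-outputs job) is easy to automate. The script below is an added example, not the repository's own tooling or its workflow compiler: a Python audit over already-parsed workflow YAML that flags every job with no explicit permissions block (which silently inherits the repository default, the situation the issue is about) and reports which jobs hold write scopes reachable through risky triggers such as issue_comment or workflow_dispatch. The two workflows it checks are constructed for this example, shaped after the before/after pattern in the comment; in a real run you would load each .lock.yml with PyYAML's yaml.safe_load() and pass the result to audit_workflow(), remembering that PyYAML reads the bare key on: as the boolean True.

```python
"""Audit GitHub Actions workflows for implicit or over-broad GITHUB_TOKEN permissions.

Added example, not the repository's own tooling. Workflows are embedded as
already-parsed dicts so the script runs offline; in practice load each
.lock.yml with yaml.safe_load() and pass the result to audit_workflow().
"""

# Triggers an outsider can fire (comment/issue author, dispatcher, upstream run),
# so any write scope on the token is reachable from untrusted input.
RISKY_TRIGGERS = {"issue_comment", "issues", "discussion_comment",
                  "pull_request_target", "workflow_dispatch", "workflow_run"}


def triggers(workflow):
    """Event names a workflow runs on. `on:` may be a string, list or map.
    PyYAML parses the bare key `on` as boolean True, hence the fallback."""
    on = workflow.get("on") or workflow.get(True) or {}
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())


def effective_permissions(workflow, job):
    """Job-level `permissions` overrides the workflow-level block. None means
    neither is set, so the job inherits the repository/organization default,
    which on many older repositories is still write for every scope."""
    if "permissions" in job:
        return job["permissions"]
    if "permissions" in workflow:
        return workflow["permissions"]
    return None


def write_scopes(perms):
    """Scopes granted 'write' by a permissions value: a map, 'read-all',
    'write-all', or {} (which revokes every scope)."""
    if perms == "write-all":
        return ["*"]
    if isinstance(perms, dict):
        return sorted(scope for scope, level in perms.items() if level == "write")
    return []


def audit_workflow(label, workflow):
    """Return (severity, job, message) findings for one parsed workflow."""
    findings = []
    risky = sorted(triggers(workflow) & RISKY_TRIGGERS)
    for job_name, job in (workflow.get("jobs") or {}).items():
        perms = effective_permissions(workflow, job)
        if perms is None:
            msg = f"{label}: no explicit permissions; inherits repository default"
            if risky:
                msg += f" while reachable via {risky}"
            findings.append(("error", job_name, msg))
            continue
        writes = write_scopes(perms)
        if "*" in writes:
            findings.append(("error", job_name, f"{label}: permissions: write-all"))
        elif writes and risky:
            findings.append(("warn", job_name,
                             f"{label}: write scope(s) {writes} reachable via {risky}; "
                             "confirm this job only consumes validated agent output"))
    return findings


# Constructed "before": the shape the issue describes, an issue_comment-triggered
# agent job with no permissions block anywhere.
BEFORE = {
    "name": "grumpy-reviewer",
    "on": {"issue_comment": {"types": ["created"]}, "workflow_dispatch": None},
    "jobs": {"agent": {"runs-on": "ubuntu-latest", "steps": []}},
}

# Constructed "after": the compiled pattern the comment describes. The agent job
# is read-only; a separate safe-outputs job holds the one write scope it needs.
AFTER = {
    "name": "grumpy-reviewer",
    "on": {"issue_comment": {"types": ["created"]}, "workflow_dispatch": None},
    "jobs": {
        "agent": {"runs-on": "ubuntu-latest",
                  "permissions": {"contents": "read", "issues": "read",
                                  "pull-requests": "read"},
                  "steps": []},
        "add_comment": {"runs-on": "ubuntu-latest", "needs": "agent",
                        "permissions": {"issues": "write", "pull-requests": "write"},
                        "steps": []},
    },
}

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        for severity, job, message in audit_workflow(label, wf):
            print(f"[{severity}] job={job}: {message}")
```

The audit deliberately treats a missing block as an error rather than guessing the repository's default token setting, since the issue's premise is that the default is write. The warning on the safe-outputs job is informational: it is the job that is supposed to hold issues: write, and the audit's job is to make that the only place the scope appears.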



@github-actions

🔍 PR Triage Results

Category: feature | Risk: high | Priority: 47/100

Scores Breakdown

  • Impact: 35/50 - Security and permissions improvement with good impact
  • Urgency: 7/30 - Standard feature development timeline
  • Quality: 5/20 - Draft PR with detailed description

📋 Recommended Action: batch_review

This PR is part of batch-feature-high (6 PRs) - high-risk feature additions requiring careful review. Security-related changes need thorough validation.

Note: This is a DRAFT PR - the description indicates the issue may already be resolved. Verify with author before proceeding.

Batch PRs: #12322, #12321, #12320, #12311, #12130, #12085

Batch Strategy:

  • Review in priority order (highest score first)
  • Verify security implications
  • Check for overlapping workflow changes
  • Validate permissions are least-privilege

Triaged by PR Triage Agent on 2026-01-28T18:16:26Z

AI generated by PR Triage Agent
