
Fix excessive issues:write permission in speckit-dispatcher workflow#6361

Merged
pelikhan merged 3 commits into main from copilot/fix-excessive-issues-permissions on Dec 13, 2025

Conversation

Contributor

Copilot AI commented Dec 13, 2025

Zizmor flagged issues: write at workflow level as excessive. The speckit-dispatcher workflow uses safe-outputs mechanism (create-issue, add-comment, link-sub-issue), which automatically generates separate jobs with write permissions. The main agent job only needs read access.

Changes

  • Changed issues: write → issues: read in workflow frontmatter

Result

# Agent job (runs AI)
permissions:
  contents: read
  issues: read        # Changed from write
  pull-requests: read

# Safe-output jobs (auto-generated, unchanged)
create_issue:
  permissions:
    contents: read
    issues: write     # Compiler adds this automatically

add_comment:
  permissions:
    contents: read
    issues: write     # Compiler adds this automatically

Zizmor scan now passes. Agent runs with minimal permissions; write operations handled by compiler-generated safe-output jobs.

Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Fix High severity excessive permissions in speckit-dispatcher.md</issue_title>
<issue_description>## Objective

Reduce excessive issues: write permission in the speckit-dispatcher workflow to minimize attack surface.

Context

Zizmor flagged speckit-dispatcher.md (line 498) with High severity for granting overly broad issues: write permission at the workflow level. The workflow uses the safe-outputs mechanism for issue operations, which may not require direct write permissions.

Current State

permissions:
  contents: read
  issues: write      # ⚠️ Flagged as excessive
  pull-requests: read

Approach

  1. Analyze speckit-dispatcher.md to determine if direct issues: write is needed
  2. Check if workflow only uses safe-outputs.create-issue or safe-outputs.add-comment
  3. If only commenting: Change to issues: read and rely on safe-outputs mechanism
  4. If creating sub-issues: Document why issues: write is necessary and verify it's minimal

Files to Modify

  • .github/workflows/speckit-dispatcher.md (permissions section, around line 498)

Testing

  1. After changes, recompile: make recompile
  2. Run zizmor scan: gh aw compile speckit-dispatcher --zizmor
  3. Verify zizmor no longer flags the issue
  4. Test workflow manually to ensure issue operations still work

Acceptance Criteria

  • Permissions reduced to minimum required scope
  • Zizmor no longer reports High severity finding
  • Workflow functionality verified (can still create/comment on issues via safe-outputs)
  • Changes committed with security context in message

Related to [plan] Address static analysis security findings #6350

AI generated by Plan Command for discussion #6330

Comments on the Issue (you are @copilot in this section)
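The inheritance rule the PR comment relies on (a job with no `permissions` block of its own inherits the workflow-level grant; a job with one replaces it entirely) can be checked mechanically against a compiled workflow. This is an added example, not code from the gh-aw project or from zizmor; the workflow is constructed inline as a Python dict mirroring the snippets above, and the `agent` job name is assumed (the `create_issue` and `add_comment` job names are from the comment).

```python
"""Effective-permission check for a GitHub Actions workflow (added example).

The workflow is built as a plain dict, the shape a YAML loader would
produce from the compiled file, so this runs with the standard library only.
"""
import copy

WRITE = "write"

# Constructed to mirror the "before" state of speckit-dispatcher: only the
# agent job lacks a job-level block, so only it inherits the top-level grant.
BEFORE = {
    "permissions": {"contents": "read", "issues": "write", "pull-requests": "read"},
    "jobs": {
        "agent": {"runs-on": "ubuntu-latest"},            # assumed job name
        "create_issue": {"permissions": {"contents": "read", "issues": "write"}},
        "add_comment": {"permissions": {"contents": "read", "issues": "write"}},
    },
}


def effective_permissions(workflow: dict, job_name: str) -> dict:
    """GitHub semantics: a job-level `permissions` block replaces the
    workflow-level one wholesale (no per-scope merge); a job without
    one inherits the workflow-level block. If neither exists the
    repository default applies, which this check cannot see."""
    job = workflow["jobs"][job_name]
    if "permissions" in job:
        return dict(job["permissions"])
    return dict(workflow.get("permissions", {}))


def excessive_workflow_writes(workflow: dict) -> dict:
    """Return {scope: [jobs]} for every workflow-level `write` scope,
    naming the jobs that hold it only through inheritance. An empty
    list still flags the scope: nothing uses the top-level grant."""
    inheriting = [name for name, job in workflow["jobs"].items()
                  if "permissions" not in job]
    return {scope: list(inheriting)
            for scope, level in workflow.get("permissions", {}).items()
            if level == WRITE}


def downgrade_workflow_writes(workflow: dict, scopes) -> dict:
    """Copy of the workflow with the given top-level scopes set to read;
    job-level blocks on the safe-output jobs are left untouched."""
    fixed = copy.deepcopy(workflow)
    for scope in scopes:
        if fixed.get("permissions", {}).get(scope) == WRITE:
            fixed["permissions"][scope] = "read"
    return fixed
```

After the downgrade the agent job's effective `issues` scope is read while `create_issue` and `add_comment` keep their own write grants, which is exactly the post-fix state shown in the comment.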



Copilot AI and others added 2 commits December 13, 2025 17:16
…r workflow

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
…eckit-dispatcher

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix excessive permissions in speckit-dispatcher Fix excessive issues:write permission in speckit-dispatcher workflow Dec 13, 2025
Copilot AI requested a review from mnkiefer December 13, 2025 17:27
@pelikhan pelikhan marked this pull request as ready for review December 13, 2025 18:05
@pelikhan pelikhan merged commit 98a64a9 into main Dec 13, 2025
4 checks passed
@pelikhan pelikhan deleted the copilot/fix-excessive-issues-permissions branch December 13, 2025 18:05

Development

Successfully merging this pull request may close these issues.

[plan] Fix High severity excessive permissions in speckit-dispatcher.md
