
ci: add explicit permissions for integration-test job in CI workflow#608

Merged: keelerm84 merged 1 commit into v8 from devin/1774632107-fix-ci-permissions on Mar 27, 2026

Conversation

@keelerm84 (Member) commented Mar 27, 2026

Requirements

  • I have added test coverage for new or changed functionality
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions

No test changes needed — this is a CI workflow configuration change only.

Related issues

Describe the solution you've provided

The CI workflow (ci.yml) has been failing with startup_failure (zero jobs created) since ~March 25, after the org's default GITHUB_TOKEN permissions were tightened to read-only.

The integration-test job in ci.yml calls the reusable workflow integration-test.yml, which requires id-token: write (for AWS OIDC in the release-secrets action) and contents: read. Without explicit permissions on the caller job, GitHub cannot grant these elevated permissions and fails the entire workflow at startup.

This adds an explicit permissions block to the integration-test caller job, matching the pattern already merged in #604 for daily-integration-tests.yml.

Describe alternatives you've considered

A top-level permissions block on the entire workflow was considered, but job-level scoping follows the principle of least privilege and is consistent with the approach taken in #603 and #604.

Additional context

All CI runs on v8 since March 25 have been startup_failure: the workflow couldn't even create jobs. The other caller jobs (go-versions, go-matrix, security-scan) don't request elevated permissions, so they should work with the default read-only token once this fix unblocks the workflow.

Human review checklist

  • Confirm the startup_failure is specifically caused by the missing permissions on the integration-test caller (and not by something else). All runs since ~March 25 show startup_failure with 0 jobs; the last run before that date had 11 jobs.
  • Verify no other jobs in ci.yml need explicit permissions beyond the default read-only scope.

Link to Devin session: https://app.devin.ai/sessions/3f8768bfe13144cbad6c7602dd8de770
Requested by: @keelerm84


Note: Low Risk
Low risk workflow-only change that scopes GITHUB_TOKEN permissions for the integration-test reusable workflow call; primary risk is mis-scoped permissions causing CI to keep failing.

Overview
Fixes CI startup failures by explicitly granting the integration-test job id-token: write and contents: read when invoking the reusable integration-test.yml workflow.

This aligns the caller job permissions with the callee’s AWS OIDC/checkout requirements while keeping permissions scoped to just that job (least privilege).

Written by Cursor Bugbot for commit b84c6fa. This will update automatically on new commits.
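The caller/callee arrangement the description refers to, as an added illustration rather than the repository's own ci.yml or integration-test.yml: only the job names, file names and the two permissions come from the PR; the triggers, the other jobs' steps and the AWS action inputs are assumed.

```yaml
# ci.yml (caller) -- illustrative, not the repository's file.
name: CI
on:
  pull_request:
  push:
    branches: [v8]
# No workflow-level permissions block: each job gets the org default
# (read-only GITHUB_TOKEN) unless it declares its own.
jobs:
  go-versions:              # needs nothing beyond the read-only default
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: go test ./...

  integration-test:
    # A job that calls a reusable workflow must hold every permission the
    # callee declares; the callee can only narrow what it is handed. Without
    # this block, id-token stays at 'none' under the read-only default and
    # GitHub rejects the run at startup (startup_failure, zero jobs).
    permissions:
      id-token: write       # AWS OIDC in the callee's release-secrets step
      contents: read        # checkout in the callee
    uses: ./.github/workflows/integration-test.yml
    secrets: inherit

---
# integration-test.yml (callee) -- assumed shape, shown for the contract.
on:
  workflow_call:
jobs:
  run:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4   # assumed; the PR only
        with:                                             # names release-secrets
          role-to-assume: ${{ vars.AWS_ROLE_ARN }}        # placeholder variable
          aws-region: us-east-1                           # placeholder region
```

A workflow-level `permissions:` block would also unblock the run, but it would hand `id-token: write` to every job in ci.yml, which is why the PR scopes it to the one caller job.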

@devin-ai-integration (Contributor) 🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


@devin-ai-integration devin-ai-integration bot added the devin-pr Pull request created by Devin AI label Mar 27, 2026
@keelerm84 keelerm84 marked this pull request as ready for review March 27, 2026 17:45
@keelerm84 keelerm84 requested a review from a team as a code owner March 27, 2026 17:45
@keelerm84 keelerm84 merged commit 04ce565 into v8 Mar 27, 2026
17 of 18 checks passed
@keelerm84 keelerm84 deleted the devin/1774632107-fix-ci-permissions branch March 27, 2026 17:47