Closed
Labels: ai-generated, cookie, Issue Monster Loves Cookies!, medium-priority, plan, security, workflows
Description
Objective
Add explicit permissions: blocks to 14 workflows that use default (write) permissions with risky trigger events like workflow_dispatch or issue_comment.
Context
From discussion #12276, these workflows have medium-priority security issues violating the least-privilege principle. They run on risky triggers with default write permissions when they may only need read access.
Affected Workflows
- cloclo
- q
- plan
- brave
- mergefest
- pdf-summary
- grumpy-reviewer
- pr-nitpick-reviewer
- archie
- security-review
- scout
- ai-moderator
- tidy
- unbloat-docs
Solution Templates
For read-only agents (analysis, reports):
---
title: My Analyzer
permissions:
  contents: read
on:
  workflow_dispatch:
---
For comment-only agents (reviewers, moderators):
---
title: My Reviewer
permissions:
  contents: read
  issues: write
  pull-requests: write
on:
  workflow_dispatch:
  issue_comment:
---
For code-modifying agents (auto-fixers, updaters):
---
title: My Auto-fixer
permissions:
  contents: write
  pull-requests: write
on:
  workflow_dispatch:
---
Approach
- Review each workflow's purpose to determine the required permissions
- Add minimal permissions to the workflow frontmatter (.md files)
- Recompile workflows with make recompile
- Verify with poutine scan that the warnings are resolved
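The templates above and the "review each workflow's purpose" step both come down to one question per workflow: which triggers does it run on, and has it declared a permissions: block at all? The script below is an added example, not code from the issue or from the project: it parses the top two levels of a workflow's .md frontmatter with a small hand-rolled reader (avoiding a YAML library, which would also turn the bare key `on` into a boolean), then flags any workflow that runs on one of the two risky triggers named in the issue without an explicit permissions: block. The workflow names and file contents are constructed samples, not the repository's files.

```python
# Added example (not from the issue or the project): audit agentic workflow
# frontmatter for risky triggers that run with default (write) permissions.
# Trigger names come from the issue; sample workflow contents are constructed.
from typing import Dict, List, Set

RISKY_TRIGGERS = {"workflow_dispatch", "issue_comment"}  # named in the issue


def parse_frontmatter(text: str) -> Dict[str, object]:
    """Read a '---'-delimited frontmatter into {key: scalar or {child: scalar}}.

    Only 2-space-indented children are recorded; deeper nesting (for example
    'types: [created]' under a trigger) is skipped because the audit only
    needs key names, not their options.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}
    fm: Dict[str, object] = {}
    current = None
    for line in lines[1:]:
        if line.strip() == "---":
            break
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            current = key
            fm[key] = value if value else {}
        elif indent == 2 and current is not None and isinstance(fm[current], dict):
            fm[current][key] = value
    return fm


def trigger_names(on: object) -> Set[str]:
    """Accept the mapping form ('on:' with child keys), a bare scalar
    ('on: workflow_dispatch') or a flow list ('on: [a, b]')."""
    if isinstance(on, dict):
        return set(on.keys())
    if isinstance(on, str) and on:
        return {t.strip() for t in on.strip("[]").split(",") if t.strip()}
    return set()


def audit_workflow(name: str, text: str) -> Dict[str, object]:
    """Summarise one workflow: risky triggers, whether permissions are
    declared, and which scopes are granted write access."""
    fm = parse_frontmatter(text)
    perms = fm.get("permissions")
    if isinstance(perms, dict) and perms:
        has_permissions = True
        write_scopes = sorted(s for s, lvl in perms.items() if lvl == "write")
    elif isinstance(perms, str) and perms:  # e.g. 'permissions: read-all'
        has_permissions = True
        write_scopes = [perms] if perms == "write-all" else []
    else:
        has_permissions = False  # no block: GitHub's default token is used
        write_scopes = []
    return {
        "name": name,
        "risky_triggers": sorted(trigger_names(fm.get("on")) & RISKY_TRIGGERS),
        "has_permissions": has_permissions,
        "write_scopes": write_scopes,
    }


def missing_permissions(workflows: Dict[str, str]) -> List[str]:
    """Names of workflows on a risky trigger with no permissions: block."""
    return [
        r["name"]
        for r in (audit_workflow(n, t) for n, t in workflows.items())
        if r["risky_triggers"] and not r["has_permissions"]
    ]


# Constructed sample workflows (hypothetical names, not repository files).
SAMPLE_WORKFLOWS = {
    "sample-analyzer": "---\ntitle: Sample Analyzer\non:\n  workflow_dispatch:\n---\n",
    "sample-reviewer": (
        "---\ntitle: Sample Reviewer\npermissions:\n  contents: read\n"
        "  issues: write\n  pull-requests: write\non:\n  workflow_dispatch:\n"
        "  issue_comment:\n    types: [created]\n---\n"
    ),
    "sample-fixer": (
        "---\ntitle: Sample Auto-fixer\npermissions:\n  contents: write\n"
        "  pull-requests: write\non: workflow_dispatch\n---\n"
    ),
    "sample-nightly": "---\ntitle: Nightly Report\non:\n  schedule:\n    - cron: \"0 2 * * *\"\n---\n",
}

if __name__ == "__main__":
    for n, t in SAMPLE_WORKFLOWS.items():
        print(audit_workflow(n, t))
    print("missing permissions on risky trigger:", missing_permissions(SAMPLE_WORKFLOWS))
```

Only sample-analyzer is reported: it is dispatchable and silently inherits the default token. sample-reviewer and sample-fixer declare their scopes, so the remaining review question is whether each write scope listed in write_scopes is actually justified by the agent's job (the second acceptance criterion). sample-nightly also lacks a block, but runs only on schedule, which is outside the trigger set this issue targets.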
Acceptance Criteria
- All 14 workflows have explicit permissions: blocks
- Permissions follow the least-privilege principle
- Workflows function correctly with restricted permissions
- Run make agent-finish before committing
References
AI generated by Plan Command for discussion #12276