
[task] Replace read-all permissions with explicit minimal permissions in 7 workflows #2955

@github-actions

Description


Objective

Fix the MEDIUM severity excessive-permissions findings by replacing permissions: read-all with an explicit, minimal permissions block in 7 workflows.

Context

Zizmor security analysis (Discussion #2950) identified that read-all is overly broad: it grants the workflow's GITHUB_TOKEN read access to every scope rather than only the ones the workflow uses, so a compromised step can read more than it needs, which increases the impact of credential theft or unauthorized actions. The principle of least privilege requires specifying only the permissions actually needed.

Approach

Replace broad read-all with explicit minimal permissions:

Before:

permissions: read-all

After (example - adjust per workflow; once any scope is listed explicitly, GitHub Actions sets every unlisted scope to none, except metadata which stays read, so each workflow's block must name every scope it actually uses):

permissions:
  contents: read
  pull-requests: read
  issues: read

Affected Workflows

  1. .github/workflows/ci-doctor.md
  2. .github/workflows/copilot-agent-analysis.md
  3. .github/workflows/copilot-pr-prompt-analysis.md
  4. .github/workflows/daily-news.md
  5. .github/workflows/smoke-detector.md
  6. .github/workflows/technical-doc-writer.md
  7. .github/workflows/test-timestamp-js.md

Implementation Steps

For each workflow:

  1. Review the workflow to understand what permissions it actually uses
  2. Replace permissions: read-all with explicit minimal permissions
  3. Run gh aw compile (workflow-name) to regenerate .lock.yml
  4. Test the workflow to ensure it still functions

After all workflows are fixed:

  5. Run gh aw compile --zizmor to verify all excessive-permissions issues are resolved
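As an added example (not gh-aw code and not part of this issue), the audit below automates steps 1, 2 and the final check for the read-all pattern on the .md workflow sources, which keep their settings in YAML front matter. It needs no YAML library: a small hand parser understands the two permissions shapes GitHub Actions accepts (a scalar such as read-all, or a scope-to-level map) and reports broad scalars, write scopes worth a second look, and workflows with no permissions block at all. The sample workflow documents are constructed for the demo, and the front-matter keys on and engine and the scope names used in them are assumptions about the workflow contents.

```python
"""Audit `permissions:` in gh-aw agentic workflow sources (.github/workflows/*.md).

Added example, not gh-aw code. Assumes each workflow keeps its settings in a
YAML front-matter block between '---' lines; the sample documents below are
constructed for the demo.
"""
import re
from pathlib import Path

BROAD_SCALARS = {"read-all", "write-all"}   # what zizmor's excessive-permissions rule targets
VALID_LEVELS = {"read", "write", "none"}

_FRONT_MATTER = re.compile(r"\A---\r?\n(.*?)\r?\n---", re.S)


def front_matter(doc: str) -> str:
    """Return the YAML front matter of a workflow document ('' if absent)."""
    m = _FRONT_MATTER.match(doc)
    return m.group(1) if m else ""


def _strip_comment(line: str) -> str:
    # Good enough for permissions blocks; assumes no '#' inside quoted values.
    return line.split("#", 1)[0].strip()


def parse_permissions(fm: str):
    """Parse the top-level `permissions:` key of a front-matter block.

    Returns a str for the scalar form (e.g. 'read-all'), a dict for the
    scope map form, {} for 'permissions: {}', and None if the key is absent.
    Deliberately minimal: it only understands the shapes GitHub Actions accepts.
    """
    lines = fm.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:(.*)$", line)
        if not m:
            continue
        rest = _strip_comment(m.group(1))
        if rest == "{}":
            return {}
        if rest:
            return rest
        scopes = {}
        for nxt in lines[i + 1:]:
            body = _strip_comment(nxt)
            if not body:
                continue            # blank or comment-only line
            if not nxt[0].isspace():
                break               # back at top level: the map is finished
            key, _, val = body.partition(":")
            scopes[key.strip()] = val.strip()
        return scopes
    return None


def audit(doc: str) -> list:
    """Return the findings for one workflow document; [] means clean."""
    perms = parse_permissions(front_matter(doc))
    findings = []
    if perms is None:
        # Assumption: with no block the compiled workflow inherits the
        # repository's default GITHUB_TOKEN permissions, which may be write.
        findings.append("no explicit permissions block")
    elif isinstance(perms, str):
        if perms in BROAD_SCALARS:
            findings.append(f"excessive-permissions: '{perms}' grants every scope")
        else:
            findings.append(f"unrecognised permissions value '{perms}'")
    else:
        for scope, level in perms.items():
            if level not in VALID_LEVELS:
                findings.append(f"invalid level '{level}' for scope '{scope}'")
            elif level == "write":
                findings.append(f"write scope '{scope}': confirm the workflow needs it")
    return findings


def audit_tree(root: str = ".github/workflows") -> dict:
    """Audit every .md workflow under root; returns {path: findings}."""
    return {str(p): audit(p.read_text()) for p in sorted(Path(root).glob("*.md"))}


# Constructed samples mirroring the issue's before/after (keys are assumed).
BEFORE = """---
on:
  schedule:
    - cron: "0 9 * * 1-5"
permissions: read-all
engine: copilot
---
# Daily news
"""

AFTER = """---
on:
  schedule:
    - cron: "0 9 * * 1-5"
permissions:
  contents: read
  issues: read   # the agent reads existing issues
engine: copilot
---
# Daily news
"""

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(doc) or ["ok"])
```

Run it from the repository root to list findings per workflow with audit_tree(); an empty list for every file is the state the acceptance criteria describe, and the zizmor run in step 5 remains the authoritative check because it inspects the compiled .lock.yml rather than the .md source.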

Acceptance Criteria

  • All 7 workflows have explicit minimal permissions
  • No workflow uses read-all
  • All workflows still function as intended
  • Zizmor scan shows no MEDIUM severity excessive-permissions findings for these workflows
  • All workflows are recompiled without errors

Related to 🔒 Zizmor Security Analysis Report - November 1, 2025 #2950

AI generated by Plan Command for discussion #2950
