
Replace read-all permissions with explicit minimal permissions in 7 workflows#2961

Merged
pelikhan merged 2 commits intomainfrom
copilot/fix-excessive-permissions-vulnerabilities
Nov 1, 2025

Conversation


Copilot AI commented Nov 1, 2025

Fixes MEDIUM severity excessive-permissions vulnerabilities identified by the zizmor security scanner. The permissions: read-all pattern grants overly broad access that increases the risk of credential theft or unauthorized actions if tokens are compromised.

Changes

Replaced permissions: read-all with explicit minimal permissions in 7 workflows:

  • ci-doctor.md
  • copilot-agent-analysis.md
  • copilot-pr-prompt-analysis.md
  • daily-news.md
  • smoke-detector.md
  • technical-doc-writer.md
  • test-timestamp-js.md

Each workflow now specifies only required permissions based on its tools and safe-outputs configuration:

# Before
permissions: read-all

# After
permissions:
  contents: read
  issues: read
  pull-requests: read
  actions: read

The issues and pull-requests read permissions are required by default GitHub MCP toolsets. The actions read permission enables workflows to read workflow run data. Additional permissions like discussions: read are specified only where needed (e.g., daily-news.md).

All .lock.yml files were regenerated. The zizmor scan confirms no excessive-permissions issues remain for these workflows.

Closes #2950

Original prompt

This section details the original issue you should resolve

<issue_title>[task] Replace read-all permissions with explicit minimal permissions in 7 workflows</issue_title>
<issue_description>## Objective
Fix MEDIUM severity excessive-permissions vulnerabilities by replacing permissions: read-all with explicit minimal permissions in 7 workflows.

Context

Zizmor security analysis (Discussion #2950) identified that using read-all is overly broad and increases risk of credential theft or unauthorized actions. The principle of least privilege requires specifying only the permissions actually needed.

Approach

Replace broad read-all with explicit minimal permissions:

Before:

permissions: read-all

After (example - adjust per workflow):

permissions:
  contents: read
  pull-requests: read
  issues: read

Affected Workflows

  1. .github/workflows/ci-doctor.md
  2. .github/workflows/copilot-agent-analysis.md
  3. .github/workflows/copilot-pr-prompt-analysis.md
  4. .github/workflows/daily-news.md
  5. .github/workflows/smoke-detector.md
  6. .github/workflows/technical-doc-writer.md
  7. .github/workflows/test-timestamp-js.md

Implementation Steps

For each workflow:

  1. Review the workflow to understand what permissions it actually uses
  2. Replace permissions: read-all with explicit minimal permissions
  3. Run gh aw compile (workflow-name) to regenerate .lock.yml
  4. Test the workflow to ensure it still functions

After all workflows are fixed:
  5. Run gh aw compile --zizmor to verify all excessive-permissions issues are resolved

Acceptance Criteria

  • All 7 workflows have explicit minimal permissions
  • No workflow uses read-all
  • All workflows still function as intended
  • Zizmor scan shows no MEDIUM severity excessive-permissions for these workflows
  • All workflows are recompiled without errors

Related to 🔒 Zizmor Security Analysis Report - November 1, 2025 #2950

AI generated by Plan Command for discussion #2950</issue_description>

Comments on the Issue (you are @copilot in this section)
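The check the issue asks for in step 5 (and the before/after shape shown in the PR description) can be reproduced with a small line-based scanner. This is an added example, not code from gh-aw or zizmor: it finds every `permissions:` key in a workflow or .lock.yml, reports the blanket `read-all`/`write-all` form, and, given an assumed `required` set of scopes derived from the workflow's tools, reports scopes that are declared but not needed. The two sample workflows are constructed.

```python
import re
from typing import Dict, List, Optional, Set, Tuple, Union

BLANKET = {"read-all", "write-all"}  # the grants zizmor's excessive-permissions rule flags
_KEY = re.compile(r"^(\s*)permissions:\s*(.*?)\s*$")
_ENTRY = re.compile(r"^(\s*)([a-z-]+):\s*(read|write|none)\s*$")

# Constructed sample: a workflow before and after the change this PR makes.
SAMPLE_BEFORE = "on: push\npermissions: read-all\njobs:\n  agent:\n    runs-on: ubuntu-latest\n"
SAMPLE_AFTER = ("on: push\npermissions:\n  contents: read\n  issues: read\n  pull-requests: read\n"
                "  actions: read\njobs:\n  agent:\n    permissions:\n      contents: read\n")

def parse_permission_blocks(text: str) -> List[Tuple[int, Union[str, Dict[str, str]]]]:
    """(line_no, value) per permissions: key, value being 'read-all'/'write-all' or a
    scope->level dict. Line-based, so no YAML library and job-level keys are seen too."""
    lines, blocks, i = text.splitlines(), [], 0
    while i < len(lines):
        m = _KEY.match(lines[i])
        if not m:
            i += 1
            continue
        indent, scalar = len(m.group(1)), m.group(2).split("#")[0].strip()
        if scalar and scalar != "{}":              # permissions: read-all
            blocks.append((i + 1, scalar.strip("'\"")))
            i += 1
            continue
        scopes: Dict[str, str] = {}                # permissions:\n  contents: read ...
        j = i + 1
        while j < len(lines):
            e = _ENTRY.match(lines[j])
            if not e or len(e.group(1)) <= indent:
                break
            scopes[e.group(2)] = e.group(3)
            j += 1
        blocks.append((i + 1, scopes))
        i = j
    return blocks

def audit_permissions(text: str, required: Optional[Set[str]] = None) -> List[str]:
    """Flag blanket grants, write grants, and scopes outside the workflow's required set."""
    findings = []
    for line_no, value in parse_permission_blocks(text):
        if isinstance(value, str) and value in BLANKET:
            findings.append(f"line {line_no}: blanket grant '{value}'")
        for scope, level in (value.items() if isinstance(value, dict) else []):
            if level == "write":
                findings.append(f"line {line_no}: write grant on {scope}")
            if required is not None and scope not in required:
                findings.append(f"line {line_no}: scope '{scope}' not required")
    return findings
```

Running `audit_permissions` over SAMPLE_BEFORE yields the blanket-grant finding; over SAMPLE_AFTER it yields nothing unless `required` omits a declared scope.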



…orkflows

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Replace read-all permissions with minimal permissions in workflows Replace read-all permissions with explicit minimal permissions in 7 workflows Nov 1, 2025
Copilot AI requested a review from pelikhan November 1, 2025 19:32
@pelikhan pelikhan marked this pull request as ready for review November 1, 2025 19:34
Copilot AI review requested due to automatic review settings November 1, 2025 19:34
@pelikhan pelikhan merged commit 9c15f9b into main Nov 1, 2025
4 checks passed
@pelikhan pelikhan deleted the copilot/fix-excessive-permissions-vulnerabilities branch November 1, 2025 19:35

Copilot AI left a comment


Pull Request Overview

This PR replaces the broad permissions: read-all declaration with explicit, granular read permissions across multiple GitHub Agentic Workflow files. This change follows the principle of least privilege by only granting the specific permissions that each workflow needs.

Key Changes

  • Replaces permissions: read-all with explicit permission lists
  • Applies consistent permission patterns across all affected workflows
  • Updates both source .md files and their compiled .lock.yml counterparts

Reviewed Changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated no comments.

Summary per file:

  • .github/workflows/test-timestamp-js.md: Adds explicit read permissions for contents, issues, and pull-requests
  • .github/workflows/technical-doc-writer.md: Replaces read-all with granular permissions (contents, pull-requests, issues, actions)
  • .github/workflows/technical-doc-writer.lock.yml: Compiled output reflecting the explicit permissions at both workflow and agent job levels
  • .github/workflows/smoke-detector.md: Replaces read-all with specific read permissions including actions access
  • .github/workflows/smoke-detector.lock.yml: Compiled output with explicit permissions at workflow and agent job levels
  • .github/workflows/daily-news.md: Adds granular read permissions including discussions access
  • .github/workflows/daily-news.lock.yml: Compiled output reflecting the explicit permission configuration
  • .github/workflows/copilot-pr-prompt-analysis.md: Replaces read-all with specific read permissions (contents, issues, pull-requests, actions)
  • .github/workflows/copilot-pr-prompt-analysis.lock.yml: Compiled output with explicit permissions in workflow and agent job
  • .github/workflows/copilot-agent-analysis.md: Replaces read-all with granular read permissions matching workflow needs
  • .github/workflows/copilot-agent-analysis.lock.yml: Compiled output reflecting the explicit permission changes
  • .github/workflows/ci-doctor.md: Adds specific read permissions for contents, issues, pull-requests, and actions
  • .github/workflows/ci-doctor.lock.yml: Compiled output with explicit permissions at workflow and agent job levels

