Description
Static analysis found 14 workflows triggered by risky events (issue_comment, pull_request_target, workflow_run, etc.) that have no explicit permissions: block and therefore inherit the repository's default GITHUB_TOKEN permissions. These events run in the context of the base repository, with the repository's own token, on input that outside contributors can influence (comment text, PR title and body, artifacts of the triggering run), so any mistake in how that input is handled is reachable with whatever the token is allowed to do. Relying on the repository-wide default also means the effective scopes change silently if that setting is ever switched to read/write. Add an explicit minimal permissions: block to each affected workflow (workflow-level permissions: {} or contents: read, with job-level grants only for the scopes a job actually uses) and recompile the lock files so the generated .lock.yml files pick up the change.
Affected workflows (from the 2026-01-29 static analysis report): ai-moderator, archie, brave, cloclo, grumpy-reviewer, mergefest, pdf-summary, plan, pr-nitpick-reviewer, q, scout, security-review, tidy, unbloat-docs.
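The following is an added illustration, not one of the repository's workflows and not text from the static analysis report. It shows, as two YAML documents in one file, a constructed workflow in the flagged shape (risky triggers, no permissions: block, so the job inherits the repository default) and the same workflow with explicit least-privilege permissions. The workflow name, the placeholder step and the specific scopes granted in the hardened version are assumptions; the real minimal set has to be derived from what each affected workflow actually does. Where a workflow is authored as a source file that compiles to a .lock.yml, the block goes in the source and the lock file is recompiled.

```yaml
# Document 1: the shape flagged by the scan (constructed example).
# No top-level "permissions:" key, so every job runs with whatever the
# repository's default GITHUB_TOKEN permissions are, which may be
# read/write on all scopes. Both triggers run in the base repository's
# context on events that non-collaborators can raise.
name: example-reviewer   # assumed name
on:
  issue_comment:
    types: [created]
  pull_request_target:
    types: [opened, synchronize]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - run: echo "reviewing"   # placeholder step (constructed)
---
# Document 2: the same workflow with explicit least-privilege permissions.
name: example-reviewer   # assumed name
on:
  issue_comment:
    types: [created]
  pull_request_target:
    types: [opened, synchronize]
# Workflow-level default: grant nothing. Every job now starts with an
# empty token and must ask for scopes explicitly, so the repository-wide
# default setting no longer matters.
permissions: {}
jobs:
  review:
    runs-on: ubuntu-latest
    # Job-level grant: only the scopes this job uses. The choice here
    # (read the repository, post a PR comment) is an assumption for the
    # example; a workflow that only reads would drop pull-requests: write.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: echo "reviewing"   # placeholder step (constructed)
```

Two caveats a reviewer should keep in mind when applying this to the listed workflows: a narrowed token limits the blast radius but does not by itself make it safe for a pull_request_target or workflow_run job to check out and execute code from the triggering pull request, which is a separate finding; and any scope that is granted at job level should be justified by a concrete step that needs it, otherwise the block only moves the over-permission rather than removing it.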
Expected Impact
Limits what a job on these risky triggers can do with GITHUB_TOKEN if it is tricked or compromised, removes the dependency on the repository-wide default permissions setting, aligns with least-privilege best practices, and clears the zizmor warnings from the daily scan.
Suggested Agent
Workflow Normalizer or Security Guard Agent
Estimated Effort
Medium (1-4 hours)
Data Source
Static Analysis Report discussion #12558 (2026-01-29) and this DeepReport run (2026-01-29).
AI generated by DeepReport - Intelligence Gathering Agent