
[task] Scope down id-token: write permissions in daily-perf-improver and daily-test-improver #2954

@github-actions

Objective

Fix HIGH severity excessive-permissions vulnerability by scoping down id-token: write permission from workflow level to job level in two workflows.

Context

Zizmor security analysis (Discussion #2950) identified that id-token: write permission is overly broad at the workflow level, increasing attack surface and potential for privilege escalation.

Approach

Move id-token: write permission from workflow-level to job-level where it's actually needed:

Before (workflow-level):

permissions:
  id-token: write
  contents: read

After (job-level):

# Workflow level - minimal permissions
permissions:
  contents: read

jobs:
  specific-job:
    permissions:
      id-token: write  # Only where needed
      contents: read

Files to Modify

  • .github/workflows/daily-perf-improver.md
  • .github/workflows/daily-test-improver.md
  • .github/workflows/daily-perf-improver.lock.yml (will be regenerated)
  • .github/workflows/daily-test-improver.lock.yml (will be regenerated)

Implementation Steps

  1. Review both workflows to identify which jobs actually need id-token: write
  2. Remove id-token: write from workflow-level permissions
  3. Add id-token: write only to specific jobs that require it
  4. Run gh aw compile daily-perf-improver daily-test-improver to regenerate .lock.yml files
  5. Verify the fix with gh aw compile --zizmor
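A small lint in the spirit of steps 1 and 5, added here as an example and not code from the issue or the gh-aw tooling: it reports where `id-token: write` is granted in compiled `.lock.yml` text. It assumes two-space block-style YAML and uses constructed samples shaped like the before/after snippets above.

```python
# Added example, not code from the issue or the gh-aw project: a minimal lint that
# reproduces the excessive-permissions finding above on compiled .lock.yml text.
# It walks two-space-indented block YAML by hand, so it needs no PyYAML; inputs are constructed.

def _perms_block(lines, start, indent):
    """Collect `key: value` pairs nested under lines[start] (a `permissions:` line)."""
    perms = {}
    for line in lines[start + 1:]:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if len(line) - len(line.lstrip()) <= indent:
            break  # dedented back to the parent: the block has ended
        key, _, value = line.strip().partition(":")
        perms[key.strip()] = value.split("#", 1)[0].strip()  # drop trailing comment
    return perms

def audit_id_token(workflow_text):
    """Report whether `id-token: write` is granted at workflow level and per job."""
    lines = workflow_text.splitlines()
    result = {"workflow_level": False, "jobs": {}}
    in_jobs, job = False, None
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # top-level key: `permissions:`, `jobs:`, `on:`, ...
            in_jobs, job = stripped == "jobs:", None
            if stripped == "permissions:":
                result["workflow_level"] = _perms_block(lines, i, 0).get("id-token") == "write"
        elif in_jobs and indent == 2 and stripped.endswith(":"):
            job = stripped[:-1]  # a job id under `jobs:`
            result["jobs"][job] = False
        elif in_jobs and job and indent == 4 and stripped == "permissions:":
            result["jobs"][job] = _perms_block(lines, i, 4).get("id-token") == "write"
    return result

def findings(workflow_text):
    """Zizmor-style messages: HIGH for a workflow-level grant, info per job-level grant."""
    audit = audit_id_token(workflow_text)
    out = ["HIGH: id-token: write at workflow level (inherited by every job)"] if audit["workflow_level"] else []
    out += [f"info: job '{j}' holds id-token: write" for j, ok in audit["jobs"].items() if ok]
    return out

# Constructed samples in the shape of the issue's before/after snippets.
BEFORE = "permissions:\n  id-token: write\n  contents: read\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
AFTER = (BEFORE.replace("  id-token: write\n", "")
         + "  publish:\n    permissions:\n      id-token: write  # Only where needed\n"
         + "      contents: read\n    runs-on: ubuntu-latest\n")
```

Running `findings(BEFORE)` yields the HIGH finding, while `findings(AFTER)` only lists the `publish` job, which is the state the acceptance criteria below describe.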

Acceptance Criteria

  • id-token: write is removed from workflow-level permissions
  • id-token: write is added only to jobs that require it
  • Both workflows still function as intended
  • Zizmor scan shows no HIGH severity excessive-permissions for these workflows
  • Workflows are recompiled without errors

Related to 🔒 Zizmor Security Analysis Report - November 1, 2025 #2950

AI generated by Plan Command for discussion #2950
