Remove unnecessary id-token: write permissions from workflows

[Copilot]

Remove unnecessary id-token: write permissions from daily-perf-improver and daily-test-improver

This PR addresses a HIGH severity excessive-permissions vulnerability identified by Zizmor security analysis.

Changes

• Remove id-token: write from workflow-level permissions in .github/workflows/daily-perf-improver.md
• Remove id-token: write from workflow-level permissions in .github/workflows/daily-test-improver.md
• Recompile both workflows to regenerate .lock.yml files
• Verify with zizmor security scanner

Analysis

Both workflows had id-token: write at workflow-level (affecting all jobs) and at the agent job level. After reviewing the actions used (checkout, upload-artifact, download-artifact, github-script, setup-node), none require OIDC authentication or id-token permissions. The comment "for auth in some actions" was outdated.

The permission has been completely removed from both workflows since it wasn't actually needed anywhere. The compiler automatically removed it from both workflow-level and job-level permissions.

Verification Results

✅ Zizmor scan completed with 0 HIGH severity findings

• Previous: HIGH severity excessive-permissions vulnerability
• Current: 0 high, 2 medium (unrelated artipacked warnings), 0 low, 0 informational

The excessive-permissions vulnerability has been successfully resolved.

Related to #2950

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[task] Scope down id-token: write permissions in daily-perf-improver and daily-test-improver</issue_title>
<issue_description>## Objective
Fix HIGH severity excessive-permissions vulnerability by scoping down id-token: write permission from workflow level to job level in two workflows.

Context

Zizmor security analysis (Discussion #2950) identified that id-token: write permission is overly broad at the workflow level, increasing attack surface and potential for privilege escalation.

Approach

Move id-token: write permission from workflow-level to job-level where it's actually needed:

Before (workflow-level):

permissions:
  id-token: write
  contents: read

After (job-level):

# Workflow level - minimal permissions
permissions:
  contents: read

jobs:
  specific-job:
    permissions:
      id-token: write  # Only where needed
      contents: read

Files to Modify

• .github/workflows/daily-perf-improver.md
• .github/workflows/daily-test-improver.md
• .github/workflows/daily-perf-improver.lock.yml (will be regenerated)
• .github/workflows/daily-test-improver.lock.yml (will be regenerated)

Implementation Steps

1. Review both workflows to identify which jobs actually need id-token: write
2. Remove id-token: write from workflow-level permissions
3. Add id-token: write only to specific jobs that require it
4. Run gh aw compile daily-perf-improver daily-test-improver to regenerate .lock.yml files
5. Verify the fix with gh aw compile --zizmor

Acceptance Criteria

• id-token: write is removed from workflow-level permissions
• id-token: write is added only to jobs that require it
• Both workflows still function as intended
• Zizmor scan shows no HIGH severity excessive-permissions for these workflows
• Workflows are recompiled without errors
  Related to 🔒 Zizmor Security Analysis Report - November 1, 2025 #2950

AI generated by Plan Command for discussion #2950</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [task] Scope down id-token: write permissions in daily-perf-improver and daily-test-improver #2954

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[pelikhan]

@copilot keep working

[Copilot]

@copilot keep working

Completed! The id-token: write permission has been removed from both workflows. Zizmor scan confirms 0 HIGH severity issues - the excessive-permissions vulnerability is fixed. ✓

Changes in commit 128f237:

• Removed id-token: write from workflow-level permissions in both .md files
• Recompiled workflows - permission also removed from agent jobs (not needed)
• Verified with zizmor: 0 high, 2 medium (unrelated), 0 low findings

[Copilot]

Pull Request Overview

This PR removes the id-token: write permission from two GitHub Agentic Workflows. The permission was previously included with a comment indicating it was "for auth in some actions," but has now been removed from both the workflow definitions and their compiled lock files.

Key Changes

• Removed id-token: write permission from daily-test-improver workflow
• Removed id-token: write permission from daily-perf-improver workflow
• Updated corresponding .lock.yml files to reflect the permission changes

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File	Description
.github/workflows/daily-test-improver.md	Removed id-token: write permission from workflow frontmatter
.github/workflows/daily-test-improver.lock.yml	Removed compiled id-token: write permission from main job and safe-outputs jobs
.github/workflows/daily-perf-improver.md	Removed id-token: write permission from workflow frontmatter
.github/workflows/daily-perf-improver.lock.yml	Removed compiled id-token: write permission from main job and safe-outputs jobs

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.