Remove unnecessary discussions:read permission from speckit-dispatcher workflow

[Copilot]

The speckit-dispatcher workflow granted discussions: read permission but doesn't use the discussions toolset. This violates least privilege and increases attack surface unnecessarily.

Changes

• Removed discussions: read from workflow permissions
• Retained minimal required permissions:
  • contents: read - repos toolset
  • issues: write - issues toolset + safe-outputs (create-issue, add-comment, link-sub-issue)
  • pull-requests: read - pull_requests toolset

Analysis

The workflow uses GitHub MCP toolsets: [default] which expands to context, repos, issues, pull_requests. None of these require discussions permissions. The discussions toolset is a separate opt-in and was never configured.

# Before
permissions:
  contents: read
  issues: write
  discussions: read    # ← Unnecessary
  pull-requests: read

# After
permissions:
  contents: read
  issues: write
  pull-requests: read

Resolves zizmor excessive-permissions warning at .github/workflows/speckit-dispatcher.lock.yml:502:3.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/user
  • Triggering command: /usr/bin/gh gh api user --jq .login it/ref/tags/v5 GO111MODULE ps GOINSECURE GOMOD GOMODCACHE ps .git�� .git GOPROXY e/git GOSUMDB GOWORK me: String!) { xterm-color e/git (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login ns/setup.git GOPROXY /home/REDACTED/go/bin/sh GOSUMDB GOWORK (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login ion-precompile.git ion-precompile.git 204575cd2cb8260dae593b7ff6926251360/log.json GOSUMDB GOWORK /usr/bin/git sh -c prettier --write '**/*.cjs' '**/*.ts' '**/*.json' git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[plan] Fix excessive permissions in speckit-dispatcher workflow</issue_title>
<issue_description>## Objective

Review and reduce permissions in the speckit-dispatcher workflow to follow the principle of least privilege.

Context

Severity: High
Tool: zizmor
Reference: excessive-permissions
Location: .github/workflows/speckit-dispatcher.lock.yml:502:3

The workflow has more permissions than necessary, increasing the attack surface and potential for privilege escalation if compromised.

Approach

1. Examine the speckit-dispatcher workflow to understand what GitHub API operations it performs
2. Review current permissions granted (likely in frontmatter or workflow configuration)
3. Determine the minimal set of permissions actually needed
4. Update the workflow markdown file with reduced permissions
5. Recompile and test the workflow

Files to Modify

• Edit: .github/workflows/speckit-dispatcher.md (or related source file)
• Generated: .github/workflows/speckit-dispatcher.lock.yml (via recompile)

Analysis Steps

1. Identify what GitHub API calls the workflow makes (issues, PRs, discussions, etc.)
2. Map those operations to required permissions
3. Compare against currently granted permissions
4. Remove any unnecessary permissions

Common Permission Patterns

# Example: If workflow only reads issues and writes comments
permissions:
  issues: write        # Needed for commenting
  contents: read       # Standard read access
  # Remove: pull-requests, discussions, etc. if not used

Acceptance Criteria

• Current permissions documented and analyzed
• Minimal required permissions identified
• Workflow source file updated with reduced permissions
• Workflow recompiled with make recompile
• Zizmor scan shows excessive-permissions warning resolved
• Workflow tested to ensure it still functions correctly
• Documentation updated if the workflow's capabilities changed

Why This Matters

• Follows security principle of least privilege
• Reduces impact if workflow is compromised
• Limits potential for accidental destructive operations
• Industry best practice for GitHub Actions security
  Related to [plan] Address security findings from static analysis scan #5866

AI generated by Plan Command for discussion #5845

Comments on the Issue (you are @copilot in this section)

• Fixes [plan] Fix excessive permissions in speckit-dispatcher workflow #5868

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.