[WIP] Add explicit minimal permissions to workflows with risky triggers

[Copilot]

Thanks for assigning this issue to me. I'm starting to work on it and will keep this PR's description up to date as I form a plan and make progress.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Code Quality] Add explicit minimal permissions to 5 workflows using risky event triggers</issue_title>
<issue_description>### Description

Static analysis (#13119) identified 5 workflows using default permissions on risky event triggers (pull_request_target, issue_comment), which could allow excessive permissions for untrusted code execution. This is a security hardening opportunity.

Affected Workflows

1. q.lock.yml - Uses risky triggers with default permissions
2. scout.lock.yml - Uses risky triggers with default permissions
3. grumpy-reviewer.lock.yml - PR reviewer with broad permissions
4. pr-nitpick-reviewer.lock.yml - PR reviewer with broad permissions
5. plan.lock.yml - Planning workflow with default permissions

Security Risk

Default Permissions on Risky Events (poutine security scanner):

• Severity: Warning
• Description: Workflows using pull_request_target or issue_comment triggers without explicit minimal permissions
• Impact: Untrusted code (from PRs/comments) could have excessive permissions to repository resources
• Best Practice: Explicitly define minimal required permissions

Risky Event Triggers

• pull_request_target: Runs in context of base branch with write access
• issue_comment: Can be triggered by any user commenting on issues/PRs
• Both require careful permission scoping to prevent security issues

Recommended Fix

Add explicit minimal permissions to workflow frontmatter:

---
# Before (implicit default permissions)
on:
  pull_request_target:
  issue_comment:

# After (explicit minimal permissions)
on:
  pull_request_target:
  issue_comment:

permissions:
  contents: read        # Read-only access to repository contents
  issues: write         # Only if workflow creates/updates issues
  pull-requests: write  # Only if workflow comments on PRs
  # Omit any permissions not needed
---

Implementation Approach

1. Review each workflow to determine actual permissions needed:

   # Find source markdown files
   find .github/workflows -name "q.md"
   find .github/workflows -name "scout.md"
   find .github/workflows -name "grumpy-reviewer.md"
   find .github/workflows -name "pr-nitpick-reviewer.md"
   find .github/workflows -name "plan.md"

2. Identify required permissions:

   • What GitHub API operations does the workflow perform?
   • Does it read code? (contents: read)
   • Does it comment on PRs? (pull-requests: write)
   • Does it create issues? (issues: write)

3. Add minimal permissions to frontmatter:

   permissions:
     contents: read
     issues: write     # Only if needed
     pull-requests: write  # Only if needed

4. Test workflows:

   • Trigger workflows with new permissions
   • Verify they still function correctly
   • Confirm no permission errors

5. Recompile: make recompile to regenerate .lock.yml files

Success Criteria

• All 5 workflows have explicit minimal permissions defined
• Permissions follow principle of least privilege
• Workflows function correctly with new permissions
• Static analysis re-run shows 0 permission warnings
• Document permission requirements for risky event triggers

Impact

• Severity: Medium (security hardening, not active vulnerability)
• Scope: 5 workflows using risky event triggers
• Benefit: Reduced attack surface, better security posture, follows GitHub best practices

Source

Extracted from Discussion githubnext/gh-aw#13119 - Static Analysis Report (Feb 1, 2026)

"Priority 3 - Permission Hardening: Add explicit minimal permissions to workflows using risky event triggers."

Priority

Medium - Security hardening that should be addressed but not urgent

Estimated Effort: 2-3 hours (review 5 workflows + test + document)

References

• GitHub Actions Security Best Practices
• Permissions for GitHub Actions

AI generated by Discussion Task Miner - Code Quality Improvement Agent

• expires on Feb 15, 2026, 9:07 PM UTC

Comments on the Issue (you are @copilot in this section)

• Fixes [Code Quality] Add explicit minimal permissions to 5 workflows using risky event triggers #13165

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.