Copilot AI commented Nov 4, 2025

The test-claude-oauth-workflow had no explicit permissions, causing the compiler to default to permissions: read-all, violating least privilege (MEDIUM severity finding).

Changes

  • Added explicit minimal permissions to .github/workflows/test-claude-oauth-workflow.md:

    permissions:
      contents: read
      issues: read
      pull-requests: read
  • Recompiled workflow to propagate permissions to .lock.yml file

Impact

  • Removes permissions: read-all from both top-level workflow and agent job
  • Grants only read access required for file listing and GitHub toolsets
  • Addresses excessive-permissions finding from static analysis report (🔍 Static Analysis Report - November 4, 2025 #3120)

Original prompt

This section details the original issue you should resolve

<issue_title>[task] Reduce excessive permissions in test-claude-oauth-workflow</issue_title>
<issue_description>
Objective

Replace overly broad permissions: read-all with explicit minimal permissions in test-claude-oauth-workflow.

Context

The test-claude-oauth-workflow currently uses permissions: read-all which violates the principle of least privilege and increases the attack surface (MEDIUM severity). This was identified in the static analysis report as an excessive-permissions issue.

Related to discussion #3120 - Static Analysis Report finding #2.

Approach

  1. Analyze what permissions the workflow actually needs based on its operations
  2. Replace permissions: read-all with explicit minimal permissions
  3. Test the workflow to ensure it still functions correctly with reduced permissions

Files to Modify

  • .github/workflows/test-claude-oauth-workflow.md - Update permissions from read-all to explicit minimal set
  • Recompile with gh aw compile test-claude-oauth-workflow

Suggested Permissions

Based on typical agentic workflow needs:

permissions:
  contents: read
  issues: write
  pull-requests: write

Adjust if the specific workflow requires different permissions.

Acceptance Criteria

  • permissions: read-all removed from workflow
  • Explicit minimal permissions defined
  • Workflow compiles successfully
  • Workflow functions correctly with new permissions
  • Zizmor scan shows no excessive-permissions findings for this workflow

Related to 🔍 Static Analysis Report - November 4, 2025 #3120

AI generated by Plan Command for discussion #3120</issue_description>

Comments on the Issue (you are @copilot in this section)

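As an added illustration (not code from this PR or the gh-aw project), a small checker in the spirit of the static analysis finding above: it reads the frontmatter of a gh-aw workflow markdown file and reports a missing permissions key (which the compiler fills with read-all) or the read-all/write-all shorthands, and lists any scopes granted write access for review. The sample frontmatter and the function names are constructed for this example.

```python
import re

# Constructed sample frontmatter for a gh-aw markdown workflow (not the repo's own file).
# As the PR notes, a missing `permissions` key is compiled to `permissions: read-all`.
BEFORE = "---\non: workflow_dispatch\nengine: claude\n---\n# Test Claude OAuth\n"
AFTER = ("---\non: workflow_dispatch\nengine: claude\n"
         "permissions:\n  contents: read\n  issues: read\n  pull-requests: read\n"
         "---\n# Test Claude OAuth\n")

BROAD_SHORTHANDS = {"read-all", "write-all"}

def frontmatter_lines(markdown):
    """Return the lines between the opening and closing '---' fences."""
    m = re.match(r"^---\n(.*?)\n---\n", markdown, re.S)
    return m.group(1).splitlines() if m else []

def permissions(markdown):
    """Top-level `permissions` value: None if absent, a string for the shorthand form
    (read-all, write-all, {}), or a dict mapping scope -> access level."""
    lines = frontmatter_lines(markdown)
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(\S*)\s*$", line)
        if not m:
            continue
        if m.group(1):
            return m.group(1)
        scopes = {}
        for sub in lines[i + 1:]:
            sm = re.match(r"^\s+([\w-]+):\s*(\w+)\s*$", sub)
            if not sm:
                break  # end of the indented mapping
            scopes[sm.group(1)] = sm.group(2)
        return scopes
    return None

def audit(markdown):
    """Excessive-permissions findings, mirroring the static analysis report's check,
    plus a review note for every scope granted write access."""
    perms = permissions(markdown)
    if perms is None:
        return ["missing permissions block: compiler defaults to read-all"]
    if isinstance(perms, str):
        return [f"shorthand permissions: {perms}"] if perms in BROAD_SHORTHANDS else []
    return [f"review write scope: {scope}" for scope, level in perms.items() if level == "write"]

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text) or "ok")
```
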
…th-workflow

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Update permissions in test-claude-oauth-workflow Replace implicit read-all with explicit minimal permissions in test-claude-oauth-workflow Nov 4, 2025
Copilot AI requested a review from pelikhan November 4, 2025 11:36
@pelikhan pelikhan marked this pull request as ready for review November 4, 2025 11:39
Copilot AI review requested due to automatic review settings November 4, 2025 11:39
@pelikhan pelikhan enabled auto-merge (squash) November 4, 2025 11:39
Copilot AI left a comment

Pull Request Overview

This PR updates the test workflow for Claude OAuth token support by replacing the broad read-all permission with explicit, minimal read permissions following the principle of least privilege. This change improves security by granting only the specific permissions needed for the workflow to function.

Key Changes

  • Added explicit permissions block to the workflow frontmatter
  • Replaced read-all with granular read permissions for contents, issues, and pull-requests
  • Updated both the workflow-level and job-level permissions in the compiled lock file

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File | Description
.github/workflows/test-claude-oauth-workflow.md | Added explicit permissions block with minimal read-only access
.github/workflows/test-claude-oauth-workflow.lock.yml | Compiled output reflecting the permission changes at both workflow and job levels

@pelikhan pelikhan merged commit b1a6e4a into main Nov 4, 2025
49 of 58 checks passed
@pelikhan pelikhan deleted the copilot/reduce-excessive-permissions branch November 4, 2025 12:08