
feat(ci): least-privilege token permissions; fix 2 workflow bugs#27

Merged
amacsmith merged 1 commit into main from ci/least-privilege-perms on May 11, 2026

Conversation

@amacsmith
Member

Summary

Tightens every workflow's permission scope to per-job least-privilege per OpenSSF Scorecard's Token-Permissions check (currently 0/10 because multiple workflows grant top-level write to contents). Plus fixes the two known workflow bugs caught in #25 review.

A. Token-Permissions audit

Every workflow now declares top-level permissions: contents: read (or equivalent read-only minimum); any write-scope is pushed down to the specific job that actually needs it. Per-workflow changes:

| Workflow | Before (top-level) | After (top-level) | Per-job (where needed) |
|---|---|---|---|
| add-from-issue | contents/issues/pull-requests: write | contents: read | parse-and-pr: contents/issues/pull-requests: write |
| audit | contents: read | (unchanged) | |
| auto-merge | pull-requests/contents: write, checks: read | contents: read | auto-merge: pull-requests: write, checks: read |
| auto-merge-dependabot | contents: read, pull-requests: write | contents: read | auto-merge: pull-requests: write |
| auto-merge-release-please | contents: read, pull-requests: write | contents: read | auto-merge: pull-requests: write |
| codeql | contents: read | (unchanged) | analyze keeps its existing per-job perms |
| docs-on-release | contents: write | contents: read | update-docs: contents: write, actions: write |
| first-interaction | issues/pull-requests: write | contents: read | greet: issues/pull-requests: write |
| labeler | contents: read, pull-requests: write | contents: read | label: pull-requests: write |
| lychee | contents: read, issues: write | contents: read | link-check: issues: write |
| node-matrix | contents: read | (unchanged) | |
| outdated-watch | contents: read, issues: write | contents: read | scan: issues: write |
| pages | contents: read, pages: write, id-token: write | contents: read | deploy: pages: write, id-token: write |
| publish-cli | contents: read, id-token: write | contents: read | publish: id-token: write |
| publish-mcp | contents: read, id-token: write | contents: read | publish: id-token: write |
| publish-pysdk | contents: write, id-token: write | contents: read | build-and-publish: contents: write, id-token: write |
| release-drafter | contents: read | (unchanged) | draft keeps its existing per-job perms |
| release-please | contents/pull-requests: write | contents: read | release: contents/pull-requests: write |
| render | contents: write | contents: read | render: contents: write |
| scorecard | read-all | contents: read | analysis keeps its existing per-job perms |
| secret-scan | contents: read | (unchanged) | |
| semantic-pr | pull-requests: read | contents: read | validate: pull-requests: read |
| smoke | contents: read | (unchanged) | |
| stale | contents: read, issues/pull-requests: write | contents: read | stale: issues/pull-requests: write |
| sync | contents: write, actions: write | contents: read | sync: contents/actions: write |
| validate | contents: read | (unchanged) | |

B. Workflow bug fixes

  1. semantic-pr was failing with Resource not accessible by integration. The job now declares per-job contents: read + pull-requests: read explicitly so pull_request_target events still resolve correctly.
  2. first-interaction was failing with missing issue_message input. The action (actions/first-interaction@v3) uses underscore input names (issue_message, pr_message, repo_token) — the previous workflow used dashes which were silently dropped. Renamed all three to match the action's action.yml.

Verification

Test plan

  • Scorecard re-run shows Token-Permissions at 10/10.
  • Next PR triggers semantic-pr and it succeeds without the "Resource not accessible" error.
  • First-time contributor PR / issue triggers first-interaction and posts the canned greeting.
  • release-please, pages, publish-*, sync continue to operate end-to-end on their next normal trigger.
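The per-job pattern the PR applies, shown as an added example rather than one of this repository's workflows: a hypothetical workflow named pr-hygiene that combines three of the job shapes from the table above (a read-only validation job on pull_request_target, a labeling job that may only touch the PR, and a first-interaction greeting). The workflow name, job names, the script path scripts/check-pr-title.sh, the label needs-triage and the greeting text are assumptions chosen for illustration; the underscore input names on actions/first-interaction@v3 are the ones the PR description states. The caveat worth knowing when pushing scopes down is in the comments: a job-level permissions block replaces the workflow-level block for that job, it does not merge with it, so a job that adds pull-requests: read must repeat contents: read or it loses checkout access, which is the shape of the semantic-pr failure described in section B.

```yaml
# Added example, not a workflow from this repository. Job names, the script
# path, the label and the greeting text are assumptions for illustration.
name: pr-hygiene

on:
  pull_request_target:
    types: [opened, edited, synchronize]
  issues:
    types: [opened]

# Before (the shape Scorecard's Token-Permissions check scores 0/10): one
# workflow-level block handing write scopes to every job, including the jobs
# that only read:
#
#   permissions:
#     contents: write
#     issues: write
#     pull-requests: write
#
# After: a read-only workflow-level baseline. Every scope not listed here is
# "none" for every job unless that job re-declares it.
permissions:
  contents: read

jobs:
  validate:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request_target'
    # A job-level permissions block replaces the workflow-level one for this
    # job (it does not merge), so contents: read must be repeated here or the
    # job silently loses it when pull-requests: read is added.
    permissions:
      contents: read
      pull-requests: read
    steps:
      # On pull_request_target this checks out the base ref, not the PR head.
      # Keep it that way in any job whose token is reachable from a script.
      - uses: actions/checkout@v4
      # Pass untrusted PR data through an environment variable instead of
      # interpolating it into the shell line, so a crafted title cannot
      # inject commands into the runner.
      - name: Validate PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: ./scripts/check-pr-title.sh "$PR_TITLE"

  label:
    runs-on: ubuntu-latest
    needs: validate
    # The only job allowed to modify the PR. No contents scope is declared,
    # so this job cannot check out or push code even if a step tried to.
    permissions:
      pull-requests: write
    steps:
      - name: Add triage label
        env:
          GH_TOKEN: ${{ github.token }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: gh pr edit "$PR_URL" --add-label needs-triage

  greet:
    runs-on: ubuntu-latest
    if: github.event.action == 'opened'
    permissions:
      issues: write
      pull-requests: write
    steps:
      - uses: actions/first-interaction@v3
        with:
          # Underscore input names, as the PR description states for v3;
          # dashed names are not inputs of this action and are dropped.
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          issue_message: Thanks for opening your first issue here.
          pr_message: Thanks for opening your first pull request here.
```

To confirm the result the way the test plan does, run the Scorecard CLI against the merged default branch with GITHUB_AUTH_TOKEN set, for example scorecard --repo=github.com/OWNER/REPO --checks=Token-Permissions, and read the per-workflow findings rather than only the score: any remaining workflow-level write scope is listed by file and line.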

Copilot AI review requested due to automatic review settings May 11, 2026 14:47
@coderabbitai

coderabbitai Bot commented May 11, 2026

Warning

Rate limit exceeded

@amacsmith has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 55 minutes and 42 seconds before requesting another review.


📥 Commits

Reviewing files that changed from the base of the PR and between 88802c7 and de73aa0.

📒 Files selected for processing (16)
  • .github/workflows/add-from-issue.yml
  • .github/workflows/auto-merge-dependabot.yml
  • .github/workflows/auto-merge-release-please.yml
  • .github/workflows/auto-merge.yml
  • .github/workflows/docs-on-release.yml
  • .github/workflows/first-interaction.yml
  • .github/workflows/labeler.yml
  • .github/workflows/lychee.yml
  • .github/workflows/outdated-watch.yml
  • .github/workflows/pages.yml
  • .github/workflows/release-please.yml
  • .github/workflows/render.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/semantic-pr.yml
  • .github/workflows/stale.yml
  • .github/workflows/sync.yml

…ix semantic-pr + first-interaction

- Tightens every workflow's permission scope to per-job least-privilege
  (top-level `contents: read`; write-scopes pushed down to the job that
  needs them) so OpenSSF Scorecard's `Token-Permissions` check goes from
  0/10 to clean.
- Fixes `semantic-pr` "Resource not accessible by integration" by adding
  explicit per-job `contents: read` + `pull-requests: read`.
- Fixes `first-interaction` "missing issue_message input" by using the
  correct underscore input names (`issue_message`, `pr_message`,
  `repo_token`) the action actually defines — the previous dashed
  variants were silently dropped.
@amacsmith amacsmith force-pushed the ci/least-privilege-perms branch from acf3895 to de73aa0 Compare May 11, 2026 14:49
@amacsmith amacsmith merged commit ad67791 into main May 11, 2026
11 of 14 checks passed
@amacsmith amacsmith deleted the ci/least-privilege-perms branch May 11, 2026 14:49

Copilot AI left a comment


Pull request overview

This PR tightens GitHub Actions GITHUB_TOKEN permissions across workflows by adopting a workflow-level read-only baseline and moving any required write scopes down to the specific jobs that need them, aligning with OpenSSF Scorecard’s Token-Permissions guidance. It also addresses two workflow failures (semantic-pr permissions on pull_request_target, and first-interaction input naming).

Changes:

  • Standardize most workflows to permissions: contents: read at the workflow level, with job-level overrides for required write scopes (e.g., contents: write, pull-requests: write, issues: write, actions: write, pages: write, id-token: write).
  • Fix semantic-pr failing on pull_request_target by explicitly setting job permissions (contents: read, pull-requests: read).
  • Fix first-interaction failing due to incorrect input names by switching to underscore-based input keys.

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| .github/workflows/sync.yml | Moves contents/actions: write to the sync job while keeping a read-only workflow baseline. |
| .github/workflows/stale.yml | Moves issues/pull-requests: write to the stale job while keeping a read-only workflow baseline. |
| .github/workflows/semantic-pr.yml | Sets workflow baseline to contents: read and adds explicit job-level contents/pull-requests: read. |
| .github/workflows/scorecard.yml | Replaces read-all with contents: read at workflow level while retaining job-level perms needed for SARIF + publishing. |
| .github/workflows/render.yml | Sets workflow baseline to contents: read and scopes contents: write to the render job. |
| .github/workflows/release-please.yml | Sets workflow baseline to contents: read and scopes contents/pull-requests: write to the release job. |
| .github/workflows/publish-pysdk.yml | Sets workflow baseline to contents: read and scopes contents: write + id-token: write to the publish job. |
| .github/workflows/publish-mcp.yml | Moves id-token: write from workflow to the publish job. |
| .github/workflows/publish-cli.yml | Moves id-token: write from workflow to the publish job. |
| .github/workflows/pages.yml | Moves pages/id-token: write to the deploy job, adds explicit perms per job. |
| .github/workflows/outdated-watch.yml | Moves issues: write to the scan job while keeping a read-only workflow baseline. |
| .github/workflows/lychee.yml | Moves issues: write to the link-check job while keeping a read-only workflow baseline. |
| .github/workflows/labeler.yml | Moves pull-requests: write to the label job while keeping a read-only workflow baseline. |
| .github/workflows/first-interaction.yml | Moves write permissions to the greet job and fixes action input names. |
| .github/workflows/docs-on-release.yml | Sets workflow baseline to contents: read and scopes contents/actions: write to the update-docs job. |
| .github/workflows/auto-merge.yml | Sets workflow baseline to contents: read and scopes pull-requests: write + checks: read to the job. |
| .github/workflows/auto-merge-release-please.yml | Moves pull-requests: write to the auto-merge job while keeping a read-only workflow baseline. |
| .github/workflows/auto-merge-dependabot.yml | Moves pull-requests: write to the auto-merge job while keeping a read-only workflow baseline. |
| .github/workflows/add-from-issue.yml | Scopes contents/issues/pull-requests: write to the parse-and-pr job while keeping a read-only workflow baseline. |


@github-actions github-actions Bot mentioned this pull request May 12, 2026

2 participants