fix(ci): grant required permissions to review wrappers#29

Merged
Mehdi-Bl merged 2 commits into main from fix/review-wrapper-permissions on Feb 15, 2026
Conversation

@Mehdi-Bl Mehdi-Bl commented Feb 15, 2026

Summary

  • grant explicit permissions required by reusable review workflows
  • fix workflow_dispatch startup failures after centralizing workflow wrappers

Validation

  • trigger manual dispatch after merge to verify both wrappers run

Summary by Sourcery

CI:

  • Set explicit read permissions at the workflow level and write/id-token permissions at the job level for manual Claude and Opencode review workflows.

@gemini-code-assist

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@qodo-free-for-open-source-projects

Review Summary by Qodo

Grant required permissions to review workflow wrappers

🐞 Bug fix

Walkthroughs

Description
• Grant explicit permissions to review workflow wrappers
• Fix workflow_dispatch startup failures after centralizing workflows
• Add required permissions: contents read, pull-requests write, issues write, id-token write
Diagram
flowchart LR
  A["Review Workflows<br/>claude-review-manual<br/>opencode-review-manual"] -->|"Add Permissions"| B["permissions:<br/>contents: read<br/>pull-requests: write<br/>issues: write<br/>id-token: write"]
  B -->|"Enable"| C["Reusable Workflow<br/>Execution"]

File Changes

1. .github/workflows/claude-review-manual.yml 🐞 Bug fix +5/-1

Add explicit permissions to Claude review workflow

• Replace empty permissions object with explicit permission grants
• Add contents read, pull-requests write, issues write, and id-token write permissions
• Enable manual dispatch workflow to execute reusable review workflow

.github/workflows/claude-review-manual.yml


2. .github/workflows/opencode-review-manual.yml 🐞 Bug fix +5/-1

Add explicit permissions to OpenCode review workflow

• Replace empty permissions object with explicit permission grants
• Add contents read, pull-requests write, issues write, and id-token write permissions
• Enable manual dispatch workflow to execute reusable review workflow

.github/workflows/opencode-review-manual.yml



@sourcery-ai

sourcery-ai bot commented Feb 15, 2026

Reviewer's Guide

This PR updates the manual GitHub Actions review workflows to explicitly declare the permissions required by the reusable review workflows, resolving workflow_dispatch startup failures after centralizing workflow wrappers.

Flow diagram for manual dispatch of review workflows with permissions

flowchart TD
  A[User triggers workflow_dispatch for review] --> B{Which manual workflow}
  B -->|claude-review-manual| C[Start claude-review-manual]
  B -->|opencode-review-manual| D[Start opencode-review-manual]

  C --> E[Apply workflow permissions contents: read]
  D --> F[Apply workflow permissions contents: read]

  E --> G[Start claude-review job]
  F --> H[Start opencode-review job]

  subgraph Claude_Job[claude-review job permissions]
    G --> G1[contents: read]
    G --> G2[pull-requests: write]
    G --> G3[issues: write]
    G --> G4[id-token: write]
  end

  subgraph OpenCode_Job[opencode-review job permissions]
    H --> H1[contents: read]
    H --> H2[pull-requests: write]
    H --> H3[issues: write]
    H --> H4[id-token: write]
  end

  G1 --> I[Call reusable-claude-review workflow]
  G2 --> I
  G3 --> I
  G4 --> I

  H1 --> J[Call reusable-opencode-review workflow]
  H2 --> J
  H3 --> J
  H4 --> J

File-Level Changes

Change Details Files
Grant explicit GitHub Actions permissions required by the reusable manual review workflows.
  • Replace empty top-level workflow permissions with read-only contents permission so workflows can be triggered and read repository data.
  • Add job-level permissions for manual review jobs to allow reading contents, writing to pull requests and issues, and issuing id-tokens needed by the reusable workflows.
  • Apply the same permission adjustments to both the Claude and OpenCode manual review workflow definitions.
.github/workflows/claude-review-manual.yml
.github/workflows/opencode-review-manual.yml


@qodo-free-for-open-source-projects

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)

Remediation recommended

1. Workflow-scope token elevation 🐞 Bug ⛨ Security
Description
The manual review wrappers grant broad write permissions (PRs/issues) and OIDC minting (`id-token: write`) at the workflow scope while delegating execution to an external reusable workflow, increasing blast radius for workflow_dispatch runs and for any future jobs added to these workflows. Because the reusable workflows live outside this repo, the necessity of each permission cannot be verified here; scoping/guardrails should be added to keep least-privilege.
Code

.github/workflows/claude-review-manual.yml[R16-20]

+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+  id-token: write
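Review bot: this hunk places all four grants at the workflow root of claude-review-manual.yml, while the PR summary says the write and id-token scopes go at the job level with only read access at the workflow level; one of the two is off and should be reconciled before merge. Workflow-level `permissions` is the default for every job in the file, including any added later, so keep the top-level block to `contents: read` (or `permissions: {}` as sonarcloud.yml does) and move `pull-requests: write`, `issues: write` and `id-token: write` onto the `claude-review` job only. Since the called reusable workflow lives outside this repo, add a one-line comment next to each scope naming the step that needs it, so the grant can be re-checked when the reusable workflow changes.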
Evidence
Both manual wrappers now set elevated permissions at the workflow root, and both jobs execute an external reusable workflow (codingworkflow/codingworkflow-security-policies/...). This means the called workflow runs with these privileges. In-repo precedent (sonarcloud.yml) shows a pattern of setting permissions: {} at the workflow level and scoping elevated permissions at the job level, reducing inherited permissions blast radius.

.github/workflows/claude-review-manual.yml[16-33]
.github/workflows/opencode-review-manual.yml[31-52]
.github/workflows/sonarcloud.yml[9-19]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The manual review wrappers grant elevated `GITHUB_TOKEN` permissions at the workflow scope (PR/issue write + OIDC token minting). Since these workflows delegate execution to external reusable workflows, this increases blast radius and makes it harder to reason about least-privilege.

## Issue Context
- These workflows are `workflow_dispatch` wrappers that call external reusable workflows.
- Because the reusable workflows are outside this repo, we cannot verify here which permissions are strictly required.

## Fix Focus Areas
- .github/workflows/claude-review-manual.yml[16-20]
- .github/workflows/opencode-review-manual.yml[31-35]

## Suggested change
1. Set workflow-level permissions back to `{}`.
2. Add job-level `permissions:` on `claude-review` / `opencode-review` (same set you currently grant, or narrower if you can confirm).
3. (Optional, recommended) Add a first `authorize` job with `permissions: {}` that checks `github.actor` is allowed (e.g., against `vars.ALLOWED_ACTORS`) and make the review job depend on it.
4. Add comments explaining why `pull-requests: write`, `issues: write`, and `id-token: write` are required.

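A wrapper laid out along the lines of the suggested change above (workflow-level `permissions: {}`, scopes on the review job only, and a gating `authorize` job that checks `github.actor` against `vars.ALLOWED_ACTORS`), as an added example that is not code from this PR or the repository. The reusable workflow reference is a placeholder, `ALLOWED_ACTORS` is the variable name assumed from the review suggestion, and the per-scope comments state what each scope would typically be needed for, which must be confirmed against the actual reusable workflow.

```yaml
name: Claude review (manual)

on:
  workflow_dispatch:

# Workflow-level default: no GITHUB_TOKEN permissions at all. Every job must
# opt in explicitly, so a job added to this file later inherits nothing.
permissions: {}

jobs:
  authorize:
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - name: Check that the dispatching actor is on the allow list
        env:
          ACTOR: ${{ github.actor }}
          # Assumed repository variable holding a comma-separated allow list,
          # e.g. "alice,bob". The name comes from the review suggestion; the
          # page does not define it.
          ALLOWED: ${{ vars.ALLOWED_ACTORS }}
        run: |
          # Match whole names between commas so "bob" does not match "bobby".
          case ",${ALLOWED}," in
            *",${ACTOR},"*) echo "actor ${ACTOR} is allowed" ;;
            *) echo "::error::actor ${ACTOR} is not listed in ALLOWED_ACTORS"; exit 1 ;;
          esac

  claude-review:
    needs: authorize
    # Elevated scopes live on this job only; no other job in the file gets them.
    # Each reason below is an assumption to verify against the reusable workflow.
    permissions:
      contents: read        # read the repository being reviewed
      pull-requests: write  # post review comments on the pull request
      issues: write         # create or update issue-style comments, if the reviewer does that
      id-token: write       # mint an OIDC token, if the reviewer authenticates to a cloud provider that way
    # Placeholder: replace with the repository's real reusable workflow reference.
    uses: OWNER/REPO/.github/workflows/reusable-claude-review.yml@main
    secrets: inherit
```

A caller job can only pass scopes it holds down to the reusable workflow, never add to them, so the `permissions` block on `claude-review` is the ceiling for everything the external workflow does in this run. If a scope turns out to be unused, dropping it here is enough; the reusable workflow does not need to change.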

@sourcery-ai sourcery-ai bot left a comment


Hey - I've left some high level feedback:

  • You’re specifying permissions both at the workflow level and the job level; consider whether the top-level contents: read is necessary given the more specific job permissions, or if you can consolidate to a single definition for clarity.
  • Double-check that id-token: write is actually required by the reusable workflows, and if not, drop it to keep the token scope as minimal as possible.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- You’re specifying `permissions` both at the workflow level and the job level; consider whether the top-level `contents: read` is necessary given the more specific job permissions, or if you can consolidate to a single definition for clarity.
- Double-check that `id-token: write` is actually required by the reusable workflows, and if not, drop it to keep the token scope as minimal as possible.


@Mehdi-Bl Mehdi-Bl merged commit 826f4c2 into main Feb 15, 2026
9 checks passed
@Mehdi-Bl Mehdi-Bl deleted the fix/review-wrapper-permissions branch February 15, 2026 01:15