[task] Reduce excessive permissions in ci-doctor.md (MEDIUM severity) #3983

@github-actions

Objective

Replace overly broad permissions: read-all with specific minimal permissions in ci-doctor.md.

Context

The ci-doctor workflow grants broader permissions than necessary, violating the principle of least privilege. This increases the attack surface if the workflow is compromised.

Identified at 2 locations (lines 57, 570) in the static analysis report (discussion #3945).

Approach

  1. Identify exact permissions needed by reviewing the workflow's GitHub API calls
  2. Replace permissions: read-all at workflow level with specific permissions
  3. Review and minimize job-level permissions for the agent job
  4. Test to ensure workflow functionality is preserved

Files to Modify

  • .github/workflows/ci-doctor.md:
    • Line 57: Workflow-level permissions
    • Line 570: Job-level permissions for agent job

Recommended Permissions

permissions:
  actions: read      # To query workflow runs
  contents: read     # To read repository files
  issues: write      # To create issues for failures
  pull-requests: read # If needed for PR analysis
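The detection half of the Approach above (steps 1 and 2) and the recommended set just listed, as an added example that is not part of this issue or of the gh-aw project's own code: a small Python checker that reads the YAML frontmatter of a workflow markdown file, reports `permissions: read-all` / `write-all` scalars at workflow or job level, and lists job-level scopes that exceed the recommended minimal set. The frontmatter layout and the sample file contents are constructed assumptions for the example; the real ci-doctor.md is not on this page, so its line numbers differ from the sample's.

```python
import re
from typing import Dict, List

# Constructed sample input for this example: a markdown workflow with YAML
# frontmatter, laid out the way the issue describes ci-doctor.md (a broad
# workflow-level grant plus a job-level block for the agent job). Every line
# here is invented; it is not the real file, and its line numbers differ.
SAMPLE_WORKFLOW = """---
on:
  workflow_run:
    workflows: ["CI"]
    types: [completed]
permissions: read-all
engine: copilot
jobs:
  agent:
    permissions:
      contents: write
      issues: write
      pull-requests: read
---

# CI Doctor
Investigate failing workflow runs and open an issue with the findings.
"""

# The minimal set recommended in the issue body.
RECOMMENDED = {"actions": "read", "contents": "read",
               "issues": "write", "pull-requests": "read"}

BROAD_SCALARS = {"read-all", "write-all"}
PERM_RE = re.compile(r"^(\s*)permissions:\s*(.*?)\s*$")
SCOPE_RE = re.compile(r"^(\s*)([a-z-]+):\s*(read|write|none)\s*$")
LEVEL = {"none": 0, "read": 1, "write": 2}


def parse_permissions_blocks(text: str) -> List[Dict]:
    """Find every `permissions:` key in the YAML frontmatter.

    Returns one dict per block: 1-based `line`, `indent` (0 means
    workflow-level, anything deeper is job-level), `scalar` for the short
    form (`read-all`, `write-all`) or None, and `scopes` for the mapping form.
    Deliberately line-based so the check needs no YAML library.
    """
    lines = text.splitlines()
    fences = [i for i, ln in enumerate(lines) if ln.strip() == "---"]
    if len(fences) < 2:          # no frontmatter: nothing to audit
        return []
    start, end = fences[0] + 1, fences[1]
    blocks, i = [], start
    while i < end:
        m = PERM_RE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, value = len(m.group(1)), m.group(2)
        block = {"line": i + 1, "indent": indent,
                 "scalar": value or None, "scopes": {}}
        i += 1
        if not value:            # mapping form: collect the indented children
            while i < end:
                sm = SCOPE_RE.match(lines[i])
                if not sm or len(sm.group(1)) <= indent:
                    break
                block["scopes"][sm.group(2)] = sm.group(3)
                i += 1
        blocks.append(block)
    return blocks


def excess_grants(granted: Dict[str, str], required: Dict[str, str]) -> Dict[str, str]:
    """Scopes granted above what is required: a scope absent from `required`
    counts as needing `none`, and `write` exceeds a required `read`."""
    return {scope: level for scope, level in granted.items()
            if LEVEL[level] > LEVEL[required.get(scope, "none")]}


def audit(text: str, required: Dict[str, str]) -> List[str]:
    """One finding per violation of the recommended least-privilege set."""
    findings = []
    for b in parse_permissions_blocks(text):
        where = "workflow-level" if b["indent"] == 0 else "job-level"
        if b["scalar"] in BROAD_SCALARS:
            findings.append(f"line {b['line']}: {where} 'permissions: {b['scalar']}' "
                            "grants every scope; replace it with explicit scopes")
        for scope, level in excess_grants(b["scopes"], required).items():
            findings.append(f"line {b['line']}: {where} '{scope}: {level}' exceeds "
                            f"the required '{required.get(scope, 'none')}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKFLOW, RECOMMENDED):
        print(finding)
```

Run against the sample it reports the workflow-level `read-all` and the job-level `contents: write` that the recommended set does not call for; run against a file whose blocks match `RECOMMENDED` it reports nothing, which is the state the acceptance criteria below ask for. Step 1 of the approach (confirming which API calls the workflow actually makes) still has to be done by hand, since that determines what `required` should contain.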

Acceptance Criteria

  • permissions: read-all removed from line 57
  • Specific minimal permissions added at workflow level
  • Job-level excessive permissions reviewed and minimized (line 570)
  • Workflow compiles successfully with gh aw compile ci-doctor
  • All existing CI Doctor functionality works correctly
  • No permission errors when workflow runs
  • Permissions follow principle of least privilege

Security Impact

Reduces attack surface by limiting permissions to only what is necessary. Prevents potential abuse if the workflow is compromised.

Estimated Effort

1 hour

AI generated by Plan Command for discussion #3945
