[Code Quality] Add explicit permissions to 14 workflows with risky event triggers

### Description

14 workflows are triggered by risky events (`issue_comment`, `pull_request_target`) but use default permissions (read-write access to most resources). This violates the principle of least privilege and creates a **supply chain security vulnerability** identified by the poutine scanner.

This issue was discovered in the [Static Analysis Report #12756](https://github.com/githubnext/gh-aw/discussions/12756).

### Security Impact

**Severity**: High  
**Risk**: Workflows triggered by untrusted events (comments, external PRs) have excessive permissions, enabling potential privilege escalation attacks.

### Files Affected (Edit .md files, NOT .lock.yml)

- `.github/workflows/ai-moderator.md`
- `.github/workflows/archie.md`
- `.github/workflows/brave.md`
- `.github/workflows/cloclo.md`
- `.github/workflows/grumpy-reviewer.md`
- `.github/workflows/mergefest.md`
- `.github/workflows/pdf-summary.md`
- `.github/workflows/plan.md`
- `.github/workflows/pr-nitpick-reviewer.md`
- `.github/workflows/q.md`
- `.github/workflows/scout.md`
- `.github/workflows/security-review.md`
- `.github/workflows/tidy.md`
- `.github/workflows/unbloat-docs.md`

### Fix Pattern

**Before**:
``````yaml
---
name: Example Workflow
on:
  issue_comment:
    types: [created]
---
``````

**After**:
``````yaml
---
name: Example Workflow
on:
  issue_comment:
    types: [created]
permissions:
  contents: read
  issues: write
  pull-requests: write
---
``````

### Common Permission Patterns

Choose the minimal permissions needed:

- **Read data and create reports**: `contents: read, issues: write, pull-requests: read`
- **Respond to comments**: `contents: read, issues: write, pull-requests: write`
- **Modify code**: `contents: write, issues: write, pull-requests: write`

### Success Criteria

- [ ] All 14 workflows have explicit `permissions:` section in frontmatter
- [ ] Each workflow uses minimal required permissions
- [ ] Workflows recompiled with `make recompile`
- [ ] Poutine scanner no longer reports `default_permissions_on_risky_events` warning
- [ ] All workflows continue to function correctly

### Priority

**High** - Security vulnerability affecting multiple workflows.

### References

- [GitHub Actions Security Hardening](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)
- [Poutine Security Scanner](https://github.com/boostsecurityio/poutine)

### Source

Extracted from [Static Analysis Report #12756](https://github.com/githubnext/gh-aw/discussions/12756)







> AI generated by [Discussion Task Miner - Code Quality Improvement Agent](https://github.com/githubnext/gh-aw/actions/runs/21539305616)
> - [x] expires  on Feb 14, 2026, 5:19 AM UTC

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Code Quality] Add explicit permissions to 14 workflows with risky event triggers #12875

Description

Security Impact

Files Affected (Edit .md files, NOT .lock.yml)

Fix Pattern

Common Permission Patterns

Success Criteria

Priority

References

Source

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Code Quality] Add explicit permissions to 14 workflows with risky event triggers #12875

Description

Description

Security Impact

Files Affected (Edit .md files, NOT .lock.yml)

Fix Pattern

Common Permission Patterns

Success Criteria

Priority

References

Source

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions