[task] Reduce excessive permissions in test-claude-oauth-workflow #3124

@github-actions

Description

Objective

Replace overly broad permissions: read-all with explicit minimal permissions in test-claude-oauth-workflow.

Context

The test-claude-oauth-workflow currently uses permissions: read-all, which grants the job's GITHUB_TOKEN read access to every permission scope, including scopes the workflow never touches. That violates the principle of least privilege and widens the attack surface if the agent, a tool it calls, or a dependency is compromised (MEDIUM severity). This was identified in the static analysis report as an excessive-permissions issue.

Related to discussion #3120 - Static Analysis Report finding #2.

Approach

  1. Analyze what permissions the workflow actually needs based on its operations
  2. Replace permissions: read-all with explicit minimal permissions
  3. Test the workflow to ensure it still functions correctly with reduced permissions

Files to Modify

  • .github/workflows/test-claude-oauth-workflow.md - Update permissions from read-all to explicit minimal set
  • Recompile with gh aw compile test-claude-oauth-workflow

Suggested Permissions

Based on typical agentic workflow needs:

permissions:
  contents: read
  issues: write
  pull-requests: write

Adjust to what the workflow actually does: keep only the scopes its operations need, and drop issues: write or pull-requests: write if it never creates or edits issues or pull requests, since write scopes on an agent-driven job are the ones that matter most.
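Added example for steps 1 and 2 of the approach and for the acceptance check on read-all; this is illustration code written for this issue, not part of gh-aw, the workflow, or zizmor. It assumes, as gh-aw markdown workflows do, that the configuration sits in YAML frontmatter between two --- lines, and it scans that frontmatter (or a plain .yml file) for the scalar forms permissions: read-all and permissions: write-all at workflow or job level. The explicit scope mapping it collects is then compared against a hand-supplied "required" set from the step 1 analysis; both sample workflow texts and the required set below are constructed stand-ins, not the real file.

```python
"""Flag broad `permissions:` grants in a GitHub workflow and report explicit
scopes that exceed what the workflow needs. Standard library only: a small
line-based scanner stands in for a YAML parser and understands the two forms
GitHub Actions accepts:

    permissions: read-all        # scalar form (what this issue removes)
    permissions:                 # mapping form (explicit scopes)
      contents: read
"""
import re
from dataclasses import dataclass, field

BROAD_GRANTS = {"read-all", "write-all"}
LEVEL_RANK = {"none": 0, "read": 1, "write": 2}

_PERM_LINE = re.compile(r"^(\s*)permissions:\s*(.*?)\s*(?:#.*)?$")
_SCOPE_LINE = re.compile(r"^(\s*)([a-z][a-z-]*):\s*(read|write|none)\s*(?:#.*)?$")


@dataclass
class Finding:
    line: int      # 1-based line number in the text as passed in
    indent: int    # 0 = workflow-level block, >0 = inside a job
    message: str


@dataclass
class PermissionsReport:
    scopes: dict = field(default_factory=dict)    # workflow-level explicit scopes
    findings: list = field(default_factory=list)


def _yaml_range(lines):
    """Index range to scan: the frontmatter of a gh-aw `.md` workflow (between
    the leading `---` fences, assumed layout), or the whole file otherwise."""
    if lines and lines[0].strip() == "---":
        for end in range(1, len(lines)):
            if lines[end].strip() == "---":
                return 1, end
    return 0, len(lines)


def audit_permissions(text):
    """Return broad-grant findings plus the workflow-level explicit scopes."""
    report = PermissionsReport()
    lines = text.splitlines()
    i, end = _yaml_range(lines)
    while i < end:
        m = _PERM_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, value = len(m.group(1)), m.group(2)
        where = "workflow-level" if indent == 0 else "job-level"
        if value in BROAD_GRANTS:
            report.findings.append(Finding(i + 1, indent,
                f"{where} 'permissions: {value}' grants every scope; "
                "replace it with an explicit minimal set"))
            i += 1
            continue
        if value and value != "{}":   # `{}` is a valid empty mapping
            report.findings.append(Finding(i + 1, indent,
                f"{where} permissions value {value!r} is not a recognised form"))
            i += 1
            continue
        i += 1   # mapping form: collect scope lines indented under `permissions:`
        while i < end:
            stripped = lines[i].strip()
            if stripped == "" or stripped.startswith("#"):
                i += 1
                continue
            s = _SCOPE_LINE.match(lines[i])
            if not s or len(s.group(1)) <= indent:
                break
            if indent == 0:
                report.scopes[s.group(2)] = s.group(3)
            i += 1
    return report


def excess_scopes(granted, required):
    """Scopes granted above the level the workflow needs (`required` comes from
    the manual analysis in step 1). Returns {scope: (granted, required)};
    an empty dict means the explicit set is already minimal."""
    excess = {}
    for scope, level in granted.items():
        need = required.get(scope, "none")
        if LEVEL_RANK[level] > LEVEL_RANK[need]:
            excess[scope] = (level, need)
    return excess


# Constructed stand-ins for the workflow before and after the change.
BEFORE = "---\non:\n  workflow_dispatch:\npermissions: read-all\n---\n# body\n"
AFTER = ("---\non:\n  workflow_dispatch:\npermissions:\n  contents: read\n"
         "  issues: write\n  pull-requests: write\n---\n# body\n")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        r = audit_permissions(text)
        print(label, [f.message for f in r.findings], r.scopes)
    # Hypothetical step-1 result: the workflow only reads code and files issues.
    print(excess_scopes(audit_permissions(AFTER).scopes,
                        {"contents": "read", "issues": "write"}))
```

Running it on the "before" text reports the workflow-level read-all on its line; on the "after" text it reports nothing and collects the three explicit scopes, and excess_scopes then shows pull-requests: write as the one grant the hypothetical required set does not justify. Treat that as the human check behind acceptance criterion 2; the zizmor run in criterion 5 remains the authoritative scan.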

Acceptance Criteria

  • permissions: read-all removed from workflow
  • Explicit minimal permissions defined
  • Workflow compiles successfully
  • Workflow functions correctly with new permissions
  • Zizmor scan shows no excessive-permissions findings for this workflow

Related to 🔍 Static Analysis Report - November 4, 2025 #3120

AI generated by Plan Command for discussion #3120
