fix: update stale workflow permissions for reusable workflow compatibility

[coderabbitai]

Problem

The stale workflow in this repository is failing due to a permissions mismatch with the reusable workflow at cpp-linter/.github/.github/workflows/stale.yml.

Error from Actions run: https://github.com/cpp-linter/cpp-linter-action/actions/runs/17632456845

Invalid workflow file: .github/workflows/stale.yml#L9
The workflow is not valid. .github/workflows/stale.yml (Line: 9, Col: 3): Error calling workflow 'cpp-linter/.github/.github/workflows/stale.yml@main'. The nested job 'stale' is requesting 'contents: read, pull-requests: write', but is only allowed 'contents: none, pull-requests: none'.

Root Cause

The calling workflow doesn't provide sufficient permissions for the reusable workflow's job-level permissions to inherit from.

Solution

Following hardened security practices with job-level permissions (principle of least privilege):

1. Set workflow-level permissions to permissions: {}
2. Add job-level permissions only for the stale job:

permissions: {}

jobs:
  stale:
    permissions:
      contents: read
      issues: write
      pull-requests: write
    uses: cpp-linter/.github/.github/workflows/stale.yml@main

Related

• Original PR: fix: add permissions section to stale.yml workflow .github#55
• Comment: fix: add permissions section to stale.yml workflow .github#55 (comment)

[2bndy5]

@coderabbitai Please submit a PR to resolve this. Your proposal seems correct and desirable.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

I understand you'd like me to create a PR to fix the stale workflow permissions issue. Let me first examine the current workflow file to provide you with the exact solution.

---

🏁 Script executed:

#!/bin/bash
# Find and examine the stale workflow file
fd -t f stale.yml .github/workflows/
cat .github/workflows/stale.yml

Length of output: 202

---

@2bndy5, I can see the current stale workflow file and understand exactly what needs to be fixed. However, I should clarify that I cannot directly create pull requests or commit code to repositories, as per my operational guidelines.

Instead, I can provide you with the exact solution that needs to be implemented:

Current .github/workflows/stale.yml:

name: 'Close stale issues'
on:
  schedule:
    - cron: '30 1 * * *'
permissions:
  issues: write

jobs:
  stale:
    uses: cpp-linter/.github/.github/workflows/stale.yml@main

Fixed .github/workflows/stale.yml:

name: 'Close stale issues'
on:
  schedule:
    - cron: '30 1 * * *'
permissions: {}

jobs:
  stale:
    permissions:
      contents: read
      issues: write
      pull-requests: write
    uses: cpp-linter/.github/.github/workflows/stale.yml@main

Changes made:

1. Changed workflow-level permissions: issues: write to permissions: {}
2. Added job-level permissions with contents: read, issues: write, and pull-requests: write

This follows the principle of least privilege by granting permissions only at the job level where they're needed, and provides all the permissions required by the reusable workflow (contents: read, pull-requests: write) plus the existing issues: write permission.

You can create the PR with these changes to resolve the workflow compatibility issue.

---

🧠 Learnings used

Learnt from: 2bndy5
PR: cpp-linter/cpp-linter-action#320
File: .github/workflows/release.yml:18-20
Timestamp: 2025-08-28T09:02:32.154Z
Learning: The release.yml workflow in cpp-linter-action only performs git tag operations (checkout, tag creation/update, and force push) and does not create or modify any files in the repository. The contents: write permission is sufficient for this workflow's tag management functionality.

[2bndy5]

However, I should clarify that I cannot directly create pull requests or commit code to repositories, as per my operational guidelines.

Looks like a job for copilot