
Conversation


Copilot AI commented Nov 5, 2025

The activation job includes a sparse checkout of .github/workflows for timestamp validation but was missing the required contents: read permission.

Changes

  • pkg/workflow/compiler_jobs.go: Modified buildActivationJob to always include contents: read in permissions map, conditionally adding reaction permissions (discussions, issues, pull-requests write) when AIReaction is configured
  • pkg/workflow/task_and_reaction_permissions_test.go: Updated test to expect contents: read
  • pkg/workflow/reaction_none_test.go: Added assertions verifying contents: read present in both reaction-enabled and reaction-disabled scenarios

Result

Activation job now correctly scopes permissions based on workflow needs:

# Without reactions
activation:
  permissions:
    contents: read

# With reactions (command workflows)
activation:
  permissions:
    contents: read
    discussions: write
    issues: write
    pull-requests: write

Original prompt

The activation job should have permissions: contents: read to support checkout of the workflow files.

    runs-on: ubuntu-slim
    permissions: # needs to read contents!
      discussions: write
      issues: write
      pull-requests: write
    outputs:
      comment_id: ${{ steps.react.outputs.comment-id }}
      comment_repo: ${{ steps.react.outputs.comment-repo }}
      comment_url: ${{ steps.react.outputs.comment-url }}
      reaction_id: ${{ steps.react.outputs.reaction-id }}
      text: ${{ steps.compute-text.outputs.text }}
    steps:
      - name: Checkout workflows
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          sparse-checkout: |
            .github/workflows
          sparse-checkout-cone-mode: false
          fetch-depth: 1
          persist-credentials: false

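The permission rule the PR describes, and the check a reviewer would want automated for it, as an added Go example (this is not the project's own compiler code; the `Job` type, the function names, the `"eyes"` reaction value and the sample jobs are constructed for illustration). `activationPermissions` always grants `contents: read` and adds the three reaction write scopes only when a reaction is configured; `validateCheckout` flags any job that uses `actions/checkout` without at least `contents: read`, which is exactly the defect the PR fixed.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Job is a constructed, minimal model of a compiled GitHub Actions job: the
// permissions it declares and the `uses:` references of its steps. It is an
// assumption of this example, not the compiler's own type.
type Job struct {
	Name        string
	Permissions map[string]string
	Uses        []string
}

// activationPermissions reproduces the rule described in the PR: contents: read
// is unconditional because actions/checkout needs it, and the reaction write
// scopes are added only when an AI reaction is configured (empty = disabled).
func activationPermissions(aiReaction string) map[string]string {
	perms := map[string]string{"contents": "read"}
	if aiReaction != "" {
		perms["discussions"] = "write"
		perms["issues"] = "write"
		perms["pull-requests"] = "write"
	}
	return perms
}

// renderPermissions emits the block as YAML with sorted keys so that
// regenerated lock files diff deterministically.
func renderPermissions(perms map[string]string) string {
	keys := make([]string, 0, len(perms))
	for k := range perms {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	b.WriteString("permissions:\n")
	for _, k := range keys {
		fmt.Fprintf(&b, "  %s: %s\n", k, perms[k])
	}
	return b.String()
}

// ErrMissingContentsRead is returned when a job checks out the repository
// without granting read access to its contents.
var ErrMissingContentsRead = errors.New("job uses actions/checkout but lacks contents: read")

// validateCheckout flags any job whose steps use actions/checkout but whose
// explicit permissions block omits contents. Once a job declares any
// permission, every scope not listed is reduced to none for GITHUB_TOKEN,
// so an omitted contents scope means the checkout fetch has no read access.
func validateCheckout(job Job) error {
	usesCheckout := false
	for _, u := range job.Uses {
		if strings.HasPrefix(u, "actions/checkout@") {
			usesCheckout = true
			break
		}
	}
	if !usesCheckout {
		return nil
	}
	switch job.Permissions["contents"] {
	case "read", "write": // write implies read for GITHUB_TOKEN
		return nil
	}
	return fmt.Errorf("%s: %w", job.Name, ErrMissingContentsRead)
}

func main() {
	// Constructed sample: the activation job as shown in the original prompt
	// (reaction scopes only) and after the fix (contents: read added).
	checkout := []string{"actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8"}
	before := Job{Name: "activation", Uses: checkout, Permissions: map[string]string{
		"discussions": "write", "issues": "write", "pull-requests": "write",
	}}
	after := Job{Name: "activation", Uses: checkout, Permissions: activationPermissions("eyes")}
	fmt.Println("before fix:", validateCheckout(before))
	fmt.Println("after fix: ", validateCheckout(after))
	fmt.Print(renderPermissions(activationPermissions("")))
}
```

One caveat worth keeping in mind when reading the checkout step in the prompt: `persist-credentials: false` only stops the token from being written into the checked-out `.git/config` for later steps; the fetch itself still authenticates with `GITHUB_TOKEN`, so it does not remove the need for `contents: read`.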

Copilot AI changed the title from "[WIP] Add permissions for contents read in activation job" to "Add contents:read permission to activation job for checkout step" on Nov 5, 2025
Copilot AI requested a review from pelikhan November 5, 2025 17:46
@pelikhan pelikhan marked this pull request as ready for review November 5, 2025 17:48
Copilot AI review requested due to automatic review settings November 5, 2025 17:48

Copilot AI left a comment

Pull Request Overview

This PR adds the contents: read permission to all activation jobs in GitHub Actions workflows. The activation jobs use actions/checkout to perform sparse checkout of the .github/workflows directory for timestamp validation, which requires read access to repository contents.

Key changes:

  • Modified compiler_jobs.go to always include contents: read permission in the activation job's permission map
  • Updated test files to verify that contents: read permission is present in activation jobs
  • Regenerated 70+ workflow lock files with the new contents: read permission in their activation jobs

Reviewed Changes

Copilot reviewed 70 out of 70 changed files in this pull request and generated no comments.

Files reviewed:

  • pkg/workflow/compiler_jobs.go: Added contents: read to the permissions map for all activation jobs, with explanatory comments
  • pkg/workflow/task_and_reaction_permissions_test.go: Updated test to check for contents: read permission instead of checking for its absence
  • pkg/workflow/reaction_none_test.go: Added test assertions to verify contents: read permission exists even when reactions are disabled
  • .github/workflows/*.lock.yml (70+ files): Regenerated workflow files with contents: read permission added to activation jobs


@pelikhan pelikhan merged commit dd10386 into main Nov 5, 2025
66 checks passed
@pelikhan pelikhan deleted the copilot/add-permissions-for-checkout branch November 5, 2025 19:13