Add explicit permissions to GitHub workflows to follow principle of least privilege #799

Draft
Copilot wants to merge 2 commits into main from copilot/fix-workflow-permissions

Conversation

Contributor

Copilot AI commented Oct 21, 2025

Problem

Code scanning identified 8 security alerts where GitHub workflow files lacked explicit permissions. Without explicit permissions, workflows inherit repository or organization defaults, which may be overly permissive and violate the principle of least privilege.

The affected workflows were:

Solution

Added explicit permissions blocks to all affected workflows, granting only the minimum permissions required for each workflow to function:

Release Workflows

For chat-widget-release-manual.yml, chat-components-release.yml, and chat-components-release-manual.yml:

permissions:
  contents: read    # For checkout
  actions: write    # For uploading and downloading artifacts

PR Workflow

For chat-components-pr.yml:

permissions:
  contents: read       # For checkout
  actions: write       # For downloading and uploading artifacts

Issue Sync Workflow

For sync-issue-to-ado-work-item.yml:

permissions:
  issues: read    # For reading issue data to sync to ADO

Security Benefits

Principle of Least Privilege: Each workflow now has only the minimum permissions needed to perform its tasks
Read-only by default: Repository contents are read-only; write access is only granted to artifacts
Explicit and auditable: Permissions are clearly documented in each workflow file
Consistent: Aligns with existing workflows that already follow this pattern (e.g., chat-widget-pr.yml, chat-widget-release.yml)

Functionality Preserved

  • ✅ Release workflows can still build, test, and publish packages to npm
  • ✅ PR workflows can still upload test failure screenshots
  • ✅ Issue sync workflow can still read and sync issues to Azure DevOps
  • ✅ No changes to workflow logic or behavior

This change addresses all 8 code scanning alerts while maintaining full functionality of the existing CI/CD pipelines.

Original prompt

This section details the original issue you should resolve

<issue_title>Workflow does not contain permissions</issue_title>
<issue_description>Problem
Code scan complains about missing permissions for GitHub workflow actions

issue 1: https://github.com/microsoft/omnichannel-chat-widget/security/code-scanning/19
component: .github/workflows/chat-widget-release-manual.yml:8

issue 2: https://github.com/microsoft/omnichannel-chat-widget/security/code-scanning/18
component: .github/workflows/chat-components-pr.yml:13

issue 3: https://github.com/microsoft/omnichannel-chat-widget/security/code-scanning/17
component: .github/workflows/chat-components-release.yml:12

issue 4: https://github.com/microsoft/omnichannel-chat-widget/security/code-scanning/16
component: .github/workflows/chat-components-release-manual.yml:8

issue 5: https://github.com/microsoft/omnichannel-chat-widget/security/code-scanning/13
component: .github/workflows/sync-issue-to-ado-work-item.yml:12

issue 6: https://github.com/microsoft/omnichannel-chat-widget/security/code-scanning/12
component: .github/workflows/chat-widget-release-manual.yml:63

issue 7: https://github.com/microsoft/omnichannel-chat-widget/security/code-scanning/8
component: .github/workflows/chat-components-release.yml:67

issue 8: https://github.com/microsoft/omnichannel-chat-widget/security/code-scanning/7
component: .github/workflows/chat-components-release-manual.yml:63

Error
If a GitHub Actions job or workflow has no explicit permissions set, then the repository permissions are used. Repositories created under organizations inherit the organization permissions. Organizations or repositories created before February 2023 have the default permissions set to read-write. Often these permissions do not adhere to the principle of least privilege and can be reduced to read-only, leaving write permission only for specific scopes such as issues: write or pull-requests: write.

Expected
Add changes that meet the criteria without messing with functionality: release.yaml should be able to publish, and PR jobs should be able to download and write to support storybooks </issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #798


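As an added example (not code from this PR or from the omnichannel-chat-widget repository): a small, stdlib-only Python checker that reproduces the gist of the code scanning alert the issue cites. It walks a workflow's block-style YAML, records whether `permissions` is set at the workflow level and on each job, and reports every job that would otherwise run with the default GITHUB_TOKEN scopes, plus any `permissions: write-all` at either level. The three workflow texts embedded in it are constructed for the demo; `scan_workflow`, `Finding` and the `WORKFLOW_*` names are the example's own, not the project's.

```python
"""Lint GitHub Actions workflows for missing or overly broad `permissions`.
Added example (not project code); block-style YAML only, stdlib only."""
from __future__ import annotations

import re
from dataclasses import dataclass

# `key:` or `key: value` at any indentation; list items ("- uses: ...") do not match.
KEY_RE = re.compile(r"^(?P<indent> *)(?P<key>[A-Za-z0-9_.-]+):(?:\s+(?P<value>.*?))?\s*$")


@dataclass
class Finding:
    scope: str    # "workflow" or "job:<job-id>"
    line: int     # 1-based line in the workflow source
    message: str


def scan_workflow(text: str) -> list[Finding]:
    """Return a Finding per job that would run with the default GITHUB_TOKEN scopes
    (no `permissions` on the job or the workflow) and per `permissions: write-all`."""
    top_perm: tuple[int, str | None] | None = None   # (line, inline value) at workflow level
    jobs: dict[str, dict] = {}                        # job id -> {"line": int, "perm": ...}
    in_jobs, job_indent, child_indent, cur_job = False, None, None, None

    for no, raw in enumerate(text.splitlines(), 1):
        line = re.split(r"\s#", raw, maxsplit=1)[0].rstrip()   # drop a trailing comment
        m = KEY_RE.match(line)
        if not line.strip() or not m:
            continue                      # blank, comment, list item or scalar line
        ind, key, value = len(m["indent"]), m["key"], m["value"]
        if ind == 0:                      # top-level key: note `permissions`, enter/leave `jobs`
            in_jobs, cur_job, job_indent = key == "jobs", None, None
            if key == "permissions":
                top_perm = (no, value)
            continue
        if not in_jobs:
            continue
        if job_indent is None:            # first key under `jobs:` fixes the job-id indent
            job_indent = ind
        if ind == job_indent:             # a new job id
            cur_job, child_indent = key, None
            jobs[key] = {"line": no, "perm": None}
            continue
        if cur_job is None or ind <= job_indent:
            continue
        if child_indent is None:          # first key inside the job fixes its child indent
            child_indent = ind
        if ind == child_indent and key == "permissions":
            jobs[cur_job]["perm"] = (no, value)

    broad = "`permissions: write-all` grants every GITHUB_TOKEN scope"
    findings: list[Finding] = []
    if top_perm is not None and top_perm[1] == "write-all":
        findings.append(Finding("workflow", top_perm[0], broad))
    for job_id, info in jobs.items():
        perm = info["perm"]
        if perm is None and top_perm is None:
            findings.append(Finding(f"job:{job_id}", info["line"],
                                    "no `permissions` on the job or the workflow; the job "
                                    "runs with the repository/organization default token scopes"))
        elif perm is not None and perm[1] == "write-all":
            findings.append(Finding(f"job:{job_id}", perm[0], broad))
    return findings


# Constructed sample: a release workflow with no `permissions` anywhere, the shape
# the code scanning alerts in the PR flagged.
WORKFLOW_BEFORE = """\
name: release
on:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
  publish:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
      - run: npm publish
"""

# Hardened: a read-only workflow-level block that every job inherits; a job needing
# more would add its own, narrower block instead of widening this one.
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace("jobs:", "permissions:\n  contents: read\n\njobs:", 1)

# Explicit but all scopes: the other anti-pattern the checker reports.
WORKFLOW_WRITE_ALL = WORKFLOW_BEFORE.replace("jobs:", "permissions: write-all\njobs:", 1)

if __name__ == "__main__":
    for name, wf in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER), ("write-all", WORKFLOW_WRITE_ALL)):
        for f in scan_workflow(wf):
            print(f"{name}:{f.line} {f.scope}: {f.message}")
```

Run against a checkout with `scan_workflow(open(path).read())` for each file under `.github/workflows/` and fail the build on any finding. The checker deliberately treats a workflow-level `permissions` block as covering its jobs, matching how GitHub resolves the token, and flags `write-all` because an explicit block that grants everything satisfies "has permissions" while defeating the point of the fix. It only understands the indentation-based YAML that workflows are normally written in; flow-style mappings or anchors need a real YAML parser, and the code scanning check remains the authoritative source.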

… of least privilege

Co-authored-by: elopezanaya <981914+elopezanaya@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix missing permissions in GitHub workflows" to "Add explicit permissions to GitHub workflows to follow principle of least privilege" on Oct 21, 2025
Copilot AI requested a review from elopezanaya October 21, 2025 20:33

Development

Successfully merging this pull request may close these issues.

Workflow does not contain permissions