Fix permissions for reusable workflows

Moved permissions from job level to workflow level to properly inherit permissions when workflows are called from other repositories.

Author: Kyle-Ye

.github/workflows/claude.yml

@@ -18,6 +18,13 @@ on:
   # pull_request_review:
   #   types: [submitted]
 
+permissions:
+  contents: read
+  pull-requests: read
+  issues: read
+  id-token: write
+  actions: read
+
 jobs:
   claude:
     if: |
@@ -26,12 +33,6 @@ jobs:
       (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
       (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
-      actions: read # Required for Claude to read CI results on PRs
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

.github/workflows/issue-triage.yml

@@ -14,13 +14,14 @@ on:
   # issues:
   #   types: [opened]
 
+permissions:
+  contents: read
+  issues: write
+
 jobs:
   triage-issue:
     runs-on: ubuntu-latest
     timeout-minutes: 10
-    permissions:
-      contents: read
-      issues: write
 
     steps:
       - name: Checkout repository