ci: add permission comments and remove redundant comments from workflows #1985

Merged: hrzlgnm merged 4 commits into main from fix/workflows, Mar 8, 2026
hrzlgnm (Owner) commented Mar 8, 2026

Summary

  • Add contents: read permission with comment to winget-reusable.yml (has release trigger)
  • Remove redundant "No special permissions needed" comments from reusable workflows
  • Permissions are set by caller for reusable workflows (as per AGENTS.md)

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow configurations to adjust declared job permissions and clarify intent with inline comments.
    • Removed or tightened some workflow permission declarations and added a few read-only permissions to reduce scope.
    • Cosmetic formatting and comment improvements across workflow files to improve maintainability and auditability.
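
An added illustration, not code from this PR or repository: the rule in the summary above, that a reusable workflow's token scope is set by its caller, and why a reusable workflow that also has its own release trigger still needs a job-level permissions block. File names, job names, triggers and steps are constructed placeholders.

```yaml
# Constructed example: two workflow files shown as two YAML documents.
# Names, triggers and steps are placeholders, not this repository's workflows.

# --- .github/workflows/caller.yml (hypothetical caller) ---
name: caller
on:
  workflow_dispatch:

permissions: {}              # workflow default: no token scopes; grant per job

jobs:
  publish:
    permissions:
      contents: read         # upper bound for every job in the called workflow
    uses: ./.github/workflows/publish-reusable.yml

---
# --- .github/workflows/publish-reusable.yml (hypothetical reusable workflow) ---
name: publish-reusable
on:
  workflow_call:             # token scope comes from the calling job
  release:                   # direct trigger: there is no caller here, so the
    types: [published]       # job below has to declare its own scope

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read         # read release data; no write scope is requested
    steps:
      - name: Read latest release
        run: gh release list --limit 1
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
```

Under workflow_call the called workflow can keep or narrow the caller's grant but cannot widen it, so the job-level block in the reusable file only decides the scope on the direct release trigger.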

hrzlgnm commented Mar 8, 2026

@coderabbitai review

coderabbitai bot commented Mar 8, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

github-actions bot added the bug label (Something isn't working) Mar 8, 2026

coderabbitai bot commented Mar 8, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between d20dd2a and e31cd82.

📒 Files selected for processing (4)
  • .github/workflows/aur-reusable.yml
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
  • .github/workflows/winget-reusable.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/winget-reusable.yml
  • .github/workflows/ci.yml

Walkthrough

Reorganized GitHub Actions permissions across reusable and CI workflows: several top-level permission blocks were removed, one publish job gained contents: read, and some permission entries were reformatted with explanatory comments. No runtime logic or job steps were changed. (41 words)

Changes

| Cohort / File(s) | Summary |
|---|---|
| Permissions Removed: .github/workflows/asset-checksums-reusable.yml, .github/workflows/publish-sbom-reusable.yml, .github/workflows/source-checksums-reusable.yml | Removed top-level permissions blocks that previously granted contents: write and/or other explicit permissions. No other workflow steps modified. |
| Permissions Adjusted: .github/workflows/aur-reusable.yml | Removed a per-job packages: read permission in update-aur job; retained release-info job permission with an inline comment. |
| Permission Added: .github/workflows/winget-reusable.yml | Added a permissions block to the publish job granting contents: read with an inline comment. |
| Formatting & Comments: .github/workflows/ci.yml, .github/workflows/release.yml | Reflowed permission declarations to multi-line entries and added inline explanatory comments; no permission key/value changes. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

chore

Poem

Oh boy, they trimmed the scopes and left a note,
Comments whisper why the keys were wrote.
Permissions pruned, the workflows stay the same—
Neat little fences around each tiny flame. 🔐✨

Pre-merge checks: 2 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main changes: adding permission comments to workflows and removing redundant comments from reusable workflows, with secondary adjustments to permissions themselves. |

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/aur-reusable.yml:
- Around line 34-36: The workflow's update-aur job unnecessarily requests
packages: read permission; remove the packages: read entry from the update-aur
job's permissions block (and any accompanying comment claiming it's "to read
release info from GitHub Packages") because that job consumes outputs from the
previous job and only performs curl checksum fetches and AUR publishing; update
the comment (or delete it) to reflect the true rationale or omit it entirely to
avoid misleading documentation.

📥 Commits

Reviewing files that changed from the base of the PR and between 85b235d and d20dd2a.

📒 Files selected for processing (7)
  • .github/workflows/asset-checksums-reusable.yml
  • .github/workflows/aur-reusable.yml
  • .github/workflows/ci.yml
  • .github/workflows/publish-sbom-reusable.yml
  • .github/workflows/release.yml
  • .github/workflows/source-checksums-reusable.yml
  • .github/workflows/winget-reusable.yml
💤 Files with no reviewable changes (3)
  • .github/workflows/source-checksums-reusable.yml
  • .github/workflows/asset-checksums-reusable.yml
  • .github/workflows/publish-sbom-reusable.yml

hrzlgnm commented Mar 8, 2026

@coderabbitai review

coderabbitai bot commented Mar 8, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

hrzlgnm commented Mar 8, 2026

@coderabbitai review

coderabbitai bot commented Mar 8, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@hrzlgnm hrzlgnm enabled auto-merge (squash) March 8, 2026 12:40
@hrzlgnm hrzlgnm merged commit 2ea9647 into main Mar 8, 2026
38 of 43 checks passed
@hrzlgnm hrzlgnm deleted the fix/workflows branch March 8, 2026 12:41