
Conversation

gitclonebrian commented Nov 14, 2025

🎟️ Tracking

BRE-1333

📔 Objective

Adding permissions to the token generation step to limit the token's scope, per the least-privilege best practice.
The changes were tested:

  • A manual workflow run was initiated from this branch
  • Translations were downloaded
  • A PR was generated here

📸 Screenshots

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

gitclonebrian requested a review from a team as a code owner, November 14, 2025 20:39

claude bot (Contributor) commented Nov 14, 2025

Claude finished @gitclonebrian's task


PR Review Complete

Tasks:

  • Review PR title and description
  • Read changed workflow file
  • Perform comprehensive code review
  • Create inline comments for findings
  • Post summary assessment

Summary

This PR implements least-privilege token scoping for the GitHub App token used in the Crowdin Pull workflow. The change is security-positive and follows best practices.

Findings: 0 major, 0 minor, 0 refactoring, 1 improvement, 0 inquiries

Finding 1 🎨: Consider adding permission comment for id-token

The job-level permissions include id-token: write (line 16), which is used for Azure OIDC authentication. While the newly scoped GitHub App token correctly limits its permissions, it would be helpful to add a comment explaining why id-token: write is needed at the job level for consistency with the documentation style you've established.

Example
permissions:
  contents: write        # for checking out the repository
  pull-requests: write   # for the GitHub App to create PRs
  id-token: write        # for Azure OIDC authentication

Assessment

Approve with optional improvement

The changes correctly implement least-privilege token scoping:

  • Token permissions are explicitly limited to only what's needed
  • Comments clearly document the purpose of each permission
  • Testing was performed and verified working
  • No security concerns introduced

The optional improvement (Finding 1) would enhance consistency but is not required.
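The point the review makes, shown as a complete workflow, is that two separate scopes are in play: the job-level `permissions:` block governs the automatic GITHUB_TOKEN (and `id-token: write` is consumed only by the OIDC login step), while the GitHub App installation token is scoped by the inputs of the step that mints it. The example below is an added illustration and is not the repository's own Crowdin Pull workflow; it assumes the token is minted with actions/create-github-app-token v2 (which accepts per-scope `permission-*` inputs and, with `owner` and `repositories` omitted, scopes the token to the current repository) and that Azure OIDC login uses azure/login. The variable, secret and branch names are constructed.

```yaml
# Added illustration, not the project's workflow file.
# Assumed actions: actions/create-github-app-token@v2, azure/login@v2, actions/checkout@v4.
name: crowdin-pull-example          # constructed name

on:
  workflow_dispatch:                # the PR was tested with a manual run

jobs:
  pull-translations:
    runs-on: ubuntu-latest
    # These permissions apply to the automatic GITHUB_TOKEN, not to the App token.
    permissions:
      contents: write        # for checking out the repository
      pull-requests: write   # for the GitHub App to create PRs
      id-token: write        # for Azure OIDC authentication (azure/login only)
    steps:
      # BEFORE (weak): no permission-* inputs, so the installation token carries
      # every permission granted to the App installation, not just what this job needs.
      #
      # - id: app-token
      #   uses: actions/create-github-app-token@v2
      #   with:
      #     app-id: ${{ vars.APP_ID }}
      #     private-key: ${{ secrets.APP_PRIVATE_KEY }}

      # AFTER (least privilege): owner/repositories omitted => current repository only,
      # and the token carries only the two permissions this job exercises.
      - id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.APP_ID }}                    # constructed variable name
          private-key: ${{ secrets.APP_PRIVATE_KEY }}   # constructed secret name
          permission-contents: write        # push the translation branch
          permission-pull-requests: write   # open the PR

      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}

      # id-token: write above exists for this step and nothing else.
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # Translation download step omitted; it does not need the App token.

      - name: Open pull request with the scoped token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh pr create --fill --head translations/update --base main   # constructed branch
```

Two checks are worth running after a change like this: a manual workflow run should still download translations and open the PR (what the PR description reports), and a call such as `gh api /installation/repositories` made with the minted token should list only the current repository, confirming the narrowed scope. If a later step starts failing with HTTP 403, the fix is to add the one missing `permission-*` input rather than to drop the scoping.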


codecov bot commented Nov 14, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.97%. Comparing base (0959284) to head (18f27a6).
⚠️ Report is 38 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6171      +/-   ##
==========================================
+ Coverage   84.89%   84.97%   +0.08%     
==========================================
  Files         724      735      +11     
  Lines       52778    53087     +309     
  Branches     7672     7678       +6     
==========================================
+ Hits        44807    45113     +306     
- Misses       5279     5291      +12     
+ Partials     2692     2683       -9     

☔ View full report in Codecov by Sentry.

github-actions bot (Contributor) commented Nov 14, 2025

Checkmarx One – Scan Summary & Details (scan c1737b11-db44-4607-91e5-3d3b58bdcd7b)

Great job! No new security vulnerabilities introduced in this pull request

vvolkgang previously approved these changes Nov 14, 2025