fix: update stale workflow permissions for reusable workflow compatibility #106

@coderabbitai

Problem

The stale workflow in this repository is failing due to a permissions mismatch with the reusable workflow at cpp-linter/.github/.github/workflows/stale.yml.

Error from Actions run: https://github.com/cpp-linter/cpp-linter-action/actions/runs/17632456845

Invalid workflow file: .github/workflows/stale.yml#L9
The workflow is not valid. .github/workflows/stale.yml (Line: 9, Col: 3): Error calling workflow 'cpp-linter/.github/.github/workflows/stale.yml@main'. The nested job 'stale' is requesting 'contents: read, pull-requests: write', but is only allowed 'contents: none, pull-requests: none'.

Root Cause

The calling workflow doesn't provide sufficient permissions for the reusable workflow's job-level permissions to inherit from.

Solution

Following hardened security practices with job-level permissions (principle of least privilege):

  1. Set workflow-level permissions to permissions: {}
  2. Add job-level permissions only for the stale job:

permissions: {}

jobs:
  stale:
    permissions:
      contents: read
      issues: write
      pull-requests: write
    uses: cpp-linter/.github/.github/workflows/stale.yml@main

Related

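The permission rule behind the error quoted in the issue, as an added example that is not part of the issue or the cpp-linter project: a job in a called workflow can keep or reduce the caller job's token permissions but never raise them. The function names are hypothetical, and the "before" caller (workflow-level `permissions: {}` with no job-level block) is a constructed case, since the page does not show the failing caller file. It assumes explicit permission maps at both levels and does not model the `read-all`/`write-all` shorthands.

```python
# Added example: checks whether a reusable workflow's nested job requests more
# than the calling job allows. Permission maps are plain dicts standing in for
# the YAML `permissions:` blocks.
LEVELS = {"none": 0, "read": 1, "write": 2}


def effective_caller_permissions(workflow_perms, job_perms=None):
    """A job-level `permissions` block replaces the workflow-level one."""
    return job_perms if job_perms is not None else workflow_perms


def check_nested_job(requested, workflow_perms, job_perms=None):
    """Return {scope: (requested, allowed)} for every scope the nested job
    requests above the caller's level. An empty dict means the call is valid."""
    allowed = effective_caller_permissions(workflow_perms, job_perms)
    denied = {}
    for scope, want in requested.items():
        # Once any permissions block is given, unlisted scopes are "none".
        have = allowed.get(scope, "none")
        if LEVELS[want] > LEVELS[have]:
            denied[scope] = (want, have)
    return denied


def describe(denied):
    """Format the mismatch in the same shape as the error in the issue."""
    want = ", ".join(f"{s}: {w}" for s, (w, _) in denied.items())
    have = ", ".join(f"{s}: {h}" for s, (_, h) in denied.items())
    return f"requesting '{want}', but is only allowed '{have}'"


# What the nested 'stale' job requests, taken from the error message.
REQUESTED = {"contents": "read", "pull-requests": "write"}

# Constructed "before": everything locked down, nothing granted to the job.
BEFORE = check_nested_job(REQUESTED, workflow_perms={})

# "After": the job-level block proposed in the issue.
FIXED_JOB = {"contents": "read", "issues": "write", "pull-requests": "write"}
AFTER = check_nested_job(REQUESTED, workflow_perms={}, job_perms=FIXED_JOB)

if __name__ == "__main__":
    print("before:", describe(BEFORE))
    print("after: ", "valid" if not AFTER else describe(AFTER))
```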