fix: stale workflow permissions mismatch with reusable workflow

[Copilot]

The stale workflow was failing due to a permissions mismatch with the reusable workflow at cpp-linter/.github/.github/workflows/stale.yml@main. The error indicated that the nested job 'stale' was requesting contents: read, pull-requests: write permissions, but was only allowed contents: none, pull-requests: none.

Problem

The workflow had workflow-level permissions set to only issues: write, but the reusable workflow requires additional permissions (contents: read and pull-requests: write) that weren't being granted to the nested job.

Solution

Updated the stale workflow to follow least privilege security practices:

• Set workflow-level permissions to permissions: {} (empty/minimal)
• Added job-level permissions specifically for the stale job:
  • contents: read - required by the reusable workflow
  • issues: write - retained from original configuration
  • pull-requests: write - required by the reusable workflow

This approach ensures that only the specific job that needs these permissions receives them, rather than granting them at the workflow level, which follows GitHub's security best practices.

Changes

• Modified .github/workflows/stale.yml to use job-level permissions instead of workflow-level permissions
• No functional changes to the stale issue detection and closing behavior

The workflow should now run successfully without permission errors.

This pull request was created as a result of the following prompt from Copilot chat.

The stale workflow in this repository is failing due to a permissions mismatch with the reusable workflow at cpp-linter/.github/.github/workflows/stale.yml. The error indicates that the nested job 'stale' is requesting 'contents: read, pull-requests: write', but is only allowed 'contents: none, pull-requests: none'. To resolve this, update the calling workflow to:

• Set workflow-level permissions to permissions: {}
• Add job-level permissions for the stale job only:

permissions: {}

jobs:
stale:
permissions:
contents: read
issues: write
pull-requests: write
uses: cpp-linter/.github/.github/workflows/stale.yml@main

This change will ensure compatibility with the reusable workflow and follow least privilege security practices.

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.48%. Comparing base (323ef94) to head (705048d).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #107   +/-   ##
=======================================
  Coverage   94.48%   94.48%           
=======================================
  Files           3        3           
  Lines         145      145           
=======================================
  Hits          137      137           
  Misses          8        8           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[shenxianpeng]

After this PR merged, the rerun still failed https://github.com/cpp-linter/cpp-linter-hooks/actions/runs/17632374669

Maybe it needs a new run? cc @2bndy5

[2bndy5]

Yep. A rerun will use the old workflow file before this was merged.