
ci(l1,l2): add issues: write permission to AI review caller workflow#6135

Merged
avilagaston9 merged 5 commits into
mainfrom
fix/ci-ai-review-permissions
Feb 6, 2026

Conversation

@avilagaston9

@avilagaston9 avilagaston9 commented Feb 5, 2026


Motivation

The AI review workflow (#6106) fails with startup_failure on every run. The caller workflow specified explicit permissions (contents: read, pull-requests: write), which restricts the maximum permissions available to nested reusable workflow jobs. The reusable workflows in lambdaclass/actions require additional permissions:

  • Kimi: pull-requests: write (already granted)
  • Codex post_feedback job: issues: write
  • Claude claude-review job: id-token: write

Missing any of these causes the entire workflow to fail at startup with no logs.

Description

Add the missing issues: write and id-token: write permissions to the caller workflow's permissions block.

Checklist

  • Updated STORE_SCHEMA_VERSION (crates/storage/lib.rs) if the PR includes breaking changes to the Store requiring a re-sync.

The Codex reusable workflow (ai-review-codex.yml) has a nested post_feedback job that requests issues: write. When the caller workflow sets explicit permissions without granting issues: write, GitHub blocks the entire workflow at startup with: "The nested job 'post_feedback' is requesting 'issues: write', but is only allowed 'issues: none'." This caused all AI review runs to fail with startup_failure.
@avilagaston9 avilagaston9 changed the title ci: add issues: write permission to AI review caller workflow ci(l1,l2): add issues: write permission to AI review caller workflow Feb 5, 2026
@github-actions github-actions Bot added L1 Ethereum client L2 Rollup client labels Feb 5, 2026
@avilagaston9 avilagaston9 marked this pull request as ready for review February 5, 2026 18:59
@avilagaston9 avilagaston9 requested a review from a team as a code owner February 5, 2026 18:59
Copilot AI review requested due to automatic review settings February 5, 2026 18:59
@ethrex-project-sync ethrex-project-sync Bot moved this to In Review in ethrex_l1 Feb 5, 2026

Copilot AI left a comment


Pull request overview

This PR fixes a workflow failure in the AI review workflow by adding the missing issues: write permission. The AI review workflow, introduced in PR #6106, fails with a startup_failure error because the reusable workflow's post_feedback job requires issues: write, but the caller workflow only granted contents: read and pull-requests: write.

Changes:

  • Add issues: write permission to the caller workflow permissions block


@greptile-apps

greptile-apps Bot commented Feb 5, 2026


Greptile Overview

Greptile Summary

This PR fixes a permission issue causing the AI review workflow to fail with startup_failure errors. The reusable Codex workflow requires issues: write permission for its post_feedback job, but the caller only granted contents: read and pull-requests: write.

  • Added issues: write permission to allow nested jobs to post feedback
  • This is the minimal change needed to resolve the workflow failure
  • The permission scope is appropriate for AI review workflows that need to comment on PRs and issues

Confidence Score: 5/5

  • This PR is safe to merge with no risk
  • The change is minimal, well-motivated, and directly addresses a documented failure. Adding issues: write permission is the correct solution for workflows that need to post feedback, and the scope is appropriate for AI review functionality.
  • No files require special attention

Important Files Changed

.github/workflows/pr_ai_review.yaml: Added issues: write permission to fix startup_failure error in nested job

Sequence Diagram

sequenceDiagram
    participant PR as Pull Request Event
    participant Caller as pr_ai_review.yaml
    participant Kimi as ai-review-kimi.yml
    participant Codex as ai-review-codex.yml
    participant Claude as ai-review-claude.yml
    participant GH as GitHub API

    PR->>Caller: Trigger (opened/ready_for_review)
    Note over Caller: permissions:<br/>contents: read<br/>pull-requests: write<br/>issues: write
    
    par Run AI Reviews
        Caller->>Kimi: Call reusable workflow
        Kimi->>GH: Post review comments
        and
        Caller->>Codex: Call reusable workflow
        Codex->>GH: Post feedback (needs issues: write)
        and
        Caller->>Claude: Call reusable workflow
        Claude->>GH: Post review comments
    end
    
    GH-->>PR: AI review feedback posted

avilagaston9 added 3 commits February 5, 2026 16:01
The caller workflow was specifying explicit permissions (contents: read, pull-requests: write) which restricts the maximum permissions available to nested reusable workflows. The Codex workflow needs issues: write and the Claude workflow needs id-token: write, so each new requirement would need to be added manually. Removing the block entirely lets the workflow use the repo's default token permissions, matching the working setup in lambdaclass/ethlambda.

The repo's default token permissions are read-only, so we must explicitly grant every permission the reusable workflows need: contents: read and pull-requests: write (Kimi), issues: write (Codex post_feedback job), and id-token: write (Claude code action).
@github-actions

github-actions Bot commented Feb 5, 2026


🤖 Kimi Code Review

Review of PR #6135

File: .github/workflows/pr_ai_review.yaml

Issues Found:

  1. Permission escalation concern (Line 23-25):

    • Adding issues: write and id-token: write permissions appears to be unnecessary for a PR review workflow. The id-token: write permission is particularly concerning as it allows the workflow to mint OIDC tokens, which could be a security risk if compromised.
  2. Trigger scope expansion (Line 18):

    • Adding synchronize to the pull_request trigger means this workflow will run on every push to the PR branch, which could significantly increase CI load and costs for AI review services.

Recommendations:

  1. Remove unnecessary permissions:

    permissions:
      contents: read
      pull-requests: write
  2. Consider rate limiting for synchronize events:
    If synchronize is intentionally added, consider adding conditions to limit when the AI review runs (e.g., only on significant changes or when explicitly requested).

  3. Document the permission changes:
    If these permissions are genuinely needed, the PR description should explain why issues: write and id-token: write are required for an AI code review workflow.

The changes appear to be workflow configuration rather than core ethrex code, so there are no Ethereum-specific concerns in this diff.


Automated review by Kimi (Moonshot AI) · custom prompt

@github-actions

github-actions Bot commented Feb 5, 2026


🤖 Codex Code Review

Focused review on .github/workflows/pr_ai_review.yaml only (no Rust/EVM changes in this PR).

Findings

  • Potential secret exposure on issue_comment trigger: The workflow runs with pull-requests: write, issues: write, and repository secrets, but there is no guard in this file to restrict comment authors. If the reusable workflows don’t enforce author_association checks internally, any commenter could trigger jobs that consume secrets. Consider adding an explicit job-level if: check (e.g., github.event.comment.author_association in [OWNER, MEMBER, COLLABORATOR]) or using pull_request_target-style gating. File: .github/workflows/pr_ai_review.yaml:16-26.
  • Least-privilege concern: id-token: write is granted but not obviously required by this workflow. If the reusable workflows aren’t using OIDC, drop this permission to reduce token issuance surface. File: .github/workflows/pr_ai_review.yaml:22-26.

Minor/Perf

  • synchronize triggers run on every push. If this is intentional, consider adding concurrency to cancel in-flight reviews on rapid pushes to avoid redundant runs. File: .github/workflows/pr_ai_review.yaml:16-18.

If the reusable workflows already enforce author checks and use OIDC, note that in the PR description to avoid confusion.


Automated review by OpenAI Codex · custom prompt

@avilagaston9 avilagaston9 added this pull request to the merge queue Feb 6, 2026
Merged via the queue into main with commit 8f35c2a Feb 6, 2026
59 checks passed
@avilagaston9 avilagaston9 deleted the fix/ci-ai-review-permissions branch February 6, 2026 13:53
@github-project-automation github-project-automation Bot moved this from In Review to Done in ethrex_l1 Feb 6, 2026
@github-project-automation github-project-automation Bot moved this to Done in ethrex_l2 Feb 6, 2026