fix(ci): add actions:read to detection job permissions #961

Closed
Copilot wants to merge 2 commits into main from copilot/fix-ci-failure-detection-job

Conversation

Contributor

Copilot AI commented Feb 18, 2026

The detection job in all agentic workflow .lock.yml files has permissions: {}, which causes download-artifact@v7 to fail with 403 Forbidden when fetching agent-artifacts from the preceding agent job. The agent-output artifact (476B) sometimes succeeds while the larger agent-artifacts (71KB) fails, but the root cause is the missing actions: read permission on the GITHUB_TOKEN.

  • Postprocess script (scripts/ci/postprocess-smoke-workflows.ts): Added a regex-based replacement that targets the detection: job's permissions: {} and replaces it with permissions:\n actions: read, without touching the workflow-level permissions: {}. The regex is anchored to the detection: job block to avoid false matches. Idempotent — no-ops on already-fixed files.

  • All 28 .lock.yml files: Applied the fix. The change per file is:

# Before
  detection:
    ...
    permissions: {}

# After
  detection:
    ...
    permissions:
      actions: read

This lives in the postprocess script so the fix survives future gh aw compile runs, which always regenerate permissions: {} on the detection job.

Original prompt

This section details the original issue you should resolve

<issue_title>🏥 CI Failure: detection job fails with 403 forbidden downloading agent-artifacts</issue_title>
<issue_description>## Summary

The detection job in the Issue Monster workflow failed when attempting to download the agent-artifacts artifact from the preceding agent job.

Run: #22144629565
Date: 2026-02-18T14:55:47Z
Commit: c419d69

Error

##[error]Unable to download artifact(s): Failed to ListArtifacts: 
Received non-retryable error: Failed request: (403) Forbidden: 
Error from intermediary with HTTP status code 403 "Forbidden"

Root Cause Analysis

Artifact Download Failure:

  • agent-artifacts (71KB) - 403 Forbidden from Azure Blob Storage
  • agent-output (476 bytes) - Downloaded successfully

Both artifacts uploaded by same job, but only the small one can be downloaded.

Cascading Impact:

  1. Missing file: /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt
  2. setup_threat_detection.cjs script fails
  3. Entire detection job fails

Hypotheses

1. Azure Blob Storage Access Control

Error from "intermediary" suggests Azure storage layer is denying access:

  • SAS token expiration/invalidation
  • Cross-region access restrictions
  • Storage account firewall rules

2. Artifact Size Threshold

  • Small artifact (476B) succeeds
  • Large artifact (71KB) fails
  • May indicate quota, rate limiting, or policy restrictions

3. Insufficient Permissions

The detection job has permissions: {} which might be too restrictive:

detection:
  runs-on: ubuntu-latest
  permissions: {}  # May need actions: read

Recommended Actions

  1. Immediate: Check if this is a one-time flake or recurring pattern
  2. Permissions: Add actions: read permission to detection job
  3. Monitoring: Set up alerts for artifact download failures
  4. Resilience: Add retry logic with exponential backoff
  5. Artifact optimization: Consider splitting or reducing artifact size

Related Context

This is a new failure pattern - distinct from the documented "Issue Monster Permissions" issue (#391) which relates to Copilot agent assignment via GraphQL mutations.


🏥 Investigated by CI Doctor

AI generated by CI Doctor

Comments on the Issue (you are @copilot in this section)



Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix CI failure in detection job due to 403 error downloading artifacts" to "fix(ci): add actions:read to detection job permissions" on Feb 18, 2026
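The PR description above explains the approach (a regex anchored to the detection: job block that turns `permissions: {}` into `permissions:\n  actions: read`, leaves the workflow-level `permissions: {}` alone, and is a no-op on already-fixed files) without showing the code. The block below is an added example written for this page, not the project's scripts/ci/postprocess-smoke-workflows.ts; the function names and the sample lock file are constructed for illustration, and the only assumption about the lock files is the one visible in the Before/After snippet: job keys at two spaces, job bodies at four, LF line endings.

```typescript
// Added example (not the project's code): an anchored, idempotent rewrite of the
// detection job's `permissions: {}` to `actions: read`, plus a checker that
// confirms the result grants exactly that and nothing else. Names and
// SAMPLE_LOCK are constructed for this example.

// Matches the `detection:` job (2-space job key, 4-space job body) up to the first
// `permissions: {}` line that belongs to that job. Body lines must be indented by
// at least four spaces or be blank, so the match cannot run into a sibling job or
// a workflow-level key. The alternatives are disjoint to avoid backtracking blowups.
const DETECTION_EMPTY_PERMISSIONS_RE =
  /^(  detection:\n(?:(?:[ \t]{4,}\S.*|[ \t]*)\n)*?)    permissions: \{\}[ \t]*$/m;

/** Replace the detection job's `permissions: {}` with an explicit least-privilege map. */
function addActionsReadToDetectionJob(lock: string): string {
  // No match (job already has a real permissions map, or no detection job): unchanged.
  return lock.replace(
    DETECTION_EMPTY_PERMISSIONS_RE,
    "$1    permissions:\n      actions: read",
  );
}

/** Return the detection job's `permissions` entry as trimmed YAML lines, for checking. */
function detectionJobPermissions(lock: string): string[] {
  const lines = lock.split("\n");
  const start = lines.indexOf("  detection:");
  if (start < 0) return [];
  const out: string[] = [];
  let inPermissions = false;
  for (const line of lines.slice(start + 1)) {
    // A non-blank line indented by fewer than four spaces ends the job block.
    if (line.trim() !== "" && !line.startsWith("    ")) break;
    if (line.startsWith("    permissions:")) {
      inPermissions = true;
      out.push(line.trim());
      continue;
    }
    if (inPermissions) {
      if (line.startsWith("      ")) out.push(line.trim());
      else break;
    }
  }
  return out;
}

/** Count workflow-level (column 0) `permissions: {}` lines; the fix must leave them alone. */
function workflowLevelEmptyPermissions(lock: string): number {
  return lock.split("\n").filter((l) => /^permissions: \{\}[ \t]*$/.test(l)).length;
}

// Constructed sample of a compiled lock file, shaped like the Before block above.
const SAMPLE_LOCK = `name: Issue Monster
on:
  issues:
    types: [opened]
permissions: {}
jobs:
  agent:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: echo agent
  detection:
    needs: agent
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - uses: actions/download-artifact@v7
        with:
          name: agent-artifacts
`;

const fixed = addActionsReadToDetectionJob(SAMPLE_LOCK);
console.log(fixed);
```

Two things worth checking whenever this kind of rewrite runs over regenerated files: that the workflow-level `permissions: {}` count is unchanged (the default stays fully locked down and only the one job gains `actions: read`), and that a second pass returns the input byte-for-byte, which is what lets the step live in the postprocess script and survive `gh aw compile`. A YAML-aware rewrite would be more robust than a regex if the generator ever changes its indentation, but the regex mirrors the approach the PR describes.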
@github-actions
Contributor

✅ Smoke Test: PASS

Last 2 merged PRs:

Test Results:

  • ✅ GitHub MCP: Retrieved PR metadata
  • ✅ Playwright: GitHub homepage verified ("GitHub" in title)
  • ✅ File Write: Created test file at /tmp/gh-aw/agent/smoke-test-copilot-22163959723.txt
  • ✅ Bash: File content verified

cc @Mossaka @Copilot

AI generated by Smoke Copilot


Development

Successfully merging this pull request may close these issues.

🏥 CI Failure: detection job fails with 403 forbidden downloading agent-artifacts