ci(release): scope App token to current repo + drop contents:write

Author: St0rmz1

.github/actions/setup-git-committer/action.yml

@@ -36,6 +36,13 @@ runs:
         app-id: ${{ inputs['kilo-maintainer-app-id'] }}
         private-key: ${{ inputs['kilo-maintainer-app-secret'] }}
         owner: ${{ github.repository_owner }}
+        # Scope the minted installation token to the current repo
+        # only, even when the kilo-maintainer App is installed on
+        # multiple repos in the org. Without this, the token would
+        # carry the App's full installation scope (e.g. both
+        # shell-security and kilocode) and a compromised workflow
+        # could push to unrelated repos.
+        repositories: ${{ github.event.repository.name }}
 
     - name: Configure git user
       shell: bash

.github/workflows/publish.yml

@@ -34,9 +34,16 @@ concurrency: ${{ github.workflow }}-${{ github.ref }}-${{ inputs.channel }}-${{
 # id-token:write is required for npm provenance (SLSA attestation).
 # This workflow must run on GitHub-hosted runners (not Blacksmith) for
 # provenance to work — GitHub's OIDC token is only issued on their infra.
+#
+# contents: read is sufficient. Post-publish pushes to `main` are
+# authenticated by the kilo-maintainer App token (minted by the
+# setup-git-committer composite action), not by GITHUB_TOKEN. If a
+# future edit accidentally introduces a git/gh call that falls back
+# to GITHUB_TOKEN for a write, we want it to fail loudly here rather
+# than silently succeed with broader privilege.
 permissions:
   id-token: write
-  contents: write
+  contents: read
 
 jobs:
   publish: