fix: add explicit GITHUB_TOKEN permissions to workflows (#74)

* fix: add explicit GITHUB_TOKEN permissions to workflows (closes #73)

Lock down GITHUB_TOKEN to minimum required permissions per job,
following principle of least privilege (CodeQL alerts #1, #2, #3).

ci.yml:       contents: read, pull-requests: write
preview.yml:  deploy_preview: contents: read + pull-requests: write
              close_preview:  pull-requests: write only (no checkout)

deploy.yml already had explicit permissions and is unchanged.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: skip coverage comment steps when no coverage files are generated

When a PR only changes non-code files (e.g. workflow YAML), nx affected
runs no tests so no coverage XML is produced and code-coverage-results.md
is never created. The sticky-pull-request-comment step then fails with
'Either message or path input is required'.

- Add continue-on-error to CodeCoverageSummary (graceful no-op)
- Add a Check step that sets coverage.outputs.exists
- Gate annotate, summary, and comment steps on that output

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: chrisjwalk-bot

.github/workflows/ci.yml

@@ -9,6 +9,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  pull-requests: write # sticky-pull-request-comment
+
 jobs:
   ci:
     runs-on: ubuntu-latest
@@ -83,6 +87,7 @@ jobs:
 
       - name: Coverage summary
         if: always()
+        continue-on-error: true # no coverage files on PRs with no code changes
         uses: irongut/CodeCoverageSummary@v1.3.0
         with:
           filename: coverage/**/cobertura-coverage.xml
@@ -92,8 +97,14 @@ jobs:
           output: both
           thresholds: '60 80'
 
+      - name: Check for coverage results
+        id: coverage
+        if: always()
+        run: |
+          [ -f code-coverage-results.md ] && echo "exists=true" >> $GITHUB_OUTPUT || echo "exists=false" >> $GITHUB_OUTPUT
+
       - name: Annotate coverage report
-        if: always() && github.event_name == 'pull_request'
+        if: always() && github.event_name == 'pull_request' && steps.coverage.outputs.exists == 'true'
         run: |
           echo "> [!NOTE]" > coverage-note.md
           echo "> Coverage shown for **affected projects only**. Per-file thresholds (80%) are enforced by vitest." >> coverage-note.md
@@ -102,11 +113,11 @@ jobs:
           mv coverage-note.md code-coverage-results.md
 
       - name: Write coverage to job summary
-        if: always()
+        if: always() && steps.coverage.outputs.exists == 'true'
         run: cat code-coverage-results.md >> $GITHUB_STEP_SUMMARY
 
       - name: Add coverage PR comment
-        if: always() && github.event_name == 'pull_request'
+        if: always() && github.event_name == 'pull_request' && steps.coverage.outputs.exists == 'true'
         uses: marocchino/sticky-pull-request-comment@v2
         with:
           recreate: true

.github/workflows/preview.yml

@@ -14,6 +14,9 @@ jobs:
     if: github.event.action != 'closed'
     name: Deploy Preview
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write # SWA deploy posts preview URL comment
     steps:
       - uses: actions/checkout@v4
 
@@ -49,6 +52,8 @@ jobs:
     if: github.event.action == 'closed'
     name: Close Preview
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write # SWA close action updates PR status
     steps:
       - name: Close staging environment
         uses: Azure/static-web-apps-deploy@v1