
add pull-requests: read permission to verify-dockerfile workflow#112

Merged
kernelsam merged 1 commit into main from add-pull-requests-read-permission
Feb 18, 2026
Conversation

@kernelsam
Contributor

The verify-dockerfile-refreshed-at-updated reusable workflow needs pull-requests: read to function correctly with the caller's permissions.

@kernelsam kernelsam requested a review from a team as a code owner February 18, 2026 18:50
@kernelsam kernelsam requested a review from docktermj February 18, 2026 18:50
@kernelsam kernelsam enabled auto-merge (squash) February 18, 2026 18:50
@github-actions

🤖 Claude Code Review

PR Code Review

PR Summary: Adds pull-requests: read permission to the verify-dockerfile-refreshed-at-updated.yaml workflow.


Code Quality

  • Style guide: Unable to fetch the remote style guide due to permissions, but the change is a single-line YAML addition consistent with the file's existing formatting. ✅
  • No commented-out code: No comments present. ✅
  • Meaningful variable names: N/A — YAML configuration, not code. ✅
  • DRY principle: N/A for this change. ✅
  • Defects / Logic errors: The change is correct. The workflow calls a reusable workflow (verify-dockerfile-refreshed-at-updated.yaml@v4) that likely needs to read PR metadata (e.g., to inspect changed files in the PR). Adding pull-requests: read at the job level is the appropriate way to grant this. The top-level permissions: {} correctly locks down default permissions, and the job-level override is the right pattern. ✅
  • CLAUDE.md: No issues — the project config is not impacted by this workflow-only change. ✅

Testing

  • Unit/integration tests: N/A — this is a CI workflow configuration change, not application code. ✅

Documentation

  • README updated: N/A — no user-facing behavior changed. ✅
  • API docs: N/A. ✅
  • Inline comments: N/A for this change. ✅
  • CHANGELOG.md: Not updated, but this is a minor CI infrastructure fix; acceptable. ✅
  • Markdown formatting: N/A — YAML file, not Markdown. ✅

Security

  • No hardcoded credentials: None present. ✅
  • Input validation: N/A. ✅
  • Proper error handling: N/A. ✅
  • No sensitive data in logs: N/A. ✅
  • License files (.lic): None present. ✅
  • Permission scope: The added permission (pull-requests: read) is read-only and narrowly scoped at the job level. The top-level permissions: {} ensures no implicit permissions are granted elsewhere in the workflow. This follows the principle of least privilege. ✅

Summary

This is a minimal, correct, and well-scoped change. The pull-requests: read permission is needed for the reusable workflow to access PR context (e.g., comparing changed files against the PR diff). No issues found.

Verdict: Approved

Automated code review analyzing defects and coding standards
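The permission pattern the PR description and the review above refer to (top-level `permissions: {}` that drops every default GITHUB_TOKEN scope, with a single job re-granting only `pull-requests: read` before calling the reusable workflow), written out as a complete caller workflow. This is an added example, not the project's own workflow file: the workflow name, the trigger, the `contents: read` grant and the `OWNER/REPO` path of the reusable workflow are assumptions; only the `@v4` ref, the job name and the `pull-requests: read` scope come from the PR.

```yaml
# Caller workflow (added example, not the repository's actual file).
# Assumed: name, trigger, `contents: read`, and the OWNER/REPO location
# of the reusable workflow. The pattern is the one reviewed in PR #112:
#   - top-level `permissions: {}` removes every implicit GITHUB_TOKEN scope
#   - each job opts back in to the scopes it actually needs
#   - a job that `uses:` a reusable workflow hands its own permissions to the
#     callee; the callee may narrow them but cannot grant itself more than
#     the caller job carries
name: verify-dockerfile

on:
  pull_request:
    branches: [main]

# Nothing is granted here; every job below must declare what it needs.
permissions: {}

jobs:
  verify-dockerfile-refreshed-at-updated:
    permissions:
      contents: read        # assumed: lets the callee check out the repository
      pull-requests: read   # the scope added in #112: read PR metadata such as changed files
    # Without `pull-requests: read` on this job, the callee's token cannot
    # read the PR, so API calls against it fail with HTTP 403.
    uses: OWNER/REPO/.github/workflows/verify-dockerfile-refreshed-at-updated.yaml@v4
```

Two checks worth keeping in mind when copying this pattern: `pull-requests: read` is granted per job, so a second job that also needs PR context must declare it again rather than relying on the first job; and for `pull_request` runs opened from a fork, GITHUB_TOKEN is read-only regardless of the `permissions` block, so the lockdown matters most on events such as `pull_request_target` or `push` where the token would otherwise carry write scopes.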

@github-actions

Super-linter summary

Language                        Validation result
CHECKOV                         Pass ✅
GITHUB_ACTIONS                  Pass ✅
GITHUB_ACTIONS_ZIZMOR           Pass ✅
GITLEAKS                        Pass ✅
GIT_MERGE_CONFLICT_MARKERS      Pass ✅
JSCPD                           Pass ✅
PRE_COMMIT                      Pass ✅
SPELL_CODESPELL                 Pass ✅
TRIVY                           Pass ✅
YAML                            Pass ✅
YAML_PRETTIER                   Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@docktermj docktermj self-assigned this Feb 18, 2026
@kernelsam kernelsam merged commit e50f900 into main Feb 18, 2026
51 checks passed
@kernelsam kernelsam deleted the add-pull-requests-read-permission branch February 18, 2026 19:01
2 participants