Fix sync-skills workflow permissions

[jeremy]

Summary

• Remove permission-pull-requests: write and permission-issues: write from the skills repo token — the sync script only needs contents:write for git push, and the App installation on basecamp/skills doesn't grant the others
• Move failure notification to use github.token against the current repo (issues: write added to job-level permissions) so it works without additional App permissions

Test plan

• Verify on next tagged release that sync-skills job succeeds (requires tagged release)
• Simulate sync failure to confirm issue creation on basecamp-cli repo (requires tagged release)

Both items require a tagged release to exercise the sync-skills job. The changes are workflow-only and mechanically correct: excess permissions removed, notification retargeted to github.token + github.repository.

[github-actions]

Sensitive Change Detection (shadow mode)

This PR modifies control-plane files:

• .github/workflows/release.yml

Shadow mode — this check is informational only. When activated, changes to these paths will require approval from a maintainer.

[cubic-dev-ai]

No issues found across 1 file

[Copilot]

Pull request overview

Adjusts the sync-skills job in the release workflow to use least-privilege permissions for the GitHub App token (skills repo) and to route failure notifications through the current repository’s github.token, avoiding missing App installation permissions.

Changes:

• Add issues: write to the sync-skills job so the job can file/comment on issues in the current repo.
• Remove unused pull-requests / issues permissions from the skills repo App token request (keep only contents: write).
• Update the failure notification step to authenticate with github.token and target ${{ github.repository }} for issue operations and run links.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.