docs: add inline comments explaining workflow token permissions#19604

Open
ZachDreamZ wants to merge 2 commits into
kubestellar:mainfrom
ZachDreamZ:docs/add-workflow-permission-comments
Conversation

@ZachDreamZ

Each job-level permissions: block now documents which step requires the write scope and why. This makes it straightforward for reviewers and automated tools (like Scorecard) to verify that permissions are intentional and minimal.

Closes #19602

Copilot AI review requested due to automatic review settings June 25, 2026 15:48
@kubestellar-prow kubestellar-prow Bot added the dco-signoff: no Indicates the PR's author has not signed the DCO. label Jun 25, 2026
@kubestellar-prow

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mikespreitzer for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@netlify

netlify Bot commented Jun 25, 2026

Deploy Preview for kubestellarconsole ready!

Built without sensitive environment variables

Name Link
🔨 Latest commit 0a5c4a2
🔍 Latest deploy log https://app.netlify.com/projects/kubestellarconsole/deploys/6a3db908a8927700080ec340
😎 Deploy Preview https://deploy-preview-19604.console-deploy-preview.kubestellar.io
@kubestellar-prow kubestellar-prow Bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jun 25, 2026
@github-actions

Contributor

👋 Welcome to the KubeStellar community! 💖

Thanks and congrats 🎉 for opening your first PR here! We're excited to have you contributing.

Before merge, please ensure:

  • DCO Sign-off — All commits signed with git commit -s (DCO)
  • PR Title — Starts with an emoji: ✨ feature | 🐛 bug fix | 📖 docs | 🌱 infra/tests | ⚠️ breaking

📬 If you're using KubeStellar in your organization, please add your name to our Adopters list. 🙏 It really helps the project gain momentum and credibility — a small contribution back with a big impact.

A maintainer will review your PR soon. Hope you have a great time here!

🌟 ~~~~~~~~~~ 🌟

📬 If you like KubeStellar, please ⭐ star ⭐ our repo to support it!

🙏 It really helps the project gain momentum and credibility — a small contribution back with a big impact.

Copilot AI left a comment

Contributor

Pull request overview

This PR hardens GitHub Actions documentation by adding inline, job-level comments explaining exactly why each workflow needs specific GITHUB_TOKEN write permissions, aligning with least-privilege expectations and making Scorecard TokenPermissions alerts easier to review.

Changes:

  • Added inline explanations for contents: write, issues: write, pull-requests: write, packages: write, and actions: write at the job level.
  • Clarified which concrete job behavior/step requires each write scope (e.g., committing screenshots, dispatching another workflow, pushing to GHCR/gh-pages).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Summary per file:

  • .github/workflows/process-screenshots.yml: Documents why contents: write and issues: write are required for committing screenshots and updating issue comments.
  • .github/workflows/hive-interactive.yml: Documents why issues: write, pull-requests: write, contents: read, and actions: write are required across the jobs.
  • .github/workflows/helm-release.yml: Documents why contents: write (gh-pages) and packages: write (GHCR) are required for Helm publishing.
  • .github/workflows/deploy-checksum.yml: Documents why contents: write is required to commit deploy.sh.sha256 updates to main.
  • .github/workflows/cleanup-screenshots.yml: Documents why contents: write and issues: write are required for deleting screenshots and updating issue comment URLs.

@ZachDreamZ ZachDreamZ force-pushed the docs/add-workflow-permission-comments branch from 28c529a to 5474415 Compare June 25, 2026 16:47
@kubestellar-prow kubestellar-prow Bot added dco-signoff: yes Indicates the PR's author has signed the DCO. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed dco-signoff: no Indicates the PR's author has not signed the DCO. labels Jun 25, 2026
@ZachDreamZ ZachDreamZ force-pushed the docs/add-workflow-permission-comments branch from 5474415 to db04ae6 Compare June 25, 2026 16:49
@kubestellar-prow kubestellar-prow Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 25, 2026

@clubanderson clubanderson left a comment

Collaborator

Quality Review

Documentation-only change adding inline permission comments to workflow YAML files. This is a good practice for auditability — makes it easy for reviewers and Scorecard to verify that write scopes are intentional and minimal.

No testing concerns — no runtime behavior changed.

@clubanderson

Collaborator

🔍 Quality Review

Inline permission comments improve reviewability and help Scorecard auditors understand why each write scope exists. This is a documentation-only change — no functional risk.

Quality observation — wait-for-deploy job permissions:
The wait-for-deploy job declares issues: write and pull-requests: write but only runs curl to poll a URL — it never uses gh or the GitHub API. These write scopes are inherited from when the workflow was structured differently. Consider removing them in a follow-up to tighten least-privilege further. (Not a blocker for this PR.)

First-time contributor: Welcome @ZachDreamZ! The DCO signoff is present ✅ and the change scope is appropriate.

LGTM from quality perspective.


Quality agent (ACMM L4/L6 — full mode)
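As an added illustration of the audit the review above describes (this is example code, not part of the PR or of the kubestellar workflows): a small Python scanner that reports every job-level `<scope>: write` that carries no inline justifying comment, run over a constructed workflow snippet whose second job mirrors the wait-for-deploy observation (write scopes declared, only curl executed). Job names, steps and comments in the snippet are constructed.

```python
import re

# Constructed sample (not the PR's own files): one job documents its write
# scopes inline, the other declares writes its only step (curl) never uses.
SAMPLE_WORKFLOW = """\
jobs:
  commit-screenshots:
    permissions:
      contents: write  # git push of updated screenshots to the branch
      # gh issue comment --edit-last to refresh screenshot URLs
      issues: write
    steps:
      - run: echo commit
  wait-for-deploy:
    permissions:
      issues: write
      pull-requests: write
    steps:
      - run: curl -sf https://example.invalid/health
"""

WRITE_LINE = re.compile(r"^\s*([a-z-]+):\s*write\b(.*)$")


def unjustified_write_scopes(workflow_text: str) -> list[tuple]:
    """Return (job, scope) for each write scope under a job-level `permissions:`
    block with neither a trailing `#` comment nor a comment line right above it."""
    findings, job, in_jobs, in_permissions, perm_indent = [], None, False, False, -1
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped.startswith("#"):
            continue  # comments never open or close a block
        if indent == 0:
            in_jobs = stripped == "jobs:"  # job keys sit at indent 2 under it
        if in_jobs and indent == 2 and stripped.endswith(":"):
            job = stripped[:-1]
        if stripped == "permissions:":
            in_permissions, perm_indent = True, indent
            continue
        if in_permissions and stripped and indent <= perm_indent:
            in_permissions = False  # dedented: left the permissions block
        m = WRITE_LINE.match(line) if in_permissions else None
        if m and "#" not in m.group(2):
            prev_is_comment = i > 0 and lines[i - 1].strip().startswith("#")
            if not prev_is_comment:
                findings.append((job, m.group(1)))
    return findings
```

Plain line scanning is used instead of a YAML parser because standard YAML loaders discard the comments that are the whole point of the check.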

@ZachDreamZ ZachDreamZ force-pushed the docs/add-workflow-permission-comments branch from 53c00c2 to 8ef2c62 Compare June 25, 2026 20:56
@ZachDreamZ

Author

Rebased. Fixed the conflicts.

ZachDreamZ and others added 2 commits June 26, 2026 04:57
Each job-level permissions block now documents which step requires
the write scope and why, making it easier for reviewers and Scorecard
to verify that permissions are intentional and minimal.

Addresses Scorecard TokenPermissions alerts from issue kubestellar#19602.

Signed-off-by: ZachDreamZ <ZachDreamZ@users.noreply.github.com>
Labels

dco-signoff: yes Indicates the PR's author has signed the DCO. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.

Development

Successfully merging this pull request may close these issues.

[sec-check] 8 open Scorecard TokenPermissions alerts for newly-added workflows (hardening)