fix(ci): unblock the release workflow (reusable-workflow permission startup failure)#232

Merged: SamErde merged 1 commit into main from fix/release-workflow-reusable-permissions, Jun 2, 2026
Conversation

SamErde (Owner) commented Jun 2, 2026

Why

Release-and-Publish startup_failed on both pull_request: closed (run 26821404801) and workflow_dispatch (run 26821603517) after #228 merged, so 2.2.0 never published. A startup failure means the workflow file is rejected before any job runs.

Root cause

#228 added a changes job to the reusable Build Module.yml that declares:

permissions:
  contents: read
  pull-requests: read

Release-and-Publish.yml calls that workflow via uses: ./.github/workflows/Build Module.yml, and its build-and-test caller granted only contents: read + security-events: write.

A reusable workflow's jobs may not request permissions the caller did not grant (docs: "permissions can only be maintained or reduced—not elevated"). GitHub validates this statically at startup, before any if: skip is evaluated — so even though changes is skipped on the workflow_call (release) path, its excess pull-requests: read request fails the entire run before it starts. That's why both triggers failed deterministically, while direct-PR runs of Build Module.yml (no caller cap) were unaffected. The 2.1.2 release (no changes job) worked.

Fix

Grant pull-requests: read on the build-and-test caller so static validation passes. The permission is unused on the release path (the changes job is skipped there) and is read-only and minimal. Comment added explaining why a future reader must not remove it.

Scope / safety

  • CI-only change (.github/workflows/**) — it is excluded from the release path filter, so merging this does not itself publish a gallery version.
  • After merge, 2.2.0 is cut by a manual workflow_dispatch of Release-and-Publish (or by the next bundle PR).

Not in this PR

The unresolved Codex P2 on #231 ("include the policy in release triggers") is a separate, valid concern about which future edits trigger a publish. Tracked and replied to on #231; addressed separately so this stays a focused startup fix.

Release-and-Publish startup_failed on both pull_request:closed and
workflow_dispatch after #228, so 2.2.0 never published.

Root cause: #228 added a "changes" job to the reusable Build Module.yml
that declares pull-requests: read. Release calls that workflow via uses:,
and its build-and-test caller granted only contents: read +
security-events: write. A reusable workflow's jobs may not request
permissions the caller did not grant; GitHub validates this STATICALLY at
startup (before any if: skip), so even though "changes" is skipped on the
workflow_call path, the excess request fails the whole run before it starts.

Grant pull-requests: read on the caller so static validation passes. The
permission is unused on the release path (the "changes" job is skipped
there) and is read-only and minimal.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
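A local check for the startup rule described above, added here as an illustration and not code from this PR or repository. It mirrors GitHub's per-scope rule that a called workflow may keep or reduce but never elevate a GITHUB_TOKEN permission, evaluated over every callee job regardless of any `if:` condition; the dicts are constructed stand-ins for the parsed YAML, and the second callee job name is hypothetical.

```python
"""Offline check mirroring GitHub's static rule that a reusable workflow's
jobs may not request GITHUB_TOKEN permissions the caller did not grant.
Example code, not part of the project; workflow contents are constructed."""

# Permission levels as an ordering: a callee may keep or reduce, never elevate.
LEVELS = {"none": 0, "read": 1, "write": 2}


def find_elevations(caller_grants: dict, callee_jobs: dict) -> list:
    """Return (job, scope, requested, granted) for every scope a callee job
    requests above what the caller granted. Every job is checked, skipped or
    not, because GitHub validates this before any `if:` is evaluated."""
    violations = []
    for job_name, job in callee_jobs.items():
        for scope, requested in job.get("permissions", {}).items():
            granted = caller_grants.get(scope, "none")
            if LEVELS[requested] > LEVELS[granted]:
                violations.append((job_name, scope, requested, granted))
    return violations


# Callee: the reusable Build Module.yml with the `changes` job added in #228.
# Its `if:` skips it on the workflow_call path, yet its request still counts.
BUILD_MODULE_JOBS = {
    "changes": {
        "if": "github.event_name == 'pull_request'",
        "permissions": {"contents": "read", "pull-requests": "read"},
    },
    # Hypothetical second job (not from the page) that consumes the
    # security-events: write grant the caller already had.
    "build": {"permissions": {"contents": "read", "security-events": "write"}},
}

# Caller `build-and-test` job before the fix: no pull-requests grant.
CALLER_BEFORE = {"contents": "read", "security-events": "write"}
# After the fix: the read-only grant the skipped job still needs statically.
CALLER_AFTER = {"contents": "read", "security-events": "write",
                "pull-requests": "read"}

if __name__ == "__main__":
    for label, grants in (("before", CALLER_BEFORE), ("after", CALLER_AFTER)):
        problems = find_elevations(grants, BUILD_MODULE_JOBS)
        print(label, "startup_failed" if problems else "ok", problems)
```

Running it before the fix reports the `pull-requests` elevation on `changes`; after the fix it reports nothing, which is the condition that lets the release workflow start.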
Copilot AI review requested due to automatic review settings June 2, 2026 13:22
github-actions Bot (Contributor) commented Jun 2, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

codacy-production (Contributor) commented

Up to standards ✅

🟢 Issues: 0 new issues


Copilot AI (Contributor) left a comment

Pull request overview

Fixes a startup_failure that blocked the 2.2.0 release by adding the pull-requests: read permission to the build-and-test caller job in Release-and-Publish.yml. The reusable Build Module.yml (introduced in #228) declares a changes job with pull-requests: read, and GitHub validates reusable-workflow permissions statically at startup — so even though the job is skipped on the release path, the missing caller permission rejected the entire workflow.

Changes:

  • Grants pull-requests: read to the build-and-test job that calls Build Module.yml.
  • Adds a comment explaining why the permission must remain even though it appears unused on the release path.

SamErde merged commit 6a8fab2 into main Jun 2, 2026
16 checks passed
SamErde deleted the fix/release-workflow-reusable-permissions branch June 2, 2026 14:34