
fix: add actions:read permission to retro role #835

Status: Closed
ralphbean wants to merge 1 commit into main from fix/retro-actions-permission

Conversation

@ralphbean (Contributor) commented May 12, 2026

Summary

  • Adds actions: read permission to the retro role's installation token
  • Fixes 403 Forbidden errors when retro agent tries to access workflow run logs and artifacts
  • Aligns implementation with design spec that explicitly requires read access to workflow runs and artifacts

Problem

The retro agent was getting 403 Forbidden errors when attempting to:

  • Read workflow run logs via gh run view --log
  • Download workflow run artifacts

This prevented the agent from performing root cause analysis on agent runs, forcing it to hedge with statements like "cannot confirm definitively without log access (403 Forbidden)".

Evidence from run 25748112694:

  • "Logs inaccessible: All run logs return Forbidden, preventing verification of what fullsend post-review actually did"
  • "Artifacts inaccessible: Cannot download the fullsend-review artifacts to inspect agent-result.json"

Solution

The token mint service (internal/mint/main.go) defines a rolePermissions map that specifies which GitHub API permissions each agent role receives. The retro role was missing "actions": "read", which is required to access workflow runs and their artifacts.

The design spec (docs/superpowers/specs/2026-05-04-retro-agent-design.md:187) explicitly states:

The retro agent gets its own GitHub App with scoped permissions: read access to repos, issues, PRs, workflow runs, and artifacts

This one-line change adds the missing permission.

Deployment

After merge, the token mint Cloud Function needs to be redeployed with the updated rolePermissions map. Future retro agent runs will then receive tokens with actions: read permission.

Test plan

  • Verified the change compiles
  • Ran make lint (passes)
  • Reviewed design spec to confirm this aligns with intended permissions
  • After deployment: verify retro agent can access workflow logs in a test run

Fixes #834

🤖 Generated with Claude Code

The retro agent needs to access workflow run logs and download artifacts
to analyze agent behavior, but was getting 403 Forbidden errors. The
rolePermissions map was missing "actions": "read" for the retro role,
despite the design spec explicitly stating the agent should have read
access to workflow runs and artifacts.

Fixes #834

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@github-actions commented:

fullsend review is working on this — view logs

@github-actions commented:

Site preview

Preview: https://a8888937-site.fullsend-ai.workers.dev

Commit: 245dd4dcf0bb40aa78f4277b838df9d4f152adcf

@fullsend-ai-review commented:

Review: #835

Head SHA: 245dd4d
Timestamp: 2026-05-12T18:00:00Z
Outcome: approve

Summary

This is a correct, minimal fix that adds "actions": "read" to the retro role's permission set in the rolePermissions map. The change directly addresses issue #834 (retro agent 403 Forbidden on workflow logs/artifacts) and aligns with the design spec, which explicitly states the retro agent should have read access to workflow runs and artifacts. The "actions" key is already used by the fullsend role at write level, confirming API compatibility. No security concerns — this grants read-only access consistent with the retro role's read-heavy profile.

Findings

Info

  • [missing-test] internal/mint/main.go:682-690 — No unit test asserts the specific permission keys/values for each role in rolePermissions. This is a pre-existing gap not introduced by this PR; the existing tests cover role lookup and token creation flow but don't validate per-role permission sets.

Footer

Outcome: approve
This review applies to SHA 245dd4dcf0bb40aa78f4277b838df9d4f152adcf. Any push to the PR head clears this review and requires a new evaluation.
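The rolePermissions map the PR description explains and the per-role permission test the review marks as missing, as an added Go illustration that is not the project's own code: the map layout, role names and permission keys below are assumptions (the retro entries follow the design spec quoted in the PR, and the fullsend `actions: write` entry follows the review comment), `MissingPermissions` reports keys that are absent or granted below the required level, and `ExcessWrites` flags write grants on a role whose profile is read-only.

```go
package main

import (
	"fmt"
	"sort"
)

// levelRank orders GitHub App permission levels; an absent key ranks 0.
var levelRank = map[string]int{"read": 1, "write": 2}

// rolePermissionsBefore is a constructed stand-in for the rolePermissions map
// in internal/mint/main.go as it stood before this PR. The real map is not
// shown on the page, so the layout, role names and keys here are assumptions:
// the retro entries follow the design spec quoted in the PR, and the fullsend
// "actions": "write" entry follows the review comment.
var rolePermissionsBefore = map[string]map[string]string{
	"retro": {
		"contents":      "read",
		"issues":        "read",
		"pull_requests": "read",
		// "actions" is absent: the gap behind the 403s reported in #834.
	},
	"fullsend": {
		"contents":      "write",
		"pull_requests": "write",
		"actions":       "write",
	},
}

// retroRequired is the permission set the design spec requires for the retro
// role: read access to repos, issues, PRs, workflow runs and artifacts (the
// last two are both covered by the "actions" permission).
var retroRequired = map[string]string{
	"contents":      "read",
	"issues":        "read",
	"pull_requests": "read",
	"actions":       "read",
}

// withPermission returns a copy of perms with one extra (or raised) entry,
// leaving the original map untouched.
func withPermission(perms map[string]string, key, level string) map[string]string {
	out := make(map[string]string, len(perms)+1)
	for k, v := range perms {
		out[k] = v
	}
	out[key] = level
	return out
}

// rolePermissionsAfter is rolePermissionsBefore with the PR's one-line fix applied.
var rolePermissionsAfter = map[string]map[string]string{
	"retro":    withPermission(rolePermissionsBefore["retro"], "actions", "read"),
	"fullsend": rolePermissionsBefore["fullsend"],
}

// MissingPermissions returns, sorted, every key in want that have either lacks
// or grants at a lower level than required. Sorting keeps test output stable
// across Go's randomized map iteration order.
func MissingPermissions(have, want map[string]string) []string {
	var missing []string
	for key, wantLevel := range want {
		if levelRank[have[key]] < levelRank[wantLevel] {
			missing = append(missing, key)
		}
	}
	sort.Strings(missing)
	return missing
}

// ExcessWrites returns, sorted, every key granted at "write" level. For a role
// whose profile is read-only, a non-empty result is a least-privilege violation.
func ExcessWrites(have map[string]string) []string {
	var writes []string
	for key, level := range have {
		if level == "write" {
			writes = append(writes, key)
		}
	}
	sort.Strings(writes)
	return writes
}

func main() {
	fmt.Println("retro missing before fix:", MissingPermissions(rolePermissionsBefore["retro"], retroRequired))
	fmt.Println("retro missing after fix: ", MissingPermissions(rolePermissionsAfter["retro"], retroRequired))
	fmt.Println("retro write grants:      ", ExcessWrites(rolePermissionsAfter["retro"]))
}
```

A unit test built from these two checks pins each role's permission set to its spec: `MissingPermissions` catches a regression like the one this PR fixes, and `ExcessWrites` catches the opposite drift, a read-only role quietly gaining write scope when someone copies an entry from a more privileged role.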

@ralphbean (Contributor, Author) commented:

Closing in favor of #828 which now includes this change (cherry-picked).


Labels: None yet
Projects: None yet
Development: successfully merging this pull request may close the linked issue "Retro agent gets 403 Forbidden when accessing workflow run logs"
1 participant