ci(runway-ota): add actions: read permission for slack notification cp-7.79.1 cp-7.80.0

[tommasini]

Description

The runway-ota-rc.yml caller workflow was missing the actions: read permission required by the slack-rc-notification.yml reusable workflow.

GitHub Actions enforces that a reusable workflow cannot use permissions that the calling workflow has not already granted. slack-rc-notification.yml declares actions: read (needed by actions/download-artifact@v4 to download the Android Play Store check report), but runway-ota-rc.yml only granted contents: read, pull-requests: read, and id-token: write. This caused the workflow validation step to fail with:

Error calling workflow '…slack-rc-notification.yml…'. The workflow is requesting 'actions: read', but is only allowed 'actions: none'.

The fix adds actions: read to the permissions block in runway-ota-rc.yml.

Changelog

CHANGELOG entry: null

Related issues

Fixes:

Manual testing steps

N/A

Screenshots/Recordings

Before

N/A

After

N/A

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Performance checks (if applicable)

• I've tested on Android
  • Ideally on a mid-range device; emulator is acceptable
• I've tested with a power user scenario
  • Use these power-user SRPs to import wallets with many accounts and tokens
• I've instrumented key operations with Sentry traces for production performance metrics
  • See trace() for usage and addToken for an example

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

Made with Cursor

---

Note

Low Risk
Single CI permission line; no app, auth, or release logic changes.

Overview
Grants actions: read on the Runway OTA RC caller workflow so it can invoke slack-rc-notification.yml without GitHub rejecting the run.

Reusable workflows only get permissions the caller explicitly allows; the Slack workflow needs actions: read for actions/download-artifact@v4 (Android Play Store check report). Without this line, validation fails with actions: none vs actions: read.

^{Reviewed by Cursor Bugbot for commit d8d24e7. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[Cal-L]

LGTM