fix: add explicit permissions to GitHub Actions workflows

[FrancesCoronel]

Summary

• Adds permissions: contents: read to chromatic.yml — restricts GITHUB_TOKEN to read-only since this workflow only checks out code and publishes to Chromatic externally
• Adds permissions: contents: write to purge-branch.yml — grants only the write scope needed to delete stale branches
• Resolves CodeQL actions/missing-workflow-permissions alerts for both workflows

Dependabot note

Dependabot alert #106 (elliptic <= 6.6.1, low severity) is a transitive dep from @storybook/nextjs with no upstream patch available — it is dev-only and not included in the production bundle.

Test plan

• Confirm CodeQL workflow permissions scan passes on this PR
• Verify Chromatic workflow still publishes successfully
• Verify purge-branch workflow still deletes/notifies branches on schedule

🤖 Generated with Claude Code

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
latina-dev	Ready	Preview, Comment	Apr 13, 2026 2:18am

[coderabbitai]

Warning

Rate limit exceeded

@FrancesCoronel has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 4 minutes and 56 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 4 minutes and 56 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8285e454-a7ae-4832-b814-174ba725fad2

📥 Commits

Reviewing files that changed from the base of the PR and between 2a23428 and b48ca24.

📒 Files selected for processing (1)

• .github/workflows/purge-branch.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/epic-volhard

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch claude/epic-volhard

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chromatic-com]

Tip

All tests passed and all changes approved!

🟢 UI Tests: 9 tests unchanged
🟢 UI Review: 9 stories published -- no changes
Storybook Publish: 9 stories published