fix: remove id-token, propigate content read for release intergration

Author: reggi

.github/workflows/release-integration.yml

@@ -29,8 +29,6 @@ jobs:
  defaults:
  run:
  shell: bash
- permissions:
- id-token: write
  steps:
  - name: Checkout
  uses: actions/checkout@v4

.github/workflows/release.yml

@@ -244,7 +244,7 @@ jobs:
  if: needs.release.outputs.releases
  uses: ./.github/workflows/release-integration.yml
  permissions:
- id-token: write
+ contents: read
  secrets:
  PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
  with:

lib/content/_job-release-integration-yml.hbs

@@ -3,10 +3,6 @@ runs-on: ubuntu-latest
 defaults:
  run:
  shell: bash
-{{#if publish}}
-permissions:
- id-token: write
-{{/if}}
 steps:
  {{#if publish}}
  {{> stepsSetupYml jobCheckout=(obj ref="${{ fromJSON(inputs.releases)[0].tagName }}") }}

lib/content/release-yml.hbs

@@ -186,7 +186,7 @@ jobs:
  uses: ./.github/workflows/release-integration.yml
  {{#if publish}}
  permissions:
- id-token: write
+ contents: read
  secrets:
  PUBLISH_TOKEN: $\{{ secrets.PUBLISH_TOKEN }}
  {{/if}}