Open
Currently, when `github-attestations = true`, `release.yml` ends up having a permission structure like the one shown below:
```yaml
name: Release
permissions:
  "attestations": "write"
  "contents": "write"
  "id-token": "write"
...
jobs:
...
```
In practice, having `attestations` and `id-token` write at the workflow level is considered bad practice per zizmor.
Ideally, these permissions should be set at the corresponding job that generates attestations instead. For example,
```yaml
...
build-local-artifacts:
  ...
  permissions:
    "attestations": "write"
    "contents": "read"
    "id-token": "write"
  steps:
  ...
```
or
```yaml
host:
  ...
  permissions:
    "attestations": "write"
    "contents": "write"
    "id-token": "write"
  steps:
  ...
```
Since these are built-in jobs, I believe these permissions would not need to be exposed to the end-user for configurability.
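As an added example (not code from this issue or from the project), the check below does the two things a reviewer would want here: it flags every job that silently inherits a workflow-level `id-token: write` or `attestations: write`, and it rewrites the workflow so those scopes move onto the jobs whose steps use an `actions/attest-*` action. The sample workflow is constructed for the example: the job names are the ones quoted in the issue, while the `plan` job and all step bodies are hypothetical. It only needs Ruby's standard-library YAML parser.

```ruby
require 'yaml'

# Constructed sample, not the project's generated release.yml: it has the shape
# the issue describes (attestations/id-token write at the workflow level) and the
# job names the issue quotes. The `plan` job and all step bodies are hypothetical.
SAMPLE_WORKFLOW = <<~YAML
  name: Release
  permissions:
    attestations: write
    contents: write
    id-token: write
  jobs:
    plan:
      runs-on: ubuntu-latest
      steps:
        - run: echo plan
    build-local-artifacts:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/attest-build-provenance@v2
    host:
      runs-on: ubuntu-latest
      steps:
        - run: echo host
YAML

# Scopes that should never be granted to every job in a workflow: id-token lets a
# job mint OIDC tokens, attestations lets it publish provenance for the repo.
SENSITIVE = %w[id-token attestations].freeze

def workflow_permissions(wf)
  wf['permissions'].is_a?(Hash) ? wf['permissions'] : {}
end

# Report jobs that silently inherit a sensitive workflow-level write scope. A job
# with its own `permissions:` block does not inherit anything, so it is skipped.
def audit_permissions(yaml_text)
  wf = YAML.safe_load(yaml_text)
  broad = SENSITIVE.select { |scope| workflow_permissions(wf)[scope] == 'write' }
  return [] if broad.empty?

  (wf['jobs'] || {}).each_with_object([]) do |(name, job), out|
    next if job.is_a?(Hash) && job.key?('permissions')
    out << { job: name, inherited: broad }
  end
end

def uses_attest_action?(job)
  Array(job['steps']).any? do |step|
    step.is_a?(Hash) && step['uses'].to_s.start_with?('actions/attest-')
  end
end

# Move sensitive write scopes from the workflow level onto the jobs that use an
# attestation action. A job-level block replaces the inherited one entirely
# (unlisted scopes become `none`), so the job gets a copy of the workflow block
# it previously inherited; narrow `contents` per job afterwards if it only reads.
def scope_down(yaml_text)
  wf = YAML.safe_load(yaml_text)
  top = workflow_permissions(wf)
  moved = top.select { |scope, level| SENSITIVE.include?(scope) && level == 'write' }
  wf['permissions'] = top.reject { |scope, _| moved.key?(scope) }

  (wf['jobs'] || {}).each_value do |job|
    next unless job.is_a?(Hash) && !job.key?('permissions') && uses_attest_action?(job)
    job['permissions'] = top.dup
  end
  wf
end

if __FILE__ == $PROGRAM_NAME
  audit_permissions(SAMPLE_WORKFLOW).each do |f|
    puts "job #{f[:job]} inherits workflow-level write on #{f[:inherited].join(', ')}"
  end
  puts scope_down(SAMPLE_WORKFLOW).to_yaml
end
```

Run against a real `release.yml` by replacing `SAMPLE_WORKFLOW` with `File.read(path)`. The rewrite copies the whole inherited block rather than guessing a minimal one because a job-level `permissions:` block zeroes every scope it does not list; after the move, drop `contents` to `read` on jobs that only build and upload artifacts, as the issue suggests for `build-local-artifacts`.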