fix: Adjust workflow permissions (#1307)

Signed-off-by: Marcelo E. Magallon <marcelo.magallon@grafana.com>

Author: mem

.github/workflows/build_and_publish.yaml

@@ -6,7 +6,6 @@ on:
         type: string
 
 permissions:
-  contents: none
   packages: none
 
 jobs:
@@ -15,6 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      id-token: none
     outputs:
       repo_name: ${{ steps.info.outputs.repo_name }}
     steps:
@@ -43,6 +43,7 @@ jobs:
     runs-on: github-hosted-ubuntu-${{ matrix.arch }}
     permissions:
       contents: write # needed to upload build artifacts
+      id-token: none
 
     container:
       image: ghcr.io/grafana/grafana-build-tools:v0.40.3@sha256:1e112c01108b888ae64e786e6d13a8e46c02884f94ccf784ad646d906ac97254
@@ -319,6 +320,7 @@ jobs:
     runs-on: github-hosted-ubuntu-x64-small
     permissions:
       contents: read
+      id-token: none
     steps:
       # The following two steps are needed because trigger-argo-workflow is
       # calling setup-go *after* setup-argo, and setup-argo actually needs go

.github/workflows/build_and_publish_main.yaml

@@ -5,13 +5,15 @@ on:
     branches:
       - main
 
-# This is needed so that pushing to GAR works.
 permissions:
   contents: none
   packages: none
 
 jobs:
   call_build_and_publish:
+    permissions:
+      contents: write # Necessary to publish artifacts
+      id-token: write # Necessary to publish to GAR
     uses: ./.github/workflows/build_and_publish.yaml
     with:
       mode: dev

.github/workflows/build_and_publish_tag.yaml

@@ -12,6 +12,9 @@ permissions:
 
 jobs:
   call_build_and_publish:
+    permissions:
+      contents: write # Necessary to publish artifacts
+      id-token: write # Necessary to publish to GAR
     uses: ./.github/workflows/build_and_publish.yaml
     with:
       mode: prod