Standardize permissions with other workflows (#17)

Author: sethvargo

.github/workflows/draft-release.yml

@@ -13,13 +13,12 @@ on:
           - 'minor'
           - 'patch'
 
-permissions:
-  contents: 'read'
-  pull-requests: 'write'
-
 jobs:
   draft-release:
     uses: 'google-github-actions/.github/.github/workflows/draft-release.yml@v3' # ratchet:exclude
+    permissions:
+      contents: 'read'
+      pull-requests: 'write'
     with:
       version_strategy: '${{ github.event.inputs.version_strategy }}'
     secrets:

.github/workflows/publish.yml

@@ -6,14 +6,13 @@ on:
     types:
       - 'published'
 
-permissions:
-  contents: 'read'
-  id-token: 'write'
-  packages: 'write'
-
 jobs:
   publish:
     runs-on: 'ubuntu-latest'
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+      packages: 'write'
 
     steps:
       - name: 'Checkout'

.github/workflows/release.yml

@@ -6,12 +6,12 @@ on:
       - 'main'
       - 'release/**/*'
 
-permissions:
-  contents: 'read'
-  packages: 'write'
-
 jobs:
   release:
     uses: 'google-github-actions/.github/.github/workflows/release.yml@v3' # ratchet:exclude
+    permissions:
+      attestations: 'write'
+      contents: 'write'
+      packages: 'write'
     secrets:
       ACTIONS_BOT_TOKEN: '${{ secrets.ACTIONS_BOT_TOKEN }}'