Enabling GitHub attestations results in overly broad permissions #2133
Description
Currently, when github-attestations = true, release.yml ends up having a permission structure like shown below
name: Release
permissions:
"attestations": "write"
"contents": "write"
"id-token": "write"
...
jobs:
...In practice, having attestations and id-token write at the workflow level is considered bad practice per zizmor.
Ideally, these permissions should be set at the corresponding job that generates attestations instead. For example,
...
build-local-artifacts:
...
permissions:
"attestations": "write"
"contents": "read"
"id-token": "write"
steps:
...or
host:
...
permissions:
"attestations": "write"
"contents": "write"
"id-token": "write"
steps:
...Since these are builtin jobs, I believe these permissions would not need to be exposed to the end-user for configurability.