feat(github-actions): defined strict permissions for the alpha release workflow

Author: travi

src/semantic-release/ci-providers/github-workflows/release-workflow-for-alpha/scaffolder-test.js

@@ -32,8 +32,15 @@ suite('github release workflow scaffolder', () => {
       .withArgs({
         name: 'Release',
         on: {push: {branches: ['alpha']}},
+        permissions: {contents: 'read'},
         jobs: {
           release: {
+            permissions: {
+              contents: 'write',
+              'id-token': 'write',
+              issues: 'write',
+              'pull-requests': 'write'
+            },
             uses: reusableReleaseWorkflowReference,
             // eslint-disable-next-line no-template-curly-in-string
             secrets: {NPM_TOKEN: '${{ secrets.NPM_PUBLISH_TOKEN }}'}

src/semantic-release/ci-providers/github-workflows/release-workflow-for-alpha/scaffolder.js

@@ -10,8 +10,15 @@ export default async function ({projectRoot, nodeVersion}) {
     config: {
       name: 'Release',
       on: {push: {branches: ['alpha']}},
+      permissions: {contents: 'read'},
       jobs: {
         release: {
+          permissions: {
+            contents: 'write',
+            'id-token': 'write',
+            issues: 'write',
+            'pull-requests': 'write'
+          },
           uses: determineAppropriateWorkflow(nodeVersion),
           // eslint-disable-next-line no-template-curly-in-string
           secrets: {NPM_TOKEN: '${{ secrets.NPM_PUBLISH_TOKEN }}'}