Address issues discovered by zizmor

1. Don't persist credentials
2. Scope broader permissions to the specific step

Signed-off-by: Ben Cotton <ben@kusari.dev>

.github/workflows/release.yaml

@@ -21,8 +21,7 @@ on:
 
 permissions:
   actions: read   # for detecting the Github Actions environment.
-  packages: write # To publish container images to GHCR
-  id-token: write # needed for signing the images with GitHub OIDC Token **not production ready**
+  packages: read # To publish container images to GHCR
 
 jobs:
   build-n-release:
@@ -40,6 +39,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # tag=v3
+        with:
+          persist-credentials: false
       - name: Login to GitHub Container Registry
         uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
         with:
@@ -67,6 +68,8 @@ jobs:
           pack build --env NODE_ENV=production ${IMAGE_URI}:${{ github.ref_name }} --builder ${BUILDER} --buildpack ${BUILDPACK} --publish --sbom-output-dir ${BUILDPACK_SBOM_OUTPUT_DIR}
           echo "IMAGE_DIGEST=$(crane digest ${IMAGE_URI}:${{ github.ref_name }})" >> $GITHUB_OUTPUT
       - name: Sign and verify image
+        permissions:
+          packages: write # To publish container images to GHCR
         run: |
           #!/usr/bin/env bash
           set -euo pipefail
@@ -85,6 +88,8 @@ jobs:
     needs: [build-n-release]
     if: startsWith(github.ref, 'refs/tags/')
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 # must use semver here
+    permissions:
+      id-token: write # needed for signing the images with GitHub OIDC Token **not production ready**
     with:
       image: ${{ needs.build-n-release.outputs.image }}
       digest: ${{ needs.build-n-release.outputs.digest }}