CI: Testing oidc

Author: ivgonzalezc

.github/workflows/release.yml

@@ -16,13 +16,14 @@ on:
 
 # Releases need permissions to read and write the repository contents.
 # GitHub considers creating releases and uploading assets as writing contents.
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
 
   unit_test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -48,6 +49,8 @@ jobs:
   # Sonar scan is not required for dependabot PRs
     runs-on: ubuntu-latest
     needs: unit_test
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -96,6 +99,9 @@ jobs:
   goreleaser:
     runs-on: ubuntu-latest
     needs: [unit_test, sonarqube]
+    permissions:
+      contents: write
+      id-token: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with: