Change permissions from read to write for contents

[sylveon]

#263 added granular permissions to grant id-token: write (which isn't granted by default). When doing this, I also added contents: read because granular permissions overwrite repo-level permissions, and not having it prevented the workflow from cloning its own repo.

However, the svenstaro/upload-release-action action requires contents: write, which the pipeline no longer had. Change contents to write (which implies read) to fix that.

[pierotofy]

Mm.

By default, these permissions are granted on push but not on pr - and you should be wary of adding them to workflows that run on pr, as they allow wide access to changing the entire repo's contents

https://github.com/svenstaro/upload-release-action?tab=readme-ov-file#permissions

[sylveon]

Previously, the write permission was implied this repository setting, but it didn't grant id-token: write (which is required for Azure Login):

However, now that we're using granular permission to grant id-token: write, it overrides this repo setting, so the permission was no longer implied and contents: read means the GITHUB_TOKEN no longer had write permission.

[pierotofy]

Maybe contents: read needs to be removed?

[sylveon]

Without contents: read, the GITHUB_TOKEN has no permission at all for contents - it can't clone the repo or upload release artifacts.

[pierotofy]

That makes sense. Thanks for the clarification. 🙏