A simple workflow to pull the repo

[TapdancingRodent]

This is a test of logging of the id-token permission on GitHub Runners

[TapdancingRodent]

With default settings, a checkout succeeds and permissions are reported as

GITHUB_TOKEN Permissions
  Contents: read
  Metadata: read
  Packages: read

[TapdancingRodent]

With write permissions in workflows, a checkout succeeds and permissions are reported as

GITHUB_TOKEN Permissions
  Actions: write
  Attestations: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

[TapdancingRodent]

With only the id-token permission set, a checkout (mysteriously) succeeds and permissions are reported as

GITHUB_TOKEN Permissions
  Metadata: read

[TapdancingRodent]

With contents and id-token permissions set, a checkout succeeds and permissions are reported as

GITHUB_TOKEN Permissions
  Contents: read
  Metadata: read

[TapdancingRodent]

Addendum: neither the Attestations or Discussions token permissions logged in the workflow runs appear to be documented