ci(release): grant SLSA provenance permissions

[CybotTM]

Summary

Grants the two permissions the upstream reusable release workflow at netresearch/skill-repo-skill needs in order to publish a SLSA build-provenance attestation for every release archive.

     permissions:
-      contents: write
-      pull-requests: write
+      contents: write          # release upload
+      id-token: write          # OIDC for sigstore (required by the attest job)
+      attestations: write      # GitHub native attestation API (required by the attest job)

Why

This is part of an org-wide rollout flipping SLSA build-provenance attestations to always on in the reusable release workflow. The first cut shipped the feature behind an opt-in input (with: attest: true); on review, opt-in was the wrong call — every release artefact in the org should have provenance, and the cost of "always on" is a tiny one-time permission grant per consumer (this PR).

Sequencing

This PR lands first. After every consumer of netresearch/skill-repo-skill/.github/workflows/release.yml@main has merged the equivalent change, the upstream will drop the opt-in input and the if: gate so the attest job always runs. No window of broken releases either way: callers that already grant the permissions are forward-compatible.

Test plan

• CI green on this PR
• After upstream removes the opt-in, the next release here will produce SLSA attestations verifiable via gh attestation verify <archive> --owner netresearch

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None