Fix permissions to enable configure-aws-credentials

See https://github.com/aws-actions/configure-aws-credentials and also
how proof-debugger does it.

.github/workflows/release-brew.yaml

@@ -55,6 +55,8 @@ jobs:
   homebrew-pr:
     name: Homebrew Bump Formula PR
     runs-on: macos-latest
+    permissions:
+      id-token: write
     steps:
       - name: Authenticate GitHub workflow to AWS
         uses: aws-actions/configure-aws-credentials@v4
@@ -84,6 +86,9 @@ jobs:
       matrix:
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
+    permissions:
+      id-token: write
+      contents: write
     steps:
       - name: Set up Homebrew
         id: set-up-homebrew
@@ -100,6 +105,7 @@ jobs:
           echo "BOT_EMAIL=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')" >> $GITHUB_ENV
           echo "HOMEBREW_GITHUB_API_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
           echo "FORK_REPO=https://$HOMEBREW_GITHUB_API_TOKEN@github.com/$BOT_USER/homebrew-$(echo $TAP |cut -d / -f 2).git" >> $GITHUB_ENV
+          echo "GITHUB_TOKEN=$HOMEBREW_GITHUB_API_TOKEN" >> $GITHUB_ENV
 
       - name: Checkout PR
         run: |
@@ -151,6 +157,8 @@ jobs:
   update-pr:
     needs: build-bottle
     runs-on: macos-latest
+    permissions:
+      id-token: write
     steps:
     - uses: actions/download-artifact@v3
       with:

.github/workflows/release-pypi.yaml

@@ -11,34 +11,36 @@ jobs:
   upload-to-pypi:
     name: Upload to PyPi
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: write
     steps:
       - uses: actions/checkout@v2
       - name: Install dependencies
         run: python3 -m pip install --upgrade pip build setuptools wheel twine
       - name: Build pip package
         run: python3 -m build
+      - name: Authenticate GitHub workflow to AWS
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.AWS_ROLE }}
+          aws-region: ${{ env.AWS_REGION }}
+      - name: Fetch secrets
+        run: |
+          echo "GITHUB_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+          echo "TWINE_PASSWORD=$(aws secretsmanager get-secret-value --secret-id PYPI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
       - name: set asset path and name
         id: get_package_name
         run: |
           package_name="$(ls dist/*.whl | cut -d "/" -f 2)"
           echo "::set-output name=package_name::$package_name"
       - name: Upload release binary
         uses: actions/upload-release-asset@v1.0.2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ github.event.release.upload_url }}
           asset_path: dist/${{ steps.get_package_name.outputs.package_name }}
           asset_name: ${{ steps.get_package_name.outputs.package_name }}
           asset_content_type: application/zip
-      - name: Authenticate GitHub workflow to AWS
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: ${{ env.AWS_ROLE }}
-          aws-region: ${{ env.AWS_REGION }}
-      - name: Fetch secrets
-        run: |
-          echo "TWINE_PASSWORD=$(aws secretsmanager get-secret-value --secret-id PYPI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
       - name: Upload to PyPi
         env:
           TWINE_USERNAME: __token__

.github/workflows/release.yaml

@@ -13,6 +13,9 @@ jobs:
   Release:
     name: CBMC viewer release
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v2