fix: update publish permissions #271

	name: Test

	on:
	# This workflow is triggered on pull requests to the main branch.
	pull_request:
	# milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow).
	types: [milestoned, opened, reopened, synchronize]
	paths-ignore:
	- "**.md"
	- "**.jpg"
	- "**.png"
	- "**.gif"
	- "**.svg"
	- adr/**
	- docs/**
	- .gitignore
	- renovate.json
	- .release-please-config.json
	- release-please-config.json
	- CODEOWNERS
	- LICENSE
	- CONTRIBUTING.md
	- SECURITY.md
	- config/renovate.json5

	# Permissions for the GITHUB_TOKEN used by the workflow.
	permissions:
	contents: read # Allows reading the content of the repository.
	packages: read # Allows reading the content of the repository's packages.
	id-token: write

	jobs:
	check-flavor:
	runs-on: ubuntu-latest
	steps:
	- name: Checkout repository
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

	- name: test-flavor
	uses: ./.github/actions/test-flavor
	id: test-flavor
	outputs:
	upgrade-flavors: ${{ steps.test-flavor.outputs.upgrade-flavors }}

	validate:
	needs: check-flavor
	strategy:
	fail-fast: false
	matrix:
	type: [install, upgrade]
	flavor: [upstream, unicorn, registry1]
	uses: ./.github/workflows/callable-test.yaml
	with:
	upgrade-flavors: ${{ needs.check-flavor.outputs.upgrade-flavors }}
	flavor: ${{ matrix.flavor }}
	type: ${{ matrix.type }}
	secrets: inherit # Inherits all secrets from the parent workflow.

Provide feedback