[ITSEC-2280] Update token permissions (#248)

* ITSEC-2280 Add Dependency Review job; Add SBOM signing.

* ITSEC-2280 Update CODEOWNERS to include Product Security on .github

* ITSEC-2280: Fix the dependency review action

Signed-off-by: immutable-art <[email protected]>

* ITSEC-2280 Update permissions for GH attestations

Signed-off-by: immutable-art <[email protected]>

---------

Signed-off-by: immutable-art <[email protected]>

Author: immutable-art

.github/workflows/publish.yaml

@@ -10,7 +10,8 @@ jobs:
     name: Publish to NPM
     runs-on: ubuntu-latest
     permissions:
-      attestations: write
+      id-token: write # Required for GitHub Attestation
+      attestations: write # Required for GitHub Attestation
     steps:
       - name: Checkout
         uses: actions/checkout@v2