
fix(ci): grant id-token: write at release-please.yml top level#115

Merged
theagenticguy merged 1 commit into main from fix/release-please-permissions-ceiling on May 15, 2026

Conversation

@theagenticguy (Owner)

Summary

Top-level `permissions: contents: read` in `.github/workflows/release-please.yml` was capping every job below it. The `release` job (which fans out to `release.yml` via `workflow_call` for the npm-publish step) declared `id-token: write` and `contents: write` at its own job level, but those declarations are silently a no-op when not in the top-level set.

Verified by inspecting the failing job's log header:

GITHUB_TOKEN Permissions
  Contents: read
  Metadata: read

`id-token: write` missing despite being declared at the job level in `release.yml`.

This is the root cause of every recent npm-publish failure on this repo:

Skipped OIDC: ERR_PNPM_AUTH_TOKEN_EXCHANGE: Failed token exchange request
with body message: Unknown error (status code 404)

The 404 isn't from npm rejecting trust — it's from GitHub returning no OIDC token because `id-token: write` wasn't actually granted to the runner. Verified all 17 `@opencodehub/*` packages already have the correct trust relationship (`release.yml` + `theagenticguy/opencodehub`) configured on npmjs.com via `npm trust list`.

Fix

Top-level `permissions:` is now the union of every permission used by any job, including those reached transitively via `workflow_call`. Each job continues to narrow to its own least-privilege subset, so Scorecard's Token-Permissions check still passes.

Test plan

  • `npm trust list @opencodehub/cli` → confirms trust relationship exists with workflow `release.yml`
  • Merge this PR. Push to main triggers Release Please workflow.
  • release-please opens release PR with version bumps from #113's `feat!:` commit (feat!: WASM-only parser path; drop native tree-sitter from runtime)
  • Merge release PR → `release.yml`'s npm-publish job → all 17 packages publish with provenance.
  • `npm view @opencodehub/cli version` returns 0.4.0
  • `npm install -g @opencodehub/cli@latest` works on a clean machine

Provenance

Durable lesson persisted: .erpaval/solutions/conventions/workflow-call-permissions-ceiling.md

The release.yml npm-publish job's `id-token: write` permission was
silently dropped because the calling workflow (release-please.yml) had
top-level `permissions: contents: read`. Per-job permissions can only
narrow the top-level ceiling; they cannot grant permissions the top
level didn't include.

Symptom on every release attempt:

  Skipped OIDC: ERR_PNPM_AUTH_TOKEN_EXCHANGE: Failed token exchange
  request with body message: Unknown error (status code 404)

The job's GITHUB_TOKEN Permissions block in the run log showed only
`Contents: read, Metadata: read` — `id-token: write` was missing despite
being declared at the job level in release.yml.

Fix: top-level `permissions:` now lists every permission used by any
job, including transitively via workflow_call. Each job still narrows
to its own least-privilege subset, so Scorecard's Token-Permissions
check still passes.

Trusted publisher relationships were already correctly configured for
all 17 @opencodehub/* packages; the OIDC failure was downstream of npm,
purely a GitHub Actions permission propagation bug.

Durable lesson:
.erpaval/solutions/conventions/workflow-call-permissions-ceiling.md
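As an added example (not code from the PR or the repository), the check below enforces the convention the PR adopts: a workflow's top-level `permissions:` must be the union of every permission any job declares, including jobs reached through `uses:` into a reusable workflow. The two workflow dicts are constructed stand-ins shaped like the description above (the `release-please` job's `pull-requests: write`, the step contents and the `./.github/workflows/release.yml` path are assumptions); in practice they would come from `yaml.safe_load()` on the real files.

```python
"""Lint: top-level `permissions:` must cover every job-level permission,
following `uses:` into reusable workflows (workflow_call).

Workflows are the dict shape yaml.safe_load() produces. The samples at
the bottom are constructed to mirror the PR description; they are not
the repository's files.
"""

LEVELS = {"none": 0, "read": 1, "write": 2}


def normalize(perms):
    """Return a `permissions:` value as {scope: level}.
    GitHub also accepts the shorthand strings `read-all` / `write-all`;
    those are recorded under the wildcard scope "*"."""
    if perms is None:
        return {}
    if isinstance(perms, str):
        return {"*": "read" if perms == "read-all" else "write"}
    return {scope: str(level) for scope, level in perms.items()}


def required_top_level(workflow, called=None):
    """Union (highest level per scope) of all job-level permissions.
    `called` maps a `uses:` path to the reusable workflow's dict so the
    called workflow's own job-level permissions are included too."""
    needed = {}
    for job in workflow.get("jobs", {}).values():
        sources = [normalize(job.get("permissions"))]
        target = job.get("uses")
        if called and target in called:
            sources.append(required_top_level(called[target], called))
        for perms in sources:
            for scope, level in perms.items():
                if LEVELS[level] > LEVELS[needed.get(scope, "none")]:
                    needed[scope] = level
    return needed


def ceiling_violations(workflow, called=None):
    """Scopes a job needs that the top-level block does not grant.
    Returns sorted (scope, needed_level, granted_level) tuples; an empty
    list means the top level is a proper ceiling for every job."""
    top = normalize(workflow.get("permissions"))
    violations = []
    for scope, level in required_top_level(workflow, called).items():
        granted = top.get(scope, top.get("*", "none"))
        if LEVELS[granted] < LEVELS[level]:
            violations.append((scope, level, granted))
    return sorted(violations)


# Constructed stand-in for the called workflow (release.yml).
RELEASE = {
    "on": {"workflow_call": {}},
    "jobs": {
        "npm-publish": {
            "permissions": {"id-token": "write", "contents": "read"},
            "runs-on": "ubuntu-latest",
            "steps": [{"run": "echo publish  # placeholder step"}],
        }
    },
}
CALLED = {"./.github/workflows/release.yml": RELEASE}  # assumed path

# Constructed stand-in for release-please.yml before the fix:
# the top level only grants contents: read.
BEFORE = {
    "on": {"push": {"branches": ["main"]}},
    "permissions": {"contents": "read"},
    "jobs": {
        "release-please": {
            "permissions": {"contents": "write", "pull-requests": "write"},
            "runs-on": "ubuntu-latest",
            "steps": [{"run": "echo release-please  # placeholder step"}],
        },
        "release": {
            "needs": "release-please",
            "uses": "./.github/workflows/release.yml",
            "permissions": {"id-token": "write", "contents": "write"},
        },
    },
}

# After the fix: the top level carries the union; jobs keep narrowing.
AFTER = dict(
    BEFORE,
    permissions={"contents": "write", "id-token": "write", "pull-requests": "write"},
)

if __name__ == "__main__":
    for name, wf in (("before", BEFORE), ("after", AFTER)):
        print(name, ceiling_violations(wf, CALLED) or "ok")
```

Run it as a pre-commit or CI step over every caller workflow; a non-empty list is exactly the situation the log header in this PR showed, a job-level grant that never reaches the runner.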
theagenticguy force-pushed the fix/release-please-permissions-ceiling branch from b741791 to ed05bba on May 15, 2026 15:36
theagenticguy merged commit a87a6eb into main on May 15, 2026
30 of 34 checks passed
theagenticguy deleted the fix/release-please-permissions-ceiling branch on May 15, 2026 15:41
github-actions bot mentioned this pull request on May 15, 2026