fix(ci): release github action needs correct github token permissions

Author: ethan-ozelius-contentful

.contentful/vault-secrets.yaml

@@ -3,7 +3,4 @@ services:
   github-action:
     policies:
       - dependabot
-  circleci:
-    policies:
       - semantic-release-ecosystem
-      - packages-read

.github/workflows/build.yaml

@@ -2,15 +2,31 @@ name: Build
 
 permissions:
   contents: read
+  id-token: write
 
 on:
   workflow_call:
+    secrets:
+      VAULT_URL:
+        required: true
 
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
+      - name: 'Retrieve Secrets from Vault'
+        id: vault
+        uses: hashicorp/[email protected]
+        with:
+          url: ${{ secrets.VAULT_URL }}
+          role: ${{ github.event.repository.name }}-github-action
+          method: jwt
+          path: github-actions
+          exportEnv: false
+          secrets: |
+            github/token/${{ github.event.repository.name }}-semantic-release token | GITHUB_TOKEN;
+    
       - name: Checkout code
         uses: actions/checkout@v5
 

.github/workflows/main.yaml

@@ -8,7 +8,12 @@ on:
 
 jobs:
   build:
+    permissions:
+      contents: read
+      id-token: write
     uses: ./.github/workflows/build.yaml
+    secrets:
+      VAULT_URL: ${{ secrets.VAULT_URL }}
 
   check:
     needs: build