chore(ci): refactor more workflows to scope permissions (#1979)

* chore(ci): refactor more workflows to scope permissions

* chore(ci): revert change

* chore(ci): add scoped id-token

Author: dreamorosi

Diff for: .github/workflows/make-v2-release.yml

@@ -15,7 +15,6 @@ jobs:
     # Needed as recommended by npm docs on publishing with provenance https://docs.npmjs.com/generating-provenance-statements
     permissions:
       id-token: write
-      contents: write
     environment: Release
     runs-on: ubuntu-latest
     outputs:

Diff for: .github/workflows/on_doc_merge.yml

@@ -14,10 +14,9 @@ permissions:
 jobs:
   release-docs:
     permissions:
-      actions: write
-      id-token: write
+      id-token: write  # trade JWT token for AWS credentials in AWS Docs account
     secrets: inherit
-    uses: ./.github/workflows/reusable-publish-docs.yml
+    uses: ./.github/workflows/reusable_publish_docs.yml
     with:
       version: main
       alias: stage

Diff for: .github/workflows/publish_layer.yml

@@ -1,9 +1,7 @@
 name: Deploy layer to all regions
 
 permissions:
-  id-token: write
   contents: write
-  pages: write
 
 on:
   # Manual trigger
@@ -57,6 +55,8 @@ jobs:
     needs:
       - build-layer
     uses: ./.github/workflows/reusable_deploy_layer_stack.yml
+    permissions:
+      id-token: write
     with:
       stage: "BETA"
       artifact-name: "cdk-layer-artifact"
@@ -69,6 +69,8 @@ jobs:
     needs:
       - deploy-beta
     uses: ./.github/workflows/reusable_deploy_layer_stack.yml
+    permissions:
+      id-token: write
     with:
       stage: "PROD"
       artifact-name: "cdk-layer-artifact"
@@ -95,11 +97,9 @@ jobs:
   release-docs:
     needs: [ deploy-prod, prepare_docs_alias ]
     permissions:
-      contents: write
-      pages: write
       id-token: write
     secrets: inherit
-    uses: ./.github/workflows/reusable-publish-docs.yml
+    uses: ./.github/workflows/reusable_publish_docs.yml
     with:
       version: ${{ inputs.latest_published_version }}
       alias: ${{ needs.prepare_docs_alias.outputs.DOCS_ALIAS }}

Diff for: .github/workflows/rebuild_latest_docs.yml

@@ -28,7 +28,6 @@ permissions:
 jobs:
   release-docs:
     permissions:
-      actions: write # upload artifacts (for debugging issues with the docs build)
       id-token: write  # trade JWT token for AWS credentials in AWS Docs account
     secrets: inherit
     uses: ./.github/workflows/reusable_publish_docs.yml

Diff for: .github/workflows/reusable_publish_docs.yml

@@ -47,7 +47,6 @@ jobs:
     runs-on: ubuntu-latest
     environment: Docs
     permissions:
-      actions: write # upload artifacts (for debugging issues with the docs build)
       id-token: write  # trade JWT token for AWS credentials in AWS Docs account
     steps:
       - name: Checkout code