Fix release note generation by adding missing permissions

.github/chainguard/self.github.create-draft-release.sts.yaml

@@ -14,5 +14,6 @@ claim_pattern:
 permissions:
   contents: write
   issues: write
+  pull_requests: read
   statuses: read
   actions: read

.github/workflows/_create_draft_release.yml

@@ -40,12 +40,11 @@ jobs:
   create_draft_release:
     runs-on: ubuntu-latest
     environment: publish-debug-symbols-env
-    # These permissions need to map to the ones demanded in create_normal_draft_release.yml and create_hotfix_draft_release.yml
+    # All GitHub API access goes through the dd-octo-sts token; see
+    # .github/chainguard/self.github.create-draft-release.sts.yaml
     permissions:
-      contents: write # create release
-      actions: read # read secrets
-      issues: write # change milestones 
-      id-token: write  # enable GitHub OIDC token issuance for this job
+      contents: read # actions/checkout uses the workflow token to clone
+      id-token: write # required for dd-octo-sts OIDC and NuGet trusted publishing
     env:
       # Have to use external token with explicit workflow permissions because we are creating
       # a release from an arbitrary SHA. For "reasons", the built-in token does not _always_

.github/workflows/create_hotfix_draft_release.yml

@@ -28,12 +28,11 @@ jobs:
     create_hotfix_draft_release:
         needs: check_branch
         uses: ./.github/workflows/_create_draft_release.yml
-        # These permissions need to map to the ones demanded in _create_draft_release.yml
+        # All GitHub API access in the reusable workflow goes through the dd-octo-sts token; see
+        # .github/chainguard/self.github.create-draft-release.sts.yaml
         permissions:
-          contents: write # create release
-          actions: read # read secrets
-          issues: write # change milestones
-          id-token: write  # enable GitHub OIDC token issuance for this job
+          contents: read # actions/checkout uses the workflow token to clone
+          id-token: write # required for dd-octo-sts OIDC and NuGet trusted publishing
         with:
             forced_commit_id: ${{ inputs.forced_commit_id }}
             ignore_gitlab_failures: ${{ inputs.ignore_gitlab_failures }}

.github/workflows/create_normal_draft_release.yml

@@ -28,12 +28,11 @@ jobs:
     create_normal_draft_release:
         needs: check_branch
         uses: ./.github/workflows/_create_draft_release.yml
-        # These permissions need to map to the ones demanded in _create_draft_release.yml
+        # All GitHub API access in the reusable workflow goes through the dd-octo-sts token; see
+        # .github/chainguard/self.github.create-draft-release.sts.yaml
         permissions:
-          contents: write # create release
-          actions: read # read secrets
-          issues: write # change milestones 
-          id-token: write  # enable GitHub OIDC token issuance for this job
+          contents: read # actions/checkout uses the workflow token to clone
+          id-token: write # required for dd-octo-sts OIDC and NuGet trusted publishing
         with:
             forced_commit_id: ${{ inputs.forced_commit_id }}
             ignore_gitlab_failures: ${{ inputs.ignore_gitlab_failures }}