ci: grant id-token: write in reusable-workflow callers (CORE-687)

test-all-warehouses.yml and test-release.yml call test-warehouse.yml as
a reusable workflow. Per GitHub, id-token: write must be granted by the
calling workflow — declaring it only on the called workflow's job is
not sufficient. Add the permission to the relevant caller jobs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: haritamar

.github/workflows/test-all-warehouses.yml

@@ -78,6 +78,12 @@ jobs:
 
   test:
     needs: [check-fork-status, approve-fork]
+    permissions:
+      contents: read
+      # Required so the called test-warehouse.yml can mint an OIDC token to
+      # assume the AWS role; per GitHub, id-token: write must be granted by
+      # the calling workflow.
+      id-token: write
     if: |
       ! cancelled() &&
       needs.check-fork-status.result == 'success' &&

.github/workflows/test-release.yml

@@ -43,6 +43,12 @@ jobs:
           echo "dbt bumped: ${{ steps.bump-tag.outputs.dbt-bumped }}"
 
   validate-upgrade-cli:
+    permissions:
+      contents: read
+      # Required so the called test-warehouse.yml can mint an OIDC token to
+      # assume the AWS role; per GitHub, id-token: write must be granted by
+      # the calling workflow.
+      id-token: write
     strategy:
       fail-fast: false
       matrix: