Allow callers to control workflow permissions

.github/workflows/build-and-upload.yml

@@ -29,9 +29,8 @@ on:
         default: true
         type: boolean
 
-permissions:
+# Permissions are intentionally omitted here so callers can choose
-  id-token: write
+# least-privilege (e.g. dev CI uses read-only; releases grant write).
-  contents: write
 
 env:
   NODE_VERSION: 20