ci: fix release-please permissions (#70)

This grants the release-please workflow the correct permissions
(hopefully) for executing the publish docs / packages steps.

More critically, it sets the `target-branch` on the `release-please`
action, which is necessary for the workflow to succeed when run from a
workflow_dispatch call.

Author: cwaldren-ld

.github/workflows/release-please.yml

@@ -6,16 +6,16 @@ on:
     branches:
       - main
 
+
 jobs:
   rockspec-info:
     uses: ./.github/workflows/rockspec-info.yml
 
   release-please:
     runs-on: ubuntu-latest
-
     permissions:
-      contents: write # Contents and pull-requests are for release-please to make releases.
-      pull-requests: write
+      pull-requests: write # Needed to create the release PR
+      contents: write # Needed to generate the release
 
     outputs:
       release_created: ${{ steps.release.outputs.release_created }}
@@ -26,6 +26,7 @@ jobs:
         id: release
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          target-branch: ${{ github.ref_name }}
 
   update-release-pr:
     needs: release-please
@@ -46,6 +47,8 @@ jobs:
           branch: ${{ needs.release-please.outputs.pr_branch_name }}
 
   publish-docs:
+    permissions:
+      contents: write # Needed to publish to Github Pages
     needs: release-please
     if: ${{ needs.release-please.outputs.release_created == 'true' }}
     runs-on: ubuntu-latest
@@ -60,6 +63,9 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
 
   publish-server:
+    permissions: # Needed for access to the LuaRocks token
+      id-token: write
+      contents: read
     needs: [release-please, rockspec-info]
     if: ${{ needs.release-please.outputs.release_created == 'true' }}
     runs-on: ubuntu-latest
@@ -77,6 +83,9 @@ jobs:
         rockspec: ${{ fromJSON(needs.rockspec-info.outputs.info).server }}
 
   publish-redis:
+    permissions: # Needed for access to the LuaRocks token
+      id-token: write
+      contents: read
     needs: [ publish-server, rockspec-info ]
     runs-on: ubuntu-latest
     steps: