In GitHub Actions it’s possible to remove all permissions from the GITHUB_TOKEN at the workflow level (`permissions: {}`) and then grant only the scopes each job actually needs at the job level:
name: Release
permissions: {} # Workflow level: no token scopes at all; jobs inherit this unless they declare their own block
on:
  push:
    branches:
      - main
jobs:
  release:
    permissions: # Job level: only the scopes this job needs; any scope not listed here stays `none`
      contents: write
      packages: write
      id-token: write
    runs-on: ubuntu-latest # Runner and a minimal step, added so the job is valid
    steps:
      - uses: actions/checkout@v4
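To see what the two-level layout actually buys, the following added example (not code from the original post) computes the effective GITHUB_TOKEN scopes per job under GitHub's rules and lists the write grants a reviewer has to justify; the `lint` job and the `repo_default` switch are constructed for illustration.

```python
# GitHub's rules, as applied here: a job-level `permissions` block replaces the
# workflow-level one (it does not merge), every scope not listed becomes `none`,
# jobs without their own block inherit the workflow-level block, and a workflow
# with no block falls back to the repository default.
SCOPES = [
    "actions", "attestations", "checks", "contents", "deployments",
    "discussions", "id-token", "issues", "packages", "pages",
    "pull-requests", "repository-projects", "security-events", "statuses",
]
# Repository defaults (Settings > Actions > General > Workflow permissions).
RESTRICTED_DEFAULT = {"contents": "read", "packages": "read"}
PERMISSIVE_DEFAULT = {s: "none" if s == "id-token" else "write" for s in SCOPES}


def expand(block):
    """Turn one `permissions:` value into a complete scope -> level map."""
    if block == "read-all":
        return {s: "read" for s in SCOPES}
    if block == "write-all":
        return dict(PERMISSIVE_DEFAULT)
    # A mapping, including the empty `{}`: unlisted scopes are `none`.
    return {s: block.get(s, "none") for s in SCOPES}


def effective_permissions(workflow, job_name, repo_default="restricted"):
    """Scopes the GITHUB_TOKEN actually carries when `job_name` runs."""
    job = workflow["jobs"][job_name]
    if "permissions" in job:
        return expand(job["permissions"])
    if "permissions" in workflow:
        return expand(workflow["permissions"])
    default = RESTRICTED_DEFAULT if repo_default == "restricted" else PERMISSIVE_DEFAULT
    return expand(default)


def write_scopes(workflow, job_name, repo_default="restricted"):
    """The write grants a reviewer should justify for this job."""
    perms = effective_permissions(workflow, job_name, repo_default)
    return sorted(s for s, level in perms.items() if level == "write")


# Constructed sample: the workflow above as a dict (no YAML parser needed),
# plus a `lint` job that declares no permissions of its own.
RELEASE_WORKFLOW = {
    "name": "Release",
    "permissions": {},
    "on": {"push": {"branches": ["main"]}},
    "jobs": {
        "release": {"permissions": {"contents": "write", "packages": "write", "id-token": "write"}},
        "lint": {"runs-on": "ubuntu-latest"},
    },
}
```

With the workflow-level `permissions: {}` in place, `lint` ends up with no scopes at all; remove that line and the same job silently inherits the repository default, which on a permissive repository means write on nearly everything.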