Fix GitHub Actions workflow permissions

In contrast to DT v4.x, we're currently publishing our images to ghcr.io instead of Docker Hub. For this, we need the `package: write` permission.

Further, port DependencyTrack/dependency-track@ba51b5c.

Signed-off-by: nscuro <[email protected]>

.github/workflows/_meta-build.yaml

@@ -59,6 +59,7 @@ jobs:
   build-container:
     runs-on: ubuntu-latest
     permissions:
+      packages: write # Required to push images to ghcr.io
       security-events: write # Required to upload trivy's SARIF output
     needs:
       - build-java

.github/workflows/ci-build.yaml

@@ -25,6 +25,7 @@ jobs:
       app-version: "snapshot"
       publish-container: ${{ github.ref == 'refs/heads/main' }}
     permissions:
+      packages: write # Required to push images to ghcr.io
       security-events: write # Required to upload trivy's SARIF output
     secrets:
       registry-0-usr: ${{ github.repository_owner }}

.github/workflows/ci-publish.yaml

@@ -39,6 +39,7 @@ jobs:
       app-version: ${{ needs.read-version.outputs.version }}
       publish-container: true
     permissions:
+      packages: write # Required to push images to ghcr.io
       security-events: write # Required to upload trivy's SARIF output
     secrets:
       registry-0-usr: ${{ github.repository_owner }}

.github/workflows/ci-release.yaml

@@ -38,6 +38,10 @@ jobs:
 
   create-release:
     runs-on: ubuntu-latest
+    permissions:
+      # Required for pushing changes via git command (rather than via GitHub API).
+      # TODO: Use bot credentials for git, or rewrite the "Commit Version" step to use API instead.
+      contents: write
     needs:
       - prepare-release