cargo-dist
CI: Support configuration of CI permissions (without `allow-dirty`)
I'm attempting to integrate a custom job into the `cargo-dist` CI workflow to build a docker container and push it to GHCR. I was able to do this without `allow-dirty` right up to the need to authenticate with the container registry, at which point I had to get the `packages: write` permission on the `GITHUB_TOKEN`. Requesting more permissions in a child workflow than are available in the parent workflow leads to errors like:

```
The nested job 'docker' is requesting 'packages: write', but is only allowed 'packages: none'.
```

I'm not sure how far it makes sense for `cargo-dist` to manage CI configuration, but it "feels bad" to turn on `allow-dirty`.
Hey! We specifically do give the `packages: write` permission to custom-publish-jobs (as opposed to custom-build-jobs). Docker images are really annoying because nothing fundamentally prevents building and publishing being split up... random features of docker buildx are just broken if you do :(
So if you can move this to publish, or perhaps do it once in build (and throw out the results) and then once in publish (and use the results), that could work? We were looking a lot into this a few months back and got Very frustrated with docker's limitations here.
Aha, I didn't notice that. I'll try to have a look into doing it that way at some point. My `Dockerfile` is trivially copying in binaries built by `cargo-dist` so putting it all in publish should be reasonable.
Oh we landed this a release or two ago!
https://opensource.axo.dev/cargo-dist/book/reference/config.html#github-custom-job-permissions