fix(ci): restore id-token permission and git credentials for release workflow

The CI hardening PRs (#1403, #1412) moved permissions from top-level to
job-level but dropped id-token:write, breaking npm OIDC trusted publishing.
Also restores persist-credentials for git tag push operations.

Co-Authored-By: Claude Opus 4.6 <[email protected]>

Author: sserrata

.github/workflows/release.yaml

@@ -23,11 +23,11 @@ jobs:
     if: ${{ github.repository == 'PaloAltoNetworks/docusaurus-openapi-docs' }}
     permissions:
       contents: write
+      id-token: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-          persist-credentials: false
       - run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
@@ -46,12 +46,12 @@ jobs:
     if: ${{ github.repository == 'PaloAltoNetworks/docusaurus-openapi-docs' && github.ref == 'refs/heads/main' }}
     permissions:
       contents: read
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-          persist-credentials: false
       - name: Check if packages changed
         id: packages_changed
         run: |