[ci] Explicitly declare permissions and limit credentials (#15324)

Authored by: bashonly

.github/workflows/release-master.yml

@@ -14,28 +14,28 @@ on:
       - ".github/workflows/release-master.yml"
 concurrency:
   group: release-master
-permissions:
-  contents: read
+
+permissions: {}
 
 jobs:
   release:
     if: vars.BUILD_MASTER
+    permissions:
+      contents: write
+      id-token: write  # mandatory for trusted publishing
     uses: ./.github/workflows/release.yml
     with:
       prerelease: true
       source: ${{ (github.repository != 'yt-dlp/yt-dlp' && vars.MASTER_ARCHIVE_REPO) || 'master' }}
       target: 'master'
-    permissions:
-      contents: write
-      id-token: write  # mandatory for trusted publishing
     secrets: inherit
 
   publish_pypi:
     needs: [release]
     if: vars.MASTER_PYPI_PROJECT
-    runs-on: ubuntu-latest
     permissions:
       id-token: write  # mandatory for trusted publishing
+    runs-on: ubuntu-latest
     steps:
       - name: Download artifacts
         uses: actions/download-artifact@v7