fix: workflow permissions

Author: edisile

.github/workflows/deploy.yaml

@@ -5,6 +5,14 @@ on:
     branches:
       - main
       - staging
+  workflow_call:
+    inputs:
+      environment:
+        description: 'Environment (Production, Staging or Staging API)'
+        required: true
+        type: string
+        # default value is invalid, this will stop the workflow if a wrong input is provided
+        default: "_"
   workflow_dispatch:
     inputs:
       environment:
@@ -63,10 +71,14 @@ jobs:
     # we will dispatch another copy of this workflow to deploy the Staging API env; we invoke the workflow
     # with an input, so `github.event.inputs.environment` won't be "" and the `if` condition above will be
     # false, thus there won't be a recursive loop
-    uses: canonical/snapcraft.io/.github/workflows/deploy.yaml@main
+    uses: canonical/snapcraft.io/.github/workflows/deploy.yaml@staging
+    permissions:
+      contents: read
+      deployments: write
+      packages: write
     with:
       environment: Staging API
     secrets:
       VAULT_APPROLE_ROLE_ID: ${{ secrets.VAULT_APPROLE_ROLE_ID }}
       VAULT_APPROLE_SECRET_ID: ${{ secrets.VAULT_APPROLE_SECRET_ID }}
-      CHARMHUB_TOKEN: ${{ secrets.CHARMHUB_TOKEN }}
+      CHARMHUB_TOKEN: ${{ secrets.CHARMHUB_TOKEN }}