Update release+publish workflows

Per aspect-build/rules_lint#508 on a tip from @alexeagle, resolves a
problem with passing `secrets.PUBLISH_TOKEN` through to the
`publish-to-bcr.yml` workflow.

In that pull request, Alex mentioned manually triggering a workflow run
based on the updated workflows, which generated an attestation:

- https://github.com/aspect-build/rules_lint/actions/runs/14095611671
- https://github.com/aspect-build/rules_lint/attestations/5857159

Here are some examples of GitHub's attestation UI in general:

- https://github.com/aspect-build/rules_lint/attestations

And some relevant GitHub docs:

- https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow
- https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#secrets-context
- https://docs.github.com/en/actions/sharing-automations/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow
- https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_callsecrets

Author: mbland

.github/workflows/publish-to-bcr.yml

@@ -8,6 +8,10 @@ on:
       tag_name:
         required: true
         type: string
+    secrets:
+      publish_token:
+        required: true
+
   # In case of problems, enable manual dispatch from the GitHub UI.
   workflow_dispatch:
     inputs:
@@ -28,4 +32,4 @@ jobs:
       id-token: write
     secrets:
       # Necessary to push to the BCR fork and open a pull request.
-      publish_token: ${{ secrets.PUBLISH_TOKEN }}
+      publish_token: ${{ secrets.publish_token }}

.github/workflows/release.yml

@@ -6,6 +6,7 @@ on:
   push:
     tags:
       - 'v*.*.*'
+
   # In case of problems, enable manual dispatch from the GitHub UI.
   workflow_dispatch:
     inputs:
@@ -16,24 +17,26 @@ on:
 # Based on the following, which uses the `release_ruleset` workflow to generate
 # provenance attestation files referenced by the `publish-to-bcr` workflow.
 # https://github.com/aspect-build/rules_lint/blob/v1.3.1/.github/workflows/release.yml
+
+permissions:
+  attestations: write # Needed to attest provenance
+  contents: write # Needed to create release
+  id-token: write # Needed to attest provenance
+
 jobs:
   release:
-    uses: bazel-contrib/.github/.github/workflows/[email protected]
+    uses: bazel-contrib/.github/.github/workflows/[email protected].0
     with:
       bazel_test_command: "bazel test //src/... //test/... //third_party/..."
       prerelease: false
       release_files: rules_scala-*.tar.gz
       release_prep_command: .github/workflows/workspace_snippet.sh
       tag_name: ${{ github.ref_name }}
-    permissions:
-      attestations: write # Needed to attest provenance
-      contents: write # Needed to create release
-      id-token: write # Needed to attest provenance
 
   publish-to-bcr:
     needs: release
     uses: ./.github/workflows/publish-to-bcr.yml
     with:
       tag_name: ${{ github.ref_name }}
-    permissions:
-      contents: write # allow appending new attestation files to the release
+    secrets:
+      publish_token: ${{ secrets.PUBLISH_TOKEN }}