Please document that trigger-argo-workflow needs id-token: write

[mem]

Please document the fact that the trigger-argo-workflow action needs id-token: write permission because it reaches out to vault in order to obtain a token, and that happens using OIDC.

I think it also needs contents: read, because it's using the setup-go action to obtain the Go binary (in order to figure out the OS and architecture where it's running), and that tries to read go.mod to figure out which Go version it needs to download, which is why trigger-argo-workflow is checking out the code for the repo.

[mem]

Just for reference, before adding id-token: write to the job, the action was erroring out with:

Error: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable

After adding the permission that went away.

[dblinkhorn]

Hi @mem, can you share the PR where you ran into these permissions issues?

[mem]

Sorry @dblinkhorn, I missed the notification, and now I don't have an example handy. I'll try to dig it up.