ci(deploy): document why id-token: write is kept at job level

Annotate the permissions blocks with the reason the job needs
id-token: write (actions/attest-build-provenance obtains a Sigstore
OIDC token). The build jobs also note that the narrower-blast-radius
refactor — splitting attestation into a dedicated job — was
considered and rejected as disproportionate.

Author: claude

.github/workflows/deploy.yaml

@@ -66,6 +66,9 @@ jobs:
 
     permissions:
       contents: read
+      # Needed by actions/attest-build-provenance to request a Sigstore OIDC token.
+      # Kept at job level rather than split into a dedicated attest job — the
+      # narrower-blast-radius refactor was judged disproportionate here; see PR #387.
       id-token: write
       attestations: write
 
@@ -113,6 +116,9 @@ jobs:
 
     permissions:
       contents: read
+      # Needed by actions/attest-build-provenance to request a Sigstore OIDC token.
+      # Kept at job level rather than split into a dedicated attest job — the
+      # narrower-blast-radius refactor was judged disproportionate here; see PR #387.
       id-token: write
       attestations: write
 
@@ -159,6 +165,9 @@ jobs:
 
     permissions:
       contents: read
+      # Needed by actions/attest-build-provenance to request a Sigstore OIDC token.
+      # Kept at job level rather than split into a dedicated attest job — the
+      # narrower-blast-radius refactor was judged disproportionate here; see PR #387.
       id-token: write
       attestations: write
 
@@ -250,6 +259,7 @@ jobs:
 
     permissions:
       contents: write
+      # Needed by actions/attest-build-provenance to request a Sigstore OIDC token.
       id-token: write
       attestations: write
 
@@ -397,6 +407,7 @@ jobs:
 
     permissions:
       contents: write
+      # Needed by actions/attest-build-provenance to request a Sigstore OIDC token.
       id-token: write
       attestations: write