ci: grant attestations:write on publish-webapp reusable-workflow call

Per GitHub Actions reusable-workflow semantics, the GITHUB_TOKEN passed to
a called workflow is at most the caller's job-level permissions. Without
this, actions/attest-build-provenance fails at runtime even though the
called workflow declares the scope.

Author: myftija

.github/workflows/publish.yml

@@ -68,6 +68,7 @@ jobs:
       contents: read
       packages: write
       id-token: write
+      attestations: write
     uses: ./.github/workflows/publish-webapp.yml
     secrets:
       SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}