I ran zizmor against this repo's workflows and got:
```
error[excessive-permissions]: overly broad workflow or job-level permissions
  --> /Users/bcotton/guacsec/guac-visualizer/.github/workflows/release.yaml:22:1
   |
22 | / permissions:
23 | |   actions: read # for detecting the Github Actions environment.
24 | |   packages: write # To publish container images to GHCR
25 | |   id-token: write # needed for signing the images with GitHub OIDC Token **not production ready**
   | |_________________________________________________________________________________________________^ packages: write is overly broad at the workflow level
   |

error[excessive-permissions]: overly broad workflow or job-level permissions
  --> /Users/bcotton/guacsec/guac-visualizer/.github/workflows/release.yaml:22:1
   |
22 | / permissions:
23 | |   actions: read # for detecting the Github Actions environment.
24 | |   packages: write # To publish container images to GHCR
25 | |   id-token: write # needed for signing the images with GitHub OIDC Token **not production ready**
   | |_________________________________________________________________________________________________^ id-token: write is overly broad at the workflow level
   |

error[template-injection]: code injection via template expansion
  --> /Users/bcotton/guacsec/guac-visualizer/.github/workflows/release.yaml:62:9
   |
62 |   - name: Build and publish image
   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
63 |     id: build_n_publish_image
64 |     run: |
   |  _________^
65 | |   #!/usr/bin/env bash
66 | |   set -euo pipefail
67 | |   pack build --env NODE_ENV=production ${IMAGE_URI}:${{ github.ref_name }} --builder ${BUILDER} --buildpack ${BUILDPACK} --p...
68 | |   echo "IMAGE_DIGEST=$(crane digest ${IMAGE_URI}:${{ github.ref_name }})" >> $GITHUB_OUTPUT
   | |___________________________________________________________________________________________________^ github.ref_name may expand into attacker-controllable code
   |

error[template-injection]: code injection via template expansion
  --> /Users/bcotton/guacsec/guac-visualizer/.github/workflows/release.yaml:62:9
   |
62 |   - name: Build and publish image
   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
63 |     id: build_n_publish_image
64 |     run: |
   |  _________^
65 | |   #!/usr/bin/env bash
66 | |   set -euo pipefail
67 | |   pack build --env NODE_ENV=production ${IMAGE_URI}:${{ github.ref_name }} --builder ${BUILDER} --buildpack ${BUILDPACK} --p...
68 | |   echo "IMAGE_DIGEST=$(crane digest ${IMAGE_URI}:${{ github.ref_name }})" >> $GITHUB_OUTPUT
   | |___________________________________________________________________________________________________^ github.ref_name may expand into attacker-controllable code
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/bcotton/guacsec/guac-visualizer/.github/workflows/release.yaml:41:9
   |
41 |   - name: Checkout code
   |  _________-
42 | |   uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # tag=v3
   | |________________________________________________________________________________- does not set persist-credentials: false
   |
```
This issue is just for the release workflow. #116 covers the CI workflow.
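A hardened version of the three flagged fragments, added here as an illustration and not taken from the guac-visualizer repository: the write grants move from the workflow level to the job that needs them, the ref name reaches the shell through an environment variable instead of template expansion, and checkout stops persisting its token. It assumes IMAGE_URI, BUILDER and BUILDPACK are set in the job's env as in the original, and the pack flags that zizmor's output truncates are left out.

```yaml
# Added example (not the repository's release.yaml): hardened form of the
# fragments zizmor flagged. Workflow-level block is read-only by default.
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    # Job-level grants replace the workflow-level packages/id-token writes,
    # so only this job can push to GHCR and mint an OIDC token.
    permissions:
      actions: read      # for detecting the GitHub Actions environment
      contents: read     # assumed: needed to check out the source
      packages: write    # to publish container images to GHCR
      id-token: write    # needed for signing the images with the GitHub OIDC token
    steps:
      - name: Checkout code
        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # tag=v3
        with:
          # Keep the GITHUB_TOKEN out of .git/config so a later artifact
          # upload of the workspace cannot persist it (zizmor's artipacked).
          persist-credentials: false

      - name: Build and publish image
        id: build_n_publish_image
        env:
          # ${{ }} is expanded into the script text before bash runs it, so a
          # ref name containing shell metacharacters would become code. Passed
          # as an environment variable it stays data: bash expands "$REF_NAME"
          # without re-parsing its contents.
          REF_NAME: ${{ github.ref_name }}
        run: |
          #!/usr/bin/env bash
          set -euo pipefail
          # Remaining pack flags from the original command are omitted here.
          pack build --env NODE_ENV=production "${IMAGE_URI}:${REF_NAME}" --builder "${BUILDER}" --buildpack "${BUILDPACK}"
          echo "IMAGE_DIGEST=$(crane digest "${IMAGE_URI}:${REF_NAME}")" >> "$GITHUB_OUTPUT"
```

Re-running zizmor on a file shaped like this clears the three finding classes above; quoting the variable expansions additionally keeps a ref name with spaces from splitting into extra arguments.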
funnelfiasco