Allow specifying permissions for the safe-outputs job #18684
Description
This PR introduced a way to specify steps for the safe-outputs job: #18460
However, running steps as part of the safe-outputs that would require specific permissions (for example id-token: write) is not possible because the permissions config is only being applied to the agent job and there's no way to specify additional permissions for the safe-outputs job.