The new code scanner is complaining that actions have permissions to
do too much. It wasn't obvious to me what permissions the jobs need,
but let's see how this works.
My attempt at using rust-build/rust-build.action for release builds
(from bf21e65c5d) initially seemed promising. However, the produced
musl binary build segfaulted on my Debian machine. I don't know about
the Mac and Windows binaries. I then tried switching to building with
a vendored OpenSSL (cac93e2793), but then the build started failing
(https://github.com/martinvonz/jj/actions/runs/1978730621). I couldn't
figure out why it failed, so I decided to do the build in a more
manual way (without rust-build/rust-build.action), based on
https://github.com/gitext-rs/git-stack/blob/main/.github/workflows/post-release.yml
(thanks to @epage for the example and to @arxanas for the link). I
could simplify it a bit because I'm currently doing the releases via
the GitHub UI (epage's original triggers the release when a tag has
been pushed, IIUC). Let's hope that it works this time.
