trigger_deploy.yml: fix permissions and allow empty value for digest

.github/workflows/trigger_deploy.yml

@@ -16,7 +16,7 @@ on:
           - staging
           - production
       digest:
-        required: true
+        required: false
         description: The image digest to pass to the deploy job.
         type: string
   workflow_call:
@@ -25,12 +25,16 @@ on:
         required: true
         type: string
       digest:
-        required: true
+        required: false
         type: string
       environment:
         required: true
         type: string
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   trigger_deploy:
     runs-on: ubuntu-latest
@@ -44,6 +48,7 @@ jobs:
           role-to-assume: ${{ vars.AWS_ROLE_ARN }}
 
       - name: Push Image Digest to SSM
+        if: ${{ inputs.digest != '' }}
         run: |
           aws ssm put-parameter \
             --name "/apps/${{ inputs.app_name }}/${{ inputs.environment }}/image_digest" \