
Allow 'write' permission to dispatch the VS Code extension release workflow #17734

Closed
adamint wants to merge 1 commit into microsoft:main from adamint:fix/extension-release-allow-write

Conversation

@adamint
Member

adamint commented May 30, 2026

Problem

The extension-release.yml authorization gate (added in #15766) required admin or maintain permission:

if [[ "$PERMISSION" != "admin" && "$PERMISSION" != "maintain" ]]; then
  echo "ERROR: User ${ACTOR} does not have sufficient permissions."
  exit 1
fi

But on microsoft/aspire nobody holds maintain/admin; write is the highest level granted to contributors. As written, the workflow is undispatchable by anyone. A real dispatch fails at step 1:

User permission level: write
ERROR: User adamint does not have sufficient permissions.
Required: 'admin' or 'maintain'.  Current: 'write'

(Observed live: run 26692032713 — failed at the authorization step, no branch/PR created.)

Fix

Accept write and above, matching the repo's other human-dispatched contributor-gated workflows — apply-test-attributes.yml and backport.yml both allow ['admin', 'write'].

Why not match release-github-tasks.yml (admin/maintain)?

That workflow keeps the stricter gate because it is dispatched by the aspire-repo-bot GitHub App (AzDO chained dispatch), which bypasses the human permission check entirely. extension-release.yml is human-dispatched (a contributor decides to prepare an extension release PR), so it must accept write.

Testing

The authorization gate required 'admin' or 'maintain', but on microsoft/aspire
nobody holds those levels — 'write' is the highest permission granted to
contributors. As written, the gate made extension-release.yml undispatchable by
anyone (a real dispatch by a write-level maintainer fails at step 1). Accept
'write' and above, matching the repo's other contributor-gated workflows
(apply-test-attributes.yml and backport.yml both allow ['admin', 'write']).

The separate AzDO release pipeline (release-github-tasks.yml) intentionally
keeps the admin/maintain gate because it is dispatched by the aspire-repo-bot
GitHub App (which bypasses the human check); extension-release.yml is
human-dispatched, so it must accept 'write'.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
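The gate the PR discusses, reduced to a standalone shell function so the before/after behaviour can be run locally. This is an added example, not the aspire workflow's own code: the role names (admin, maintain, write, triage, read) are GitHub's repository roles, but the rank ordering, the function names and the "minimum role" form of the check are this example's own generalization of the page's literal allow-lists (['admin', 'write'] and admin/maintain). The permission string is assumed to arrive from an earlier workflow step, exactly as the ${ACTOR} / ${PERMISSION} variables in the quoted snippet.

```shell
#!/usr/bin/env bash
# Added example (not the aspire workflow's own code): the dispatch
# authorization gate as a function, in the "accept <role> and above" form.
# Role names are GitHub's; the ranks and helper names are assumptions of
# this example.
set -u

# Rank of a GitHub repository role, highest first. Unknown roles rank 0,
# so a typo or an unexpected API value is denied rather than allowed.
permission_rank() {
  case "$1" in
    admin)    echo 5 ;;
    maintain) echo 4 ;;
    write)    echo 3 ;;
    triage)   echo 2 ;;
    read)     echo 1 ;;
    *)        echo 0 ;;
  esac
}

# "Accept <role> and above": compare ranks instead of string-matching a
# fixed list, so a gate written as "maintain or above" cannot accidentally
# exclude admin, and "write or above" reads as the policy it means.
# Usage: permission_at_least <actual> <minimum>  -> exit 0 when allowed
permission_at_least() {
  [ "$(permission_rank "$1")" -ge "$(permission_rank "$2")" ]
}

# The gate as a workflow step would run it. Prints messages in the shape the
# PR quotes, and returns non-zero on denial instead of calling exit so the
# function can be exercised from a test harness.
# $1 = actor login, $2 = actor's permission level, $3 = minimum role required
authorize_dispatch() {
  local actor="$1" permission="$2" minimum="$3"
  echo "User permission level: ${permission}"
  if ! permission_at_least "$permission" "$minimum"; then
    echo "ERROR: User ${actor} does not have sufficient permissions."
    echo "Required: '${minimum}' or above.  Current: '${permission}'"
    return 1
  fi
  echo "User ${actor} is authorized to dispatch."
  return 0
}

# Constructed scenario from the PR: a write-level contributor dispatches.
# Before the fix the minimum was maintain (denied); after it is write (allowed).
authorize_dispatch adamint write maintain || true
authorize_dispatch adamint write write
```

Because the comparison is by rank, the same function covers the repo's other gates: passing `write` as the minimum is equivalent to the `['admin', 'write']` list used by apply-test-attributes.yml and backport.yml (plus maintain, which that list omits), and passing `maintain` is the stricter release-github-tasks.yml policy.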
Copilot AI review requested due to automatic review settings May 30, 2026 18:55
@github-actions
Contributor

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 17734

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 17734"

@adamint adamint requested review from davidfowl, joperezr and radical May 30, 2026 18:57
Contributor

Copilot AI left a comment


Pull request overview

This PR updates the VS Code extension release workflow authorization gate so repository contributors with write permission can manually dispatch the release-preparation workflow.

Changes:

  • Allows write permission in addition to maintain and admin.
  • Updates the authorization error message and inline comment to match the new permission policy.

@adamint
Member Author

adamint commented May 30, 2026

Follow-up to #15766, surfaced while trying to run the first real release end-to-end.

@davidfowl noted that nobody on this repo holds maintain/admin — so the extension-release.yml gate (admin/maintain only) blocks everyone. Confirmed live: dispatching as a write-level contributor failed at the authorization step (run 26692032713, no branch/PR created).

This PR relaxes the gate to write+ (matching apply-test-attributes.yml / backport.yml). Once merged, a write-level contributor can dispatch the real release, which is also the only way to exercise the agentic extension-changelog workflow end-to-end (fork/PR runs can't, as discussed on #15766).

@adamint adamint closed this May 30, 2026
@microsoft-github-policy-service microsoft-github-policy-service Bot added this to the 13.5 milestone May 30, 2026