docs: add id-token: write to caller workflow template

The reusable workflow's build-image and deploy-app jobs require
id-token: write for OIDC authentication. Callers must grant this
permission or GitHub Actions will reject the workflow.

Add id-token: write to the default caller workflow template in the
onboarding guide so all new integrations include it from the start.

Author: genesluna

docs/guides/onboarding-new-repo.md

@@ -147,6 +147,7 @@ permissions:
   packages: write
   pull-requests: write
   security-events: write
+  id-token: write    # Required by the reusable workflow for AWS OIDC authentication
 
 jobs:
   pr-environment: