GitHub Actions deploy function app to Azure deployment slot

The YAML template that Azure generates when you create a deployment slot on a Function App (presumably any App Service) is wrong.

It needs these additions:

permissions:
  contents: read
  packages: write
  id-token: write # This is required for requesting the JWT

Also, Azure apparently generates a user-assigned managed identity automatically, but OIDC access from GitHub to Azure seems to require a service principal.

Create a service principal and assign it to the app
https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal

Connect GitHub Actions
https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux
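
How the permissions block and the service principal fit together in one workflow, as an added example that is not the Azure-generated template. The app name, slot name, branch and secret names are placeholders (assumptions); the secrets hold the service principal's client ID, tenant ID and subscription ID.

```yaml
# Added example, not the Azure-generated template.
# App name, slot name, branch and secret names are placeholders (assumptions).
name: Deploy Function App to slot

on:
  push:
    branches: [main]
  workflow_dispatch:

# Token permissions for the workflow, as listed in the note above.
permissions:
  contents: read
  packages: write
  id-token: write # lets the job request the OIDC JWT from GitHub

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # No client secret is stored. azure/login exchanges the GitHub OIDC
      # token for an Azure token through the federated credential configured
      # on the service principal's app registration.
      - name: Log in to Azure with OIDC
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # slot-name targets the deployment slot instead of production.
      - name: Deploy to the slot
        uses: Azure/functions-action@v1
        with:
          app-name: my-function-app # placeholder
          slot-name: staging        # placeholder
          package: .
```

The federated credential on the app registration has to match the subject GitHub puts in the token, for example `repo:<org>/<repo>:ref:refs/heads/main` for a push to main. Keep that subject as narrow as the workflow allows, and scope the service principal's role assignment to the Function App rather than the whole subscription.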