chore(ci): add explicit GITHUB_TOKEN permissions to workflows

[jdichev]

Prepare for the upcoming read-only default GITHUB_TOKEN enforcement by declaring minimum required permissions in all workflows.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[kineticjs]

btw when i ran agent review, it suggested to add one more permission:

Issue: missing pull-requests: write on release.yml

Why:
The release workflow’s last step runs the custom bump-version action, which:

Pushes a branch (git push)
Creates a PR via gh pr create --fill
await exec.exec('git', ['push', '-u', 'origin', bump-version-${version}]);
await exec.exec('gh', ['pr', 'create', '--fill']);
gh pr create requires pull-requests: write. With only contents: write, the release and asset upload may succeed, but bump-version will fail when creating the PR.

See file @.github/actions/bump-version/index.js:28

Suggested fix for release.yml:

permissions:
  contents: write
  pull-requests: write