fix: grant packages: read to ci caller job in release workflow #31

Merged: Nitr4x merged 1 commit into main from copilot/fix-workflow-security-permissions on Apr 11, 2026

Copilot AI commented Apr 11, 2026

Contributor

Description

When release.yml calls ci.yml via workflow_call, the called workflow's jobs cannot exceed the permissions granted by the caller. The ci job in release.yml only declared contents: read, leaving packages at the implicit none — blocking the nested security job in ci.yml which requires packages: read.

Change:

  • .github/workflows/release.yml: added packages: read to the ci job's permissions block

# before
permissions:
  contents: read

# after
permissions:
  contents: read
  packages: read

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that causes existing functionality to change)
  • Documentation update
  • Refactor / code cleanup
  • CI / build change

How Has This Been Tested?

Workflow validation — the error was a static permissions inheritance violation caught by GitHub's workflow validator. No application code changed.

Checklist

  • My code follows the project's coding standards (go vet ./... passes)
  • I have run the existing test suite and all tests pass (go test ./...)
  • I have added or updated tests that cover my changes
  • I have updated documentation where relevant (README, comments, etc.)
  • I have not introduced new secrets, credentials, or sensitive data
  • My changes do not break backward compatibility (or I have documented breaking changes above)

Screenshots / Output (if applicable)

N/A
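
The permission ceiling described in this PR, as an added example that is not part of the PR or the repository's code: a small Python check that compares what each job in a called workflow requests against what the calling job grants. Only the security job's packages: read requirement and the before/after caller permissions come from the description above; the function names, the test job and the other scopes are constructed for illustration.

```python
# Added example: not code from this repository.
# Token permission levels, lowest to highest.
LEVELS = {"none": 0, "read": 1, "write": 2}


def granted(perms, scope):
    """Access level that a `permissions:` value grants for one scope."""
    if isinstance(perms, str):  # shorthand forms: read-all / write-all
        return {"read-all": "read", "write-all": "write"}[perms]
    # In an explicit mapping, every scope that is not listed is `none`.
    return perms.get(scope, "none")


def find_violations(caller_perms, called_jobs):
    """Return (job, scope, requested, allowed) for every scope a called
    job requests above what the calling job grants."""
    out = []
    for job, perms in called_jobs.items():
        for scope, requested in perms.items():
            allowed = granted(caller_perms, scope)
            if LEVELS[requested] > LEVELS[allowed]:
                out.append((job, scope, requested, allowed))
    return out


# Constructed stand-in for the jobs in ci.yml. Assumption: each called job
# declares its permissions as an explicit mapping.
CI_JOBS = {
    "test": {"contents": "read"},
    "security": {"contents": "read", "packages": "read"},
}
# Permissions of the `ci` caller job in release.yml, per the PR description.
BEFORE = {"contents": "read"}
AFTER = {"contents": "read", "packages": "read"}

if __name__ == "__main__":
    for label, perms in (("before", BEFORE), ("after", AFTER)):
        print(label, find_violations(perms, CI_JOBS))
```

Running the same comparison over every `uses:` caller job in a repository catches this class of error before the workflow is pushed, and it also shows when a caller grants more than any called job requests.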

@Nitr4x Nitr4x marked this pull request as ready for review April 11, 2026 14:51
@Nitr4x Nitr4x merged commit f5820ff into main Apr 11, 2026
2 checks passed
@Nitr4x Nitr4x deleted the copilot/fix-workflow-security-permissions branch April 11, 2026 14:51
2 participants