ci: declare permissions on release workflow

[arpitjain099]

The Release workflow runs changesets/action@v1, which on push to main/spectrum-two either opens a "Release PR" (when there are unreleased changesets) or publishes packages to npm (when a release is being landed). Both paths use the workflow's GITHUB_TOKEN -- the action needs contents: write to push the release commit / tag and pull-requests: write to open and update the release PR.

This patch sets that minimum at workflow scope, matching the explicit permission blocks already declared by build.yml (contents: read, pull-requests: write), publish-site.yml (same shape), release-snapshot.yml (per-job contents: write, id-token: write), and the rest of the hardened workflows here. With it set:

• the workflow token can't be widened by a future change to the repo default
• the SLSA / OpenSSF Scorecard Token-Permissions check passes for this file
• if changesets/action or any reachable third-party action is ever compromised (cf. tj-actions/changed-files CVE-2025-30066), the explicit scope keeps it inside the contents + pull-requests boundary rather than whatever the default grants

The npm publish path uses NPM_TOKEN (external secret), so the workflow token doesn't need packages: scope for that.

No behavioural change.

[changeset-bot]

⚠️ No Changeset found

Latest commit: c9d4cbc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR