ci: reduce workflow-level permissions to least privilege

semantic-release uses the GitHub App token for all write operations,
so the workflow's default GITHUB_TOKEN only needs id-token (OIDC
provenance), packages (GitHub Packages publish), and contents read
(for the CI validation workflow to checkout the repository).

Author: rfgamaral

.github/workflows/publish-package-release.yml

@@ -13,12 +13,8 @@ permissions:
     id-token: write
     # Enable the use of GitHub Packages registry
     packages: write
-    # Enable `semantic-release` to publish a GitHub release and push commits
-    contents: write
-    # Enable `semantic-release` to post comments on issues
-    issues: write
-    # Enable `semantic-release` to post comments on pull requests
-    pull-requests: write
+    # Enable the CI validation workflow to checkout the repository
+    contents: read
 
 # The release workflow involves many crucial steps that once triggered shouldn't be cancelled until
 # finished, otherwise we might end up in an inconsistent state (e.g., published to GitHub Packages