chore(ci): declare explicit permissions for read-default rollout

The publish-clm.yaml and publish-scaffold.yaml workflows upload release
binaries via curl using the default GITHUB_TOKEN. Once the org-wide flip
to read-default GITHUB_TOKEN lands, the asset upload requests will 403
unless the workflows explicitly declare contents: write.

This narrows the token's effective scope (was implicit write-everything;
becomes contents:write only) without changing happy-path behavior.

Author: zdenko-kovac

.github/workflows/publish-clm.yaml

@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: write
+
 defaults:
   run:
     shell: bash

.github/workflows/publish-scaffold.yaml

@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: write
+
 defaults:
   run:
     shell: bash