chore: harden GITHUB_TOKEN permissions on internal workflows (#526)

Scope the workflow runner token to least privilege:
- bump-gitstream-core.yml: permissions: {} (uses PAT, not GITHUB_TOKEN)
- create-tag-on-merge.yml: contents: write + pull-requests: read

Follows https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/

Author: MishaKav

.github/workflows/bump-gitstream-core.yml

@@ -25,6 +25,8 @@ on:
         description: GitHub username to assign as reviewer
         required: false
 
+permissions: {}
+
 jobs:
   publish_pr:
     name: Publish PR

.github/workflows/create-tag-on-merge.yml

@@ -15,6 +15,10 @@ on:
 env:
   SLACK_WEBHOOK: ${{ secrets.SLACK_WORKFLOWS_DEPLOYMENT_WEBHOOK }}
 
+permissions:
+  contents: write
+  pull-requests: read
+
 jobs:
   create-tag:
     runs-on: ubuntu-24.04