fix: add pull-requests: write permission to merge-to-main job (#213)

The `merge-to-main` job was failing because `GITHUB_TOKEN` lacked
`pull-requests: write`, causing `gh pr create` to be rejected with
`GraphQL: Resource not accessible by integration (createPullRequest)`.

## Change

- Added job-level `permissions` block to `merge-to-main` with
`pull-requests: write` and `contents: read`, scoped only to the job that
needs it rather than elevating the entire workflow.

```yaml
merge-to-main:
  ...
  permissions:
    pull-requests: write
    contents: read
```

Author: Copilot

.github/workflows/release.yml

@@ -277,6 +277,9 @@ jobs:
     needs: [workflow-variables, release, versioning]
     if: ${{ needs.workflow-variables.outputs.is-release == 'true' }}
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: read
     env:
       GH_TOKEN: ${{ github.token }}
       current-branch: ${{ github.ref_name }}