Fix release workflow permissions for CI reusable workflow call

The top-level permissions block in release.yml was capping permissions
to `contents: read`, which blocked the called ci.yml workflow from
requesting `actions: read` and `security-events: write` needed for
CodeQL scanning.

Change-Type: ci
Release-Note: no
Audience: internal
Impact: none
Breaking: false
Co-Authored-By: Claude <noreply@anthropic.com>

Author: dopey

.github/workflows/release.yml

@@ -8,6 +8,8 @@ on:
 
 permissions:
   contents: read
+  actions: read
+  security-events: write
 
 jobs:
   ci: