fix(ci): use GITHUB_TOKEN for semantic-release and harden workflow permissions

Replace secrets.PAT with secrets.GITHUB_TOKEN in publish.yml so
semantic-release can comment on PRs/issues using the built-in token
scoped by job-level permissions.

Set top-level permissions to empty object across all workflows to
follow the principle of least privilege, relying on job-level
permissions blocks instead.

.github/workflows/pr-lint.yml

@@ -10,7 +10,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: read-all
+permissions: {}
 
 env:
   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}