fix(ci): use GITHUB_TOKEN for semantic-release and harden workflow permissions

Replace secrets.PAT with secrets.GITHUB_TOKEN in publish.yml so
semantic-release can comment on PRs/issues using the built-in token
scoped by job-level permissions.

Set top-level permissions to empty object across all workflows to
follow the principle of least privilege, relying on job-level
permissions blocks instead.

.github/workflows/sync-labels.yml

@@ -20,7 +20,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: read-all
+permissions: {}
 
 jobs:
   labels: