fix(ci): harden workflow permissions and use GITHUB_TOKEN for releases (#109)

Replace overly broad top-level permissions (read-all) with empty
defaults and declare minimal job-level permissions. Switch publish
workflow from secrets.PAT to secrets.GITHUB_TOKEN so semantic-release
can comment on PRs and issues.

.github/workflows/sync-labels.yml

@@ -20,7 +20,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions: read-all
+permissions: {}
 
 jobs:
   labels: