
ci: add explicit permissions to GitHub Actions workflows #1792

Merged: vdusek merged 1 commit into master from ci/add-explicit-permissions-to-workflows on Mar 13, 2026

@vdusek vdusek commented Mar 13, 2026

Summary

  • Adds explicit `permissions` blocks to all 9 workflow files (addressing all CodeQL "Workflow does not contain permissions" security alerts).
  • Follows the principle of least privilege: `contents: read` as the default, with elevated permissions only on jobs that need write access (releases, changelog updates, docs deployment).
  • Pre-existing permissions on `pypi_publish` and `_release_docs.yaml` jobs are preserved.
  • Same as ci: add explicit permissions to GitHub Actions workflows apify-client-python#614.

Test plan

  • Verify CI passes on this PR (code checks, tests, doc checks)
  • Verify release workflows still work correctly (can be validated on next release)
  • Confirm CodeQL alerts are resolved after the next run of CodeQL checks

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@vdusek vdusek added t-tooling Issues with this label are in the ownership of the tooling team. adhoc Ad-hoc unplanned task added during the sprint. labels Mar 13, 2026
@vdusek vdusek self-assigned this Mar 13, 2026
@github-actions github-actions bot added this to the 136th sprint - Tooling team milestone Mar 13, 2026
@vdusek vdusek requested a review from Pijukatel March 13, 2026 08:22
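
An added example, not part of this pull request or the project's code: a small audit that lists jobs covered by neither a workflow-level nor a job-level `permissions` key, run over a constructed "before" and "after" workflow. The function name, the job names `changelog` and `tests`, and the line-based parsing (an approximation that assumes conventional block-style YAML, not CodeQL's implementation) are assumptions.

```python
import re
# Constructed sample workflows (not the repository's real files).
BEFORE = """\
on: workflow_dispatch
jobs:
  changelog:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
AFTER = """\
on: workflow_dispatch
permissions:
  contents: read
jobs:
  changelog:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
  tests:
    runs-on: ubuntu-latest
    steps:
      - run: echo test
"""

def jobs_without_permissions(text):
    """Jobs with no workflow-level or job-level permissions key (assumes block-style YAML)."""
    top_level, jobs = False, {}
    in_jobs, job_indent, child_indent, current = False, None, None, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key = re.match(r"\s*([\w.-]+)\s*:", line)
        name = key.group(1) if key else None
        if indent == 0:                          # top-level key
            in_jobs = name == "jobs"
            top_level = top_level or name == "permissions"
        elif in_jobs and name:
            job_indent = job_indent or indent    # indentation of job names
            if indent == job_indent:             # a new job starts
                current, child_indent = name, None
                jobs[current] = False
            else:
                child_indent = child_indent or indent
                if indent == child_indent and name == "permissions":
                    jobs[current] = True
    return [] if top_level else [j for j, ok in jobs.items() if not ok]
```

A workflow-level block covers every job, so a job such as `tests` is only reported when the top-level `permissions` key is absent and the job sets none of its own.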

codecov bot commented Mar 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.17%. Comparing base (2175c12) to head (0c9a9f7).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #1792   +/-   ##
=======================================
  Coverage   92.17%   92.17%           
=======================================
  Files         156      156           
  Lines       10741    10741           
=======================================
+ Hits         9900     9901    +1     
+ Misses        841      840    -1     
Flag Coverage Δ
unit 92.17% <ø> (+<0.01%) ⬆️

vdusek added a commit to apify/apify-sdk-python that referenced this pull request Mar 13, 2026
## Summary

- Adds explicit `permissions` blocks to all 8 workflow files, addressing
CodeQL "Workflow does not contain permissions" security alerts
- Follows the principle of least privilege: `contents: read` as the
default, with elevated permissions only on jobs that need write access
(releases, changelog updates, docs deployment)
- Pre-existing permissions on `pypi_publish` and `_release_docs.yaml`
jobs are preserved
- Same as apify/apify-client-python#614 and apify/crawlee-python#1792

---

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
@vdusek vdusek merged commit 687cc12 into master Mar 13, 2026
32 checks passed
@vdusek vdusek deleted the ci/add-explicit-permissions-to-workflows branch March 13, 2026 10:57