ci: add permissions to caller jobs and upgrade release-please-action to v5

[kinyoklion]

Summary

Fixes Release Please startup_failure by adding explicit permissions to the ci and publish caller jobs. Also upgrades release-please-action from v4 to v5.

Review & Testing Checklist for Human

• Verify the release-please workflow runs without startup_failure on next push to main
• Confirm publish.yml permissions match what's declared on the caller
• Verify the ci caller job's contents: read is sufficient for actions/checkout

Notes

Same fix pattern as dotnet-core PR #241. Caller jobs need explicit permissions because the reusable workflows declare permissions that exceed the restricted org defaults. Added contents: read to the ci caller per Bugbot feedback — when permissions is declared, unmentioned permissions default to none.

Link to Devin session: https://app.devin.ai/sessions/54e32482848742c19ebf9c374efdc833
Requested by: @kinyoklion

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[cursor]

Cursor Bugbot has reviewed your changes using default mode and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 1daf2ab. Configure here.}