
Move write permissions to job-level in workflows#1444

Merged
liudger merged 1 commit intomainfrom
fix/scorecard-token-permissions
Apr 16, 2026

Conversation

@liudger
Owner

@liudger liudger commented Apr 16, 2026

Scorecard Token-Permissions check requires that write permissions are scoped to individual jobs, not at the workflow top-level.

Affected workflows:

  • release.yaml: add top-level permissions: read-all
  • release-drafter.yaml: move contents:write to job level
  • codeql.yaml: move security-events:write to job level
  • labels.yaml: move issues:write to job level
  • lock.yaml: move issues/pull-requests:write to job level
  • stale.yaml: move issues/pull-requests:write to job level
  • auto-approve-renovate.yml: move pull-requests:write to job level

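As an added illustration (not one of this repository's workflow files), the before/after shape of the change for a stale-style workflow; the cron schedule and the `actions/stale@v9` reference are assumptions chosen for the example:

```yaml
# BEFORE: write scopes set at the workflow top level apply to every job,
# which the Scorecard Token-Permissions check flags.
name: Stale
on:
  schedule:
    - cron: "0 3 * * *"   # assumed schedule for the example
permissions:
  issues: write
  pull-requests: write
jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v9   # assumed action reference for the example
---
# AFTER: the workflow default is read-only and the write scopes are
# declared only on the job that needs them.
name: Stale
on:
  schedule:
    - cron: "0 3 * * *"
permissions: read-all
jobs:
  stale:
    runs-on: ubuntu-latest
    # A job-level permissions block replaces (does not merge with) the
    # workflow-level default for this job, so list every scope it needs.
    permissions:
      issues: write
      pull-requests: write
    steps:
      - uses: actions/stale@v9
```

Any job in the same workflow without its own permissions block keeps the read-only default.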
@liudger liudger added the ci Work that improves the continue integration. label Apr 16, 2026
Copilot AI review requested due to automatic review settings April 16, 2026 10:28
@codecov

codecov Bot commented Apr 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.89%. Comparing base (86290c4) to head (f69f6ea).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1444   +/-   ##
=======================================
  Coverage   99.89%   99.89%           
=======================================
  Files           6        6           
  Lines         955      955           
  Branches      128      128           
=======================================
  Hits          954      954           
  Partials        1        1           

Copilot AI left a comment

Pull request overview

This PR updates GitHub Actions workflow GITHUB_TOKEN permissions to satisfy Scorecard’s Token-Permissions check by setting workflow-level defaults to read-only and moving write scopes to the specific jobs that need them.

Changes:

  • Set workflow-level permissions: read-all across the affected workflows.
  • Move write permissions (e.g., issues: write, pull-requests: write, security-events: write, contents: write) to the corresponding job-level permissions blocks.
  • Keep existing job-level write requirements (e.g., release upload/signing) intact while making the workflow defaults read-only.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Summary per file:

  • .github/workflows/stale.yaml: Sets workflow default to read-all; grants issues/PR write at the stale job level.
  • .github/workflows/release.yaml: Adds workflow default read-all; keeps job-level contents: write and id-token: write for publishing and release uploads.
  • .github/workflows/release-drafter.yaml: Sets workflow default read-all; scopes contents: write to the release-drafter job.
  • .github/workflows/lock.yaml: Sets workflow default read-all; grants issues/PR write at the lock job level.
  • .github/workflows/labels.yaml: Sets workflow default read-all; scopes contents: read + issues: write to the labels sync job.
  • .github/workflows/codeql.yaml: Sets workflow default read-all; scopes security-events: write to the CodeQL job.
  • .github/workflows/auto-approve-renovate.yml: Sets workflow default read-all; scopes pull-requests: write to the auto-approve job.

@liudger liudger merged commit 070312f into main Apr 16, 2026
21 checks passed
@liudger liudger deleted the fix/scorecard-token-permissions branch April 16, 2026 10:34
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 18, 2026