Explicitly use write perms for publish step

Previously these were set for the token by default. They're now
disabled by default, and enabled only for publish pushes (tags).

Author: pimterry

.github/workflows/ci.yml

@@ -102,8 +102,10 @@ jobs:
   publish:
     name: Publish a release
     runs-on: "ubuntu-22.04"
-    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
     needs: build
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+    permissions:
+      contents: write
     steps:
       - name: Get all distributables
         uses: actions/download-artifact@v4