Explicitly use write perms for publish step

Previously these were set for the token by default. They're now
disabled by default, and enabled only for publish pushes (tags).

Author: pimterry

.github/workflows/ci.yml

@@ -143,10 +143,12 @@ jobs:
   publish:
     name: Publish a release
     runs-on: "ubuntu-22.04"
-    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
     needs:
       - build
       - test-distributables
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+    permissions:
+      contents: write
     steps:
       - name: Get our distributables
         uses: actions/download-artifact@v4