ci: add permissions to publish caller job and upgrade release-please-action to v5

[kinyoklion]

Summary

Fixes Release Please startup_failure by adding explicit permissions to the call-workflow-publish caller job. Also upgrades release-please-action from v4 to v5.

Review & Testing Checklist for Human

• Verify the release-please workflow runs without startup_failure on next push to main

Notes

Same fix pattern as dotnet-core PR #241. The publish caller job needs explicit permissions because publish.yml declares permissions that exceed the restricted org defaults.

Link to Devin session: https://app.devin.ai/sessions/54e32482848742c19ebf9c374efdc833
Requested by: @kinyoklion

---

Note

Low Risk
Low risk CI-only change; main risk is workflow permission scoping or action version upgrade affecting release/publish automation behavior.

Overview
Upgrades googleapis/release-please-action from v4.4.0 to v5.0.0 in .github/workflows/release-please.yml.

Adds explicit permissions (id-token: write, contents: write) to the call-workflow-publish reusable-workflow caller job so the publish workflow can run with the required token scopes when a release is created.

^{Reviewed by Cursor Bugbot for commit 29e374c. Bugbot is set up for automated code reviews on this repo. Configure here.}

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring