ci(workflows): improve security and update actions

- set top-level explicit permissions for each GitHub Actions workflow for improved security and deduplication of permissions.
- add `persist-credentials: false` to actions/checkout for improved security - see https://github.com/actions/checkout#checkout-v4
- update actions/checkout from v4 to v5

.github/workflows/chore-remove-labels-and-assignees-on-close.yml

@@ -8,6 +8,10 @@ on:
   pull_request_target:
     types: [closed]
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   remove-labels-and-assignees:
     runs-on: ubuntu-latest