ci(workflows): improve security and update actions

- set top-level explicit permissions for each GitHub Actions workflow for improved security and deduplication of permissions.
- add `persist-credentials: false` to actions/checkout for improved security - see https://github.com/actions/checkout#checkout-v4
- update actions/checkout from v4 to v5

.github/workflows/coolify-production-build.yml

@@ -14,6 +14,10 @@ on:
       - templates/**
       - CHANGELOG.md
 
+permissions:
+  contents: read
+  packages: write
+
 env:
   GITHUB_REGISTRY: ghcr.io
   DOCKER_REGISTRY: docker.io
@@ -23,7 +27,9 @@ jobs:
   amd64:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Login to ${{ env.GITHUB_REGISTRY }}
         uses: docker/login-action@v3
@@ -58,7 +64,9 @@ jobs:
   aarch64:
     runs-on: [self-hosted, arm64]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Login to ${{ env.GITHUB_REGISTRY }}
         uses: docker/login-action@v3
@@ -92,12 +100,11 @@ jobs:
 
   merge-manifest:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
     needs: [amd64, aarch64]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - uses: docker/setup-buildx-action@v3