ci: update tag and publish with write perms for git push #509

Open
blackboxsw wants to merge 1 commit into canonical:main from blackboxsw:ci-provide-write-perms-to-tag-and-publish

@blackboxsw blackboxsw commented Jun 26, 2026

Collaborator

Description

Fix ability to push new VERSION tag to upstream upon merge to main.
Limit write permissions to just the tag-release job.

Additional Context and Relevant Issues

Without this fix, pycloudlib version tags will not be automatically pushed to upstream repo.

Automated jobs for publication of version tags to upstream are automatically blocked without explicit write permissions, as seen in this CI run:

remote: Permission to canonical/pycloudlib.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/canonical/pycloudlib/': The requested URL returned error: 403
Error: Process completed with exit code 128.

Add specific write permissions to ensure the job has the ability to push a version tag to upstream after a merge into main.
Not a significant security concern from external contributors because the job is limited to only run once approved and merged by a maintainer.

on:
  push:
    branches:
      - main

Test Steps

Fix ability to push new VERSION tag to upstream upon merge to main.
Limit write permissions to just the tag-release job.
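
An added example (not part of the pull request or the pycloudlib repository) of scoping write access to a single job as the description above puts it: the workflow default is a read-only token and only `tag-release` is granted `contents: write`. The workflow name, the `build` job, the step contents and the tag format are assumptions.

```yaml
# Added example; not the pycloudlib workflow.
# Workflow name, the build job, step contents and tag format are assumptions.
name: tag-and-publish

on:
  push:
    branches:
      - main

# Workflow-level default: every job gets a read-only GITHUB_TOKEN.
# Putting "contents: write" here instead would hand push rights to all jobs.
permissions:
  contents: read

jobs:
  tag-release:
    runs-on: ubuntu-latest
    # Job-level override: only this job's token may push refs.
    # Scopes not listed here are set to "none" for this job.
    permissions:
      contents: write
    steps:
      # checkout keeps the job token in the local git config by default,
      # so the later "git push" authenticates as github-actions[bot].
      - uses: actions/checkout@v4
      - name: Push version tag
        run: |
          # Assumes a VERSION file at the repository root holding the tag name.
          version="$(cat VERSION)"
          git tag "${version}"
          git push origin "${version}"

  build:
    # Hypothetical second job: no permissions block, so it inherits the
    # read-only default and a "git push" from here would fail with 403.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build distribution
        run: |
          python3 -m pip install build
          python3 -m build
```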