chore(ci): Add issues write permission for milestone management
Fixes the "Resource not accessible by integration" error that occurs
when the publish workflow attempts to create or modify milestones.
The manage-milestone step requires issues:write permission to interact
with GitHub's milestone API.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
chore(ci): Refactor binary size workflow to use secure workflow_run pattern
Split the binary size check into two workflows following GitHub Security Lab
best practices to prevent privilege escalation attacks:
1. binary-size.yml: Runs on pull_request trigger with read-only permissions.
Builds the PR code and uploads size report as artifact.
2. binary-size-comment.yml: Runs on workflow_run trigger with write permissions.
Downloads artifact and posts comment to PR without executing PR code.
This separation ensures untrusted PR code never executes with write permissions
or access to secrets, mitigating potential security risks from malicious PRs.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
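
A sketch of the two-workflow split described in the second commit message, added here as an illustration and not taken from the repository. The workflow names, artifact name, `scripts/size-report.sh` and the report file names are assumptions; only the two workflow file names come from the commit message.

```yaml
# .github/workflows/binary-size.yml: runs untrusted PR code, read-only token
name: Binary Size
on: pull_request
permissions:
  contents: read
jobs:
  measure:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Hypothetical build/report script; PR code executes only in this job.
      - run: ./scripts/size-report.sh > size-report.md
      # The PR number is an integer from the event payload, safe to inline.
      - run: echo "${{ github.event.pull_request.number }}" > pr-number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: size-report
          path: |
            size-report.md
            pr-number.txt
---
# .github/workflows/binary-size-comment.yml: trusted code only, write token
name: Binary Size Comment
on:
  workflow_run:
    workflows: ["Binary Size"]
    types: [completed]
permissions:
  actions: read          # fetch the artifact from the triggering run
  pull-requests: write   # post the comment
jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    steps:
      # No checkout step: nothing from the PR branch is executed here.
      - uses: actions/download-artifact@v4
        with:
          name: size-report
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      - name: Post comment (artifact contents are untrusted data)
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          pr="$(cat pr-number.txt)"
          # Reject anything that is not a plain integer before using it.
          case "$pr" in ''|*[!0-9]*) echo "invalid PR number"; exit 1 ;; esac
          gh pr comment "$pr" --repo "$GITHUB_REPOSITORY" --body-file size-report.md
```

The artifact is written by a job that ran PR-controlled code, so the privileged workflow validates the PR number and passes the report as a file body instead of interpolating either into a shell command.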