Ensure that the project's automated workflow tokens are set to read-only by default (#37643)

Signed-off-by: Bruno Oliveira da Silva <bruno@abstractj.com>

Closes #33544
Bruno Oliveira da Silva
2025-03-17 11:48:37 -03:00
committed by GitHub
parent 7aa5130628
commit 21c903e562
13 changed files with 60 additions and 8 deletions


@@ -22,8 +22,10 @@ defaults:
run:
shell: bash
jobs:
permissions:
contents: read
jobs:
conditional:
name: Check conditional workflows and jobs
runs-on: ubuntu-latest
@@ -43,6 +45,8 @@ jobs:
name: CodeQL Java
needs: conditional
runs-on: ubuntu-latest
permissions:
security-events: write # Required for SARIF upload
if: needs.conditional.outputs.java == 'true'
outputs:
conclusion: ${{ steps.check.outputs.conclusion }}
@@ -69,6 +73,8 @@ jobs:
name: CodeQL JavaScript
needs: conditional
runs-on: ubuntu-latest
permissions:
security-events: write # Required for SARIF upload
if: needs.conditional.outputs.javascript == 'true'
outputs:
conclusion: ${{ steps.check.outputs.conclusion }}
@@ -94,6 +100,8 @@ jobs:
name: CodeQL TypeScript
needs: conditional
runs-on: ubuntu-latest
permissions:
security-events: write # Required for SARIF upload
if: needs.conditional.outputs.typescript == 'true'
outputs:
conclusion: ${{ steps.check.outputs.conclusion }}
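Review bot: A job-level `permissions:` block replaces the workflow-level block instead of extending it, so the three CodeQL jobs (this hunk and the two before it at `-43,6` and `-69,6`) are left with only `security-events: write` and lose the `contents: read` that the new top-level default grants; every scope not listed at job level is set to none. If these jobs check out the repository or the CodeQL action needs to read it — the job steps continue outside the hunk, so that has to be confirmed against them — each job-level block should name the scopes it uses explicitly, e.g. `permissions:` / `  contents: read` / `  security-events: write # Required for SARIF upload`. For a private or internal repository `actions: read` is also typically needed for the SARIF upload step; for a public one it is presumably not, so that line can be left out if the repository is public.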