ci: update permissions for CodeQL action

This commit updates the CodeQL scanning job's permissions as
recommended in several places.

Refs: https://github.com/octokit/types.ts/blob/bb399b2f7126e587f2d6ff590bf3cffb9560c542/.github/workflows/codeql.yml#L11-L14
Refs: github/codeql#8843
Fixes: #2193

Author: cjihrig

.github/workflows/codeql-analysis.yml

@@ -21,6 +21,11 @@ on:
     schedule:
         - cron: '35 14 * * 3'
 
+permissions:
+    actions: read
+    contents: read
+    security-events: write
+
 jobs:
     analyze:
         name: Analyze