Give only read-level security-events permission where possible

pr-checks/checks/submit-sarif-failure.yml

@@ -14,6 +14,10 @@ env:
   # Mark telemetry for this workflow so it can be treated separately.
   CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
 
+permissions:
+  contents: read
+  security-events: write # needed to upload the SARIF file
+
 steps:
   - uses: actions/checkout@v4
   - uses: ./init

pr-checks/sync.py

@@ -126,7 +126,7 @@ for file in (this_dir / 'checks').glob('*.yml'):
         'name': checkSpecification['name'],
         'permissions': {
             'contents': 'read',
-            'security-events': 'write'
+            'security-events': 'read'
         },
         'timeout-minutes': 45,
         'runs-on': '${{ matrix.os }}',