Harden GITHUB_TOKEN permissions

Signed-off-by: Craig Ingram <cjingram@google.com>

.github/workflows/codeql.yml

@@ -10,9 +10,16 @@ on:
       - main
       - 'release/**'
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   CodeQL-Build:
 
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/analyze to upload SARIF results
     strategy:
       fail-fast: false