Set top-level permissions for CodeQL workflow (#2889)

As recommended by https://scorecard.dev/viewer/?uri=github.com/google/gson

Note however, that this currently most likely has no effect because the
`analyze` job already has permissions set (and `contents: read` might be
implicit for public repositories).
Nonetheless https://github.com/ossf/scorecard/blob/v5.1.1/docs/checks.md#token-permissions
recommends to set reduced top-level permissions so that if an additional
job is added in the future and it is missing explicit `permissions` it
will inherit the reduced top-level permissions.

Author: Marcono1234

.github/workflows/codeql-analysis.yml

@@ -11,6 +11,9 @@ on:
     # Run every Monday at 16:10
     - cron: '10 16 * * 1'
 
+permissions:
+  contents: read #  to fetch code (actions/checkout)
+
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})