[AAP-71476] Replace read-all with specific permissions in SonarCloud workflow

Narrow workflow permissions from read-all to only the scopes needed:
contents, actions, and pull-requests.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: lucasc017

.github/workflows/sonar-pr.yml

@@ -30,7 +30,10 @@ on:
       - CI
     types:
       - completed
-permissions: read-all
+permissions:
+  contents: read
+  actions: read
+  pull-requests: read
 jobs:
   sonar-pr-analysis:
     name: SonarCloud PR Analysis