ci: add explicit permissions to semgrep workflow (#3992)

This PR fixes security alert #153 by adding explicit permissions to the
semgrep workflow. The fix adds \permissions: contents: read\ to scope
the GITHUB_TOKEN following the principle of least privilege.

Signed-off-by: Jiyong Huang <huangjy@emqx.io>

Author: ngjaying

.github/workflows/semgrep.yaml

@@ -6,6 +6,10 @@ on:
   pull_request: 
     branches: [ "master", "main" ]
 
+# Explicitly scope GITHUB_TOKEN permissions (principle of least privilege).
+permissions:
+  contents: read
+
 jobs:
   semgrep:
     name: Scan