Fix spell check workflow permissions

Add missing permissions for the Report job to download artifacts (actions:read)
and upload SARIF results (security-events:write). Also add top-level
permissions block and align spelling job permissions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tas50

.github/workflows/spell-check.yaml

@@ -5,13 +5,18 @@ on:
   pull_request:
     types: [opened, reopened, synchronize]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   spelling:
     name: Run spell check
     permissions:
+      actions: read
       contents: read
       pull-requests: read
-      actions: read
+      security-events: write
     outputs:
       followup: ${{ steps.spelling.outputs.followup }}
     runs-on: ubuntu-latest
@@ -43,8 +48,10 @@ jobs:
     runs-on: ubuntu-latest
     needs: spelling
     permissions:
-      contents: write
+      actions: read
+      contents: read
       pull-requests: write
+      security-events: write
     if: (success() || failure()) && needs.spelling.outputs.followup
     steps:
       - name: comment