ci: add actions:read permission to fix CodeQL SARIF upload

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: motxx

.github/workflows/codeql.yml

@@ -15,6 +15,7 @@ jobs:
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
+      actions: read
       security-events: write
       contents: read
     strategy: