ci(scorecard): scope permissions to contents:read at workflow level

Sonar githubactions:S8234 flagged 'permissions: read-all' as a
vulnerability. Job-level permissions already grant exactly what the
scorecard analyzer needs (security-events: write for SARIF upload,
id-token: write for OIDC publish, contents: read, actions: read);
the top-level grant is only a fallback for any future steps without
their own block, so contents:read is the right minimum.

Author: aksOps

.github/workflows/scorecard.yml

@@ -27,7 +27,8 @@ on:
     - cron: "0 3 * * 2"
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   analysis: