Change permissions to be more granular

Author: sthulb

.github/workflows/osv.yml

@@ -15,13 +15,11 @@ on:
     branches: [main]
 
 permissions:
-  # Required to upload SARIF file to CodeQL. See: https://github.com/github/codeql-action/issues/2117
   actions: read
-  # Require writing security events to upload SARIF file to security tab
-  security-events: write
-  # Only need to read contents
   contents: read
 
 jobs:
   scan-pr:
+    permissions:
+      security-events: write
     uses: "google/osv-scanner-action/.github/workflows/[email protected]"