Specify default permissions for GitHub Action: CodeQL Create Issues

[castillios]

Fixes #8580

What changes did you make?

• Add a default permissions block in .github/workflows/codeql_create_issues.yml:

permissions:
  actions: read
  contents: read
  security-events: write
  issues: read

• Tweak permissions block specified in original issue to resolve an error in testing. See testing log containing said error at the bottom of this PR.
  • Add actions: read and security-events: write permissions

Why did you make the changes (we will use this info to test)?

• Adding a default permissions block helps limit workflows to what is needed by minimizing unnecessary permissions, as per GitHub security best practices.
• The permissions block specified in the original issue did not contain actions: read and security-events: write. As a result, the workflow would throw an error. After my conversation with Will, I added these two specifications in the original issue to resolve this.

CodeQL Alerts

After the PR has been submitted and the resulting GitHub actions/checks have been completed, developers should check the PR for CodeQL alert annotations.

Check the PR's comments. If present on your PR, the CodeQL alert looks similar as shown

Please let us know that you have checked for CodeQL alerts. Please do not dismiss alerts.

• I have checked this PR for CodeQL alerts and none were found.
• I found CodeQL alert(s), and (select one):
  • I have resolved the CodeQL alert(s) as noted
  • I believe the CodeQL alert(s) is a false positive (Merge Team will evaluate)
  • I have followed the Instructions below, but I am still stuck (Merge Team will evaluate)

Instructions for resolving CodeQL alerts

If CodeQL alert/annotations appear, refer to How to Resolve CodeQL alerts.

In general, CodeQL alerts should be resolved prior to PR reviews and merging

Screenshots of Proposed Changes To The Website (if any, please do not include screenshots of code changes)

• No visual changes to the website.
• I tested the CodeQL Create Issues workflow on my fork.
• In the following test logs, click Workflow File to see the updated .yml file
• Test Log with error (before permissions block was updated)
• Test Log with success (with final changes)

[github-actions]

Want to review this pull request? Take a look at this documentation for a step by step guide!

---

From your project repository, check out a new branch and test the changes.

git checkout -b castillios-test-codeql-create-issues-gha-8580 gh-pages
git pull https://github.com/castillios/website.git test-codeql-create-issues-gha-8580

[t-will-gillis]

Hey @castillios - Great job on this! All the basics are there:

• correct branches
• linked issue
• brief descriptions of what was changed and why
• linked test logs

Thanks for your work on this issue, and for noting that additional permissions were required beyond what the original issue stated.