Try another permission setup.

security events has to be write to allow codeql to work. OSSF-security
scan complains with the write at the top level.

So leave top level read only and add write at job level.
See if codeql will not fail (missing write perms caused failure in
codeql init).

Note that ossf recommended remediation step using:

   https://app.stepsecurity.io/secureworkflow/roundup-tracker/roundup/codeql-analysis.yml/master?enable=permissions

had no issue with the permissions defined in the workflow. I had a
green checkmark.

Author: rouilj

.github/workflows/codeql-analysis.yml

@@ -21,19 +21,22 @@ on:
   schedule:
     - cron: '28 17 * * 1'
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
-  security-events: write
-
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      security-events: write
+
     strategy:
       fail-fast: false
       matrix: