Fix the token permissions for private copies of the CodeQL Action, an…

…d for runs that are not from pull requests.

.github/workflows/codeql.yml

@@ -14,7 +14,9 @@ jobs:
       versions: ${{ steps.compare.outputs.versions }}
 
     permissions:
+      actions: read
       contents: read
+      security-events: write
 
     steps:
     - uses: actions/checkout@v2
@@ -63,6 +65,7 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     permissions:
+      actions: read
       contents: read
       security-events: write