fix: remove security-events write permission from global workflow permissions

The scorecard-action requires that security-events:write permission
be declared only at the job level, not at the workflow level.
This change moves the permission to only the jobs that need it
(CodeQL and Scorecard jobs already have it specified).

Author: claude

.github/workflows/security-main.yml

@@ -10,7 +10,6 @@ on:
 
 permissions:
   contents: read
-  security-events: write
 
 jobs:
   # Detect changes (skip for scheduled runs)