fix: add top-level permissions to workflows for CKV2_GHA_1

Checkov CKV2_GHA_1 requires top-level permissions to be explicitly
restricted, not just at the job level. Added permissions: {} to
security-scan.yml and permissions: { contents: read } to
azure-bicep-validate.yaml.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: spboyer

.github/workflows/azure-bicep-validate.yaml

@@ -8,9 +8,14 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v2

.github/workflows/security-scan.yml

@@ -8,6 +8,8 @@ on:
   schedule:
     - cron: '0 0 * * 0'  # Run weekly
 
+permissions: {}
+
 jobs:
   security:
     runs-on: ubuntu-latest