Add contents:read to zizmor job permissions

The job declares security-events:write for SARIF upload,
but this drops the implicit contents:read needed by
actions/checkout.

Author: bschwedler

.github/workflows/ci.yml

@@ -138,6 +138,7 @@ jobs:
     name: Zizmor
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       security-events: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6