Aswathy/fix: codeQL workflows

[aswathy-deriv]

Changes:

This pull request updates the GitHub Actions workflows to explicitly set permissions for the contents scope to read. This change enhances security by adhering to the principle of least privilege, ensuring that workflows only have the permissions they need.

Screenshots:

Please provide some screenshots of the change.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
deriv-app	✅ Ready (Inspect)	Visit Preview	Jun 18, 2025 10:25am

[github-actions]

A production App ID was automatically generated for this PR. (log)

• PR: Aswathy/fix: codeQL workflows #18601
• URLs:
  • w/ App ID + Server: https://deriv-app-git-fork-aswathy-deriv-fix-codeql-workflows.binary.sx?qa_server=red.derivws.com&app_id=32868
  • Original: https://deriv-app-git-fork-aswathy-deriv-fix-codeql-workflows.binary.sx
• App ID: 32868

Click here to copy & paste above information.

- **PR**: [https://github.com/deriv-com/deriv-app/pull/18601](https://github.com/deriv-com/deriv-app/pull/18601)
- **URLs**:
    - **w/ App ID + Server**: https://deriv-app-git-fork-aswathy-deriv-fix-codeql-workflows.binary.sx?qa_server=red.derivws.com&app_id=32868
    - **Original**: https://deriv-app-git-fork-aswathy-deriv-fix-codeql-workflows.binary.sx
- **App ID**: `32868`

[github-actions]

⏳ Generating Lighthouse report...

[habib-deriv]

LGTM

[habib-deriv]

Hi @aswathy-deriv let's try with test.yml, if we need write, or read is enough

[habib-deriv]

Also, can we put the permisison on job level, like @rupato-deriv's PR?

[aswathy-deriv]

But @habib-deriv ,actually its written that each workflow file to define the minimum required permissions: block at the top level (before jobs:)