Try another permission setup. security events has to be write to allow codeql to work. OSSF-security scan complains with the write at the top level. So leave top level read only and add write at job level. See if codeql will not fail (missing write perms caused failure in codeql init). Note that ossf recommended remediation step using: https://app.stepsecurity.io/secureworkflow/roundup-tracker/roundup/codeql-analysis.yml/master?enable=permissions had no issue with the permissions defined in the workflow. I had a green checkmark.