Fix security workflow to generate reports locally instead of uploading to GitHub Security (#1950)

- Changed security-events permission from write to read
- Disabled automatic SARIF upload in CodeQL analysis
- Removed Trivy SARIF upload step that was causing permission errors
- Added artifact uploads for all security scan results (CodeQL, Trivy secrets, SBOM)
- Reports are now available for download as workflow artifacts for local review

.github/workflows/security.yaml

@@ -12,7 +12,7 @@ on:
 permissions:
   actions: read
   contents: read
-  security-events: write
+  security-events: read
 
 jobs:
   codeql:
@@ -42,6 +42,16 @@ jobs:
         uses: github/codeql-action/analyze@v3
         with:
           category: "/language:${{matrix.language}}"
+          upload: false
+
+      - name: Upload CodeQL results as artifact
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: codeql-results-${{ matrix.language }}
+          path: |
+            **/results/**/*.sarif
+            **/results/**/*.sarif.json
 
   dependency-scan:
     name: Dependency Vulnerability Scan
@@ -75,6 +85,13 @@ jobs:
           format: spdx-json
           artifact-name: sbom.spdx.json
 
+      - name: Upload SBOM as artifact
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: sbom-results
+          path: sbom.spdx.json
+
   secrets-scan:
     name: Secrets Detection
     runs-on: ubuntu-latest
@@ -94,8 +111,10 @@ jobs:
           output: 'trivy-secrets-results.sarif'
           scanners: 'secret'
 
-      - name: Upload Trivy scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
+      - name: Upload Trivy secrets results as artifact
+        uses: actions/upload-artifact@v4
         if: always()
         with:
-          sarif_file: 'trivy-secrets-results.sarif'
+          name: trivy-secrets-results
+          path: trivy-secrets-results.sarif
+