ci: apply correct permissions to codeql job

[mrsimonemms]

Description of your changes

Applies the contents:read and security-events:write permissions to the CodeQL job. Also bumps the Action to v3 as deprecated.

The reason for the change is because the template's Actions don't work out of the box. This addresses that.

Fixes #

I have:

• [x] Read and followed Crossplane's contribution process.
• [x] Run make reviewable to ensure this PR is ready for review.
• [x] Added backport release-x.y labels to auto-backport this PR if necessary.

How has this code been tested

• Original broken Action
• Fixed Action with this change in