
`checks: write` gha permission is needed for pushing SARIF annotations on Pull Requests

Open nitrocode opened this issue 7 months ago • 2 comments

https://securityscorecards.dev/viewer/?uri=github.com/runatlantis/atlantis

Warn: topLevel 'checks' permission set to 'write': .github/workflows/lint.yml:24

In our case, to push SARIF annotations in a PR from a linter like golangci-lint, it requires `checks: write`, and of course that gets flagged by OpenSSF.

Request:

  • It would be good to call out examples where high privileges in GitHub Actions are needed
  • How to least-privilege the action with this permission to improve the score

nitrocode avatar Apr 03 '25 23:04 nitrocode
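A worked example of the least-privilege layout the second request asks for, added here as an illustration and not taken from the atlantis repository's `lint.yml`. The Scorecard finding quoted above is specifically about a *top-level* `checks: write`; the pattern below keeps the workflow-wide block read-only and grants `checks: write` only to the one job that publishes annotations. Job names, the `unit-tests` job, and the action version tags are assumptions for the example, not values from the page.

```yaml
# BEFORE: the shape Scorecard's Token-Permissions check warns about.
# A top-level `checks: write` is inherited by every job in the workflow,
# including jobs that only need to read the checkout.
name: lint
on:
  pull_request:
permissions:
  contents: read
  checks: write        # <- "topLevel 'checks' permission set to 'write'"
jobs:
  golangci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4                 # version tag assumed
      - uses: golangci/golangci-lint-action@v6    # version tag assumed
---
# AFTER: the top-level block is read-only; the write grant is scoped to the
# single job that needs to create check-run annotations.
name: lint
on:
  pull_request:
permissions:
  contents: read       # read-only default inherited by every job
jobs:
  golangci:
    runs-on: ubuntu-latest
    # A job-level `permissions` block REPLACES the top-level one, it does not
    # merge with it, so `contents: read` must be restated here or the
    # checkout step will fail.
    permissions:
      contents: read
      checks: write    # job-scoped: only this job can write check runs
    steps:
      - uses: actions/checkout@v4                 # version tag assumed
      - uses: golangci/golangci-lint-action@v6    # version tag assumed
  unit-tests:          # hypothetical second job, assumed for the example
    runs-on: ubuntu-latest
    # no `permissions` block: keeps the read-only top-level grant
    steps:
      - uses: actions/checkout@v4                 # version tag assumed
      - run: go test ./...
```

The blast radius of a leaked or abused `GITHUB_TOKEN` is then limited to the lint job, and a job added later cannot silently pick up write access it never needed. Scorecard's own remediation text for this check gives the same direction (a read-only top-level block with writes pushed down to individual jobs); whether a job-level write is still reported at lower severity is worth checking against the current check documentation rather than assuming a clean score.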