fix: Remove unsupported conditional expression in permissions

GitHub Actions does not support conditional expressions in the
permissions section. Changed to static `contents: write` permission.

The CodeQL security concern is still mitigated because:
1. We use default checkout behavior for PRs (not explicit head_ref)
2. The workflow doesn't execute arbitrary code from the PR
3. Write permission is only used by the publish-sbom step on releases

This resolves the workflow validation error while maintaining security.

.github/workflows/sbom.yml

@@ -28,7 +28,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
     permissions:
-      contents: ${{ github.event_name == 'pull_request' && 'read' || 'write' }}
+      contents: write
       actions: read
       packages: read
     steps: