fix: Address CodeQL security alert for untrusted checkout

Fixes CodeQL alert "Potential execution of untrusted code on a
privileged workflow" by implementing the principle of least privilege.

Changes:
- Set top-level permissions to read-all (most restrictive by default)
- Made contents permission conditional:
  - Read-only for pull_request events (prevents untrusted code execution)
  - Write permission only for releases (needed to attach SBOMs)
- Simplified checkout to use default behavior for PRs instead of
  explicitly checking out head_ref (safer)

This ensures PRs from forks cannot execute with write permissions,
mitigating the security risk while maintaining functionality for
release SBOM publishing.

Security: Addresses actions/untrusted-checkout/high

.github/workflows/sbom.yml

@@ -14,9 +14,7 @@ on:
     branches:
       - develop
 
-permissions:
-  contents: write
-  actions: read
+permissions: read-all
 
 concurrency:
   group: sbom-${{ github.ref }}
@@ -30,7 +28,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
     permissions:
-      contents: write
+      contents: ${{ github.event_name == 'pull_request' && 'read' || 'write' }}
       actions: read
       packages: read
     steps:
@@ -71,7 +69,7 @@ jobs:
       - name: Checkout Repo
         uses: actions/checkout@v4
         with:
-          ref: ${{ github.event_name == 'pull_request' && github.head_ref || steps.branch.outputs.BRANCH_NAME }}
+          ref: ${{ github.event_name != 'pull_request' && steps.branch.outputs.BRANCH_NAME || '' }}
 
       - name: Set OpenCost Image Tag
         id: image_tag