Separate permission for security-events that allows publishing without reading all other events

[sethmlarson]

Currently security-events: write is the only way for a GitHub Action to create security events. However having write implies the GitHub Action has the ability to read security events as well which has the potential to disclose vulnerabilties to a GitHub Action that's taken over.

My gut feeling is that almost all GitHub Actions that require security-events: write don't actually need security-events: read because they only want to publish a security event, not view any already published security events.

I discovered this issue when reporting ossf/scorecard#2152 which is where OpenSSF Scorecard will dock points from a repository using it's own GitHub Action because having security-events: write is insecure, but it requires the write permission in order to publish it's own findings!

[jsoref]

I'd really love a security-events-create: write which would allow an entity with a specific token to create and manipulate only the events it created...

I'm personally just as concerned as everyone else is by the wide-ranging permissions granted to carriers of the security-events: write permission and that wide-ranging grant is causing potential users of my action to push back against enabling the feature.