chore: tighten organization gitleaks workflow

[BreakableHoodie]

Summary

• restrict the gitleaks workflow token to the minimum permissions it needs
• keep the workflow non-blocking while we continue socializing the process

Testing

• not run (workflow change only)

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restore actions write permission for artifact upload

The workflow token no longer requests actions: write, but the “Upload redacted report” step uses actions/upload-artifact@v4 to create an artifact. GitHub requires actions: write on GITHUB_TOKEN for artifact uploads; without it the step will return 403 and the job will fail whenever findings exist, defeating the stated goal of keeping the scan non‑blocking. Consider keeping read-only scopes elsewhere but still requesting actions: write or otherwise skipping the upload.

Useful? React with 👍 / 👎.