Look for any GitHub workflow jobs that run "github/codeql-action/analyze". Check that those jobs have the "security-events: write" permission defined at the job level, not at the root level of the workflow.
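The two cases this check distinguishes, shown as an added example that is not part of the original text. The workflow names, the `lint` job, the `languages` value and the action version tags are constructed for illustration.

```yaml
# Constructed workflow A: flagged by the check.
# "security-events: write" is set at the root, so it applies to every job
# that does not override permissions, including jobs that never upload results.
name: codeql-root-permissions
on: [push]
permissions:
  contents: read
  security-events: write        # root level: this is what the check rejects
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python
      - uses: github/codeql-action/analyze@v3
  lint:
    runs-on: ubuntu-latest      # inherits security-events: write without needing it
    steps:
      - uses: actions/checkout@v4
---
# Constructed workflow B: passes the check.
# The root grants read-only access; only the job that runs
# github/codeql-action/analyze is given "security-events: write".
name: codeql-job-permissions
on: [push]
permissions:
  contents: read
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # job-level permissions replace the root set,
      security-events: write    # so every scope the job needs is listed here
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python
      - uses: github/codeql-action/analyze@v3
  lint:
    runs-on: ubuntu-latest      # keeps the read-only root permissions
    steps:
      - uses: actions/checkout@v4
```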