Actions: Add warning/finding when using actions/create-github-app-token without permissions

[hfhbd]

Description of the issue
You can use https://github.com/actions/create-github-app-token to create an app installation token. Depending on the app, it can have broad permissions. Unfortunately, the action does not use permissions-none as default, but all the permissions of the app.

So CodeQL could warn when using this app without setting permissions.

[redsun82]

👋 @hfhbd This sounds like a reasonable query idea! Using actions/create-github-app-token without explicit permissions can lead to overly permissive tokens.

If you're interested in contributing this query yourself, we welcome community contributions! You can find guidance in our CONTRIBUTING.md, which explains how to submit new experimental queries. The Actions queries live under actions/ql/src/.

Key points:

• New queries start in an experimental directory
• Include query metadata (@id, @name, @description, @kind, @problem.severity)
• At least one true positive result on a real project is required
• Query help and unit tests are optional for experimental queries but encouraged

Otherwise we will be tracking this internally.