Potential fix for code scanning alert no. 1: Workflow does not contain permissions #10

Closed
danielbentes wants to merge 1 commit into main from alert-autofix-1

Conversation

@danielbentes

Contributor

Potential fix for https://github.com/synaptiai/siare/security/code-scanning/1

In general, the fix is to add an explicit permissions block restricting the GITHUB_TOKEN to the minimum scopes required. Since this workflow only needs to read repository contents (for actions/checkout and to run tests/linting) and does not update code, issues, or pull requests, setting permissions: contents: read is an appropriate minimal baseline.

The best way to fix this without changing functionality is to add a workflow-level permissions block near the top of .github/workflows/ci.yml, so it applies to all jobs (test and build). This keeps the configuration concise and avoids repeating permissions per job. Specifically, insert:

permissions:
  contents: read

between the name: CI and the on: block. No additional imports, methods, or definitions are needed because this is purely a YAML configuration change for GitHub Actions. All existing steps—checkout, setup-python, pip installs, linting, testing, Codecov upload, build, and artifact upload—will continue to work with read-only repository contents permissions.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
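To make the alert's condition checkable outside the GitHub UI, here is an added example (not code from the siare project or from Copilot Autofix) that audits a workflow file for the missing block and applies the same fix the PR describes: a workflow-level `permissions:` inserted before the top-level `on:` key. It assumes the usual block-style, consistently indented workflow layout and scans lines rather than parsing YAML, so flow mappings, anchors and multi-document files are out of scope; the sample `CI_BEFORE` is a constructed stand-in for the ci.yml the alert fired on, not the repository's actual file.

```python
"""Audit a GitHub Actions workflow for a missing `permissions` block and add one.

Added example for this PR thread; it is not the siare project's code.
Assumption: the workflow uses the usual block-style, consistently indented layout.
This is a line-oriented scan, not a YAML parser: flow mappings, anchors and
multi-document files are out of scope. Not loading the file through a YAML 1.1
parser also avoids the quirk where the bare key `on` loads as the boolean True.
"""
import re

# A mapping key at the start of a line: captures its indentation and name.
KEY_RE = re.compile(r"^( *)([A-Za-z_][\w.-]*) *:")

# Constructed sample resembling the ci.yml the alert fired on, before the fix.
CI_BEFORE = """\
name: CI

on:
  push:
    branches: [main]
  pull_request:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install -e ".[dev]"
      - run: pytest
  build:
    runs-on: ubuntu-latest
    needs: test
    steps:
      - uses: actions/checkout@v4
      - run: python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
"""


def _keys(lines):
    """Yield (line_index, indent, key) for each mapping key, skipping blanks and comments."""
    for i, line in enumerate(lines):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            yield i, len(m.group(1)), m.group(2)


def audit_workflow(text):
    """Report where `permissions` is declared.

    Returns {"workflow": bool, "jobs": {job_name: bool}}; a job's flag means the
    job itself declares permissions (a workflow-level block covers every job
    that does not override it).
    """
    workflow = False
    jobs = {}
    in_jobs = False
    job_indent = body_indent = current = None
    for _, ind, key in _keys(text.splitlines()):
        if ind == 0:
            workflow = workflow or key == "permissions"
            in_jobs = key == "jobs"
            job_indent = body_indent = current = None
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = ind                      # first key under jobs: is a job name
        if ind == job_indent:
            current, body_indent = key, None
            jobs[current] = False
        elif current is not None:
            if body_indent is None:
                body_indent = ind                 # first key inside the job body
            if ind == body_indent and key == "permissions":
                jobs[current] = True              # direct child of the job only
    return {"workflow": workflow, "jobs": jobs}


def uncovered_jobs(text):
    """Jobs whose GITHUB_TOKEN would fall back to the repository's default permissions."""
    report = audit_workflow(text)
    if report["workflow"]:
        return []
    return sorted(name for name, declared in report["jobs"].items() if not declared)


def add_workflow_permissions(text, scopes=("contents: read",)):
    """Insert a workflow-level `permissions` block before the top-level `on:` key.

    Mirrors the PR's fix (block placed between `name:` and `on:`); a no-op when
    the workflow already declares permissions at the top level.
    """
    if audit_workflow(text)["workflow"]:
        return text
    lines = text.splitlines(keepends=True)
    for i, ind, key in _keys(lines):
        if ind == 0 and key in ("on", "jobs"):
            block = ["permissions:\n"] + [f"  {s}\n" for s in scopes] + ["\n"]
            return "".join(lines[:i] + block + lines[i:])
    raise ValueError("no top-level `on:` or `jobs:` key; not a workflow file?")


if __name__ == "__main__":
    print("uncovered before fix:", uncovered_jobs(CI_BEFORE))
    fixed = add_workflow_permissions(CI_BEFORE)
    print(fixed)
    print("uncovered after fix:", uncovered_jobs(fixed))
```

Run it against `.github/workflows/*.yml` in CI to catch the regression the alert is about; `uncovered_jobs` returning a non-empty list is the condition to fail on. A job that sets its own `permissions:` is reported as covered even without the workflow-level block, which matches how the token scoping actually resolves.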

@danielbentes danielbentes left a comment

Contributor Author


Self-Review: PR #10

P1 - Critical: None found.

P2 - Important

#  Category   Issue                                    Suggested Fix
1  Duplicate  This PR has an identical diff to PR #9.  Merge PR #9, then close this PR as duplicate. Both address the same missing permissions block in ci.yml.

P3 - Suggestions: None found.

What Looks Good

  • The fix itself is correct (same as PR #9)

Recommendation: Close as duplicate of PR #9. Merge #9 first, then close #10.

@danielbentes danielbentes marked this pull request as ready for review March 28, 2026 13:15
@danielbentes

Contributor Author

Closing as duplicate of #9 (identical diff — both fix the same missing permissions block in ci.yml). #9 has been merged.

@danielbentes danielbentes deleted the alert-autofix-1 branch March 28, 2026 13:16