
Potential fix for code scanning alert no. 2: Workflow does not contain permissions#9

Merged
danielbentes merged 1 commit into
mainfrom
alert-autofix-2
Mar 28, 2026

Conversation

@danielbentes

Contributor

Potential fix for https://github.com/synaptiai/siare/security/code-scanning/2

In general, the fix is to explicitly configure GITHUB_TOKEN permissions to the least privilege required. For this workflow, all steps only need to read repository contents (for actions/checkout) and upload coverage/artifacts to external services. They do not push to the repo, manage issues, or alter pull requests, so contents: read is sufficient. No per-job variations are necessary; a single top-level permissions: block will apply to both test and build.

Concretely, in .github/workflows/ci.yml, add a permissions: section after the name: CI line (before on:). Set it to:

```yaml
permissions:
  contents: read
```

This keeps existing behavior (all current actions still function) while ensuring the GITHUB_TOKEN cannot write to repository contents or other resources. No imports or external libraries are involved, and no additional methods or definitions are required—this is purely a YAML configuration change.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
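The layout the description prescribes, shown in a complete workflow as an added example that is not the project's ci.yml; job names and steps are constructed placeholders, and it goes beyond this PR by also showing a job-level override for the one case where a job genuinely has to write.

```yaml
# Constructed illustration (not the project's ci.yml). Job names and steps
# are placeholders; only the permissions layout is the point.
name: CI

# Workflow-level default: every job's GITHUB_TOKEN is read-only on
# repository contents and holds no other scope. A workflow with no
# permissions block inherits the repository default, which may still be
# read-write on contents, packages and more.
permissions:
  contents: read

on:
  push:
    branches: [main]
  pull_request:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # needs only contents: read
      - run: make test              # placeholder test command

  # Only when a job must write (here: posting a PR comment), grant that
  # scope on the job itself. A job-level block replaces the top-level one
  # and every scope it omits becomes none, so contents: read has to be
  # restated when the job also checks out code.
  annotate:
    runs-on: ubuntu-latest
    needs: test
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - run: echo "placeholder step that comments on the pull request"
```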

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

@danielbentes danielbentes left a comment

Contributor Author


Self-Review: PR #9

P1 - Critical: None found.

P2 - Important: None found.

P3 - Suggestions: None found.

What Looks Good

  • Correct least-privilege fix: permissions: contents: read is the minimum needed for checkout + lint + test
  • Addresses CodeQL security alert #2
  • Single-file, 3-line change — minimal blast radius

Recommendation: Approve (0 P1, 0 P2)

Note: PRs #9 and #10 both modify .github/workflows/ci.yml and will conflict. One should merge first, then the other should be closed or rebased.

@danielbentes danielbentes marked this pull request as ready for review March 28, 2026 13:15
@danielbentes danielbentes merged commit dc1aed1 into main Mar 28, 2026
6 checks passed
@danielbentes danielbentes deleted the alert-autofix-2 branch March 28, 2026 13:16
