Potential fix for code scanning alert no. 12: Workflow does not contain permissions

[simonmarty]

Potential fix for https://github.com/aws/aws-secretsmanager-caching-python/security/code-scanning/12

To fix the problem, add a permissions block to the workflow to explicitly set the minimal required permissions for the GITHUB_TOKEN. The best practice is to set contents: read at the workflow level, which covers most use cases for CI workflows that only need to check out code and run tests. If any step requires additional permissions (such as uploading coverage reports to a pull request), those can be added as needed. In this case, since the workflow uploads coverage to Codecov (which does not require write access to the repository), contents: read is sufficient. The change should be made at the top level of the workflow file, just after the name key and before the on key.

---

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.14%. Comparing base (83badd1) to head (2c95897).

Additional details and impacted files

@@           Coverage Diff           @@
##           master      #64   +/-   ##
=======================================
  Coverage   98.14%   98.14%           
=======================================
  Files           8        8           
  Lines         270      270           
=======================================
  Hits          265      265           
  Misses          5        5           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.