Potential fix for code scanning alert no. 6: Workflow does not contain permissions

[nstarman]

Potential fix for https://github.com/GalacticDynamics/is_annotated/security/code-scanning/6

To fix the problem, we should add a permissions block to the dist job in the workflow file .github/workflows/cd.yml. Since this job is for building distributions and does not require any special token privileges (it just checks out source code and runs build steps), we can safely set the permissions to the minimal possible, which is contents: read. This restricts the GITHUB_TOKEN to read-only access to repository contents, preventing accidental code or secret leaks and adhering to the principle of least privilege.

Steps:

• Edit .github/workflows/cd.yml.
• In the dist job (under jobs: dist:), add a permissions: block with contents: read, at the same indentation level as the other job properties (such as name and runs-on).
• No further code or dependency changes required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (f9dc1ac) to head (9a2f12d).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##              main       #30   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines            6         6           
=========================================
  Hits             6         6           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.