Potential fix for code scanning alert no. 5: Workflow does not contain permissions

[nstarman]

Potential fix for https://github.com/GalacticDynamics/is_annotated/security/code-scanning/5

To resolve the problem, you should add a permissions block to the workflow (preferably at the top level, so it applies to all jobs by default) or add it to each individual job (if some jobs require more permissions than others). The minimal permissions required here are likely contents: read, as this allows jobs to fetch code for CI processes. To implement, update .github/workflows/ci.yml by adding the following YAML under the workflow name and before on: (ideally, after line 1):

permissions:
  contents: read

This will ensure the GITHUB_TOKEN used during workflow/job execution does not have unnecessary write capabilities. No dependencies or imports are required for this fix.

---

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (49f78ef) to head (8336e9a).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##              main       #31   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines            6         6           
=========================================
  Hits             6         6           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.