Potential fix for code scanning alert no. 1: Workflow does not contain permissions

[simonmarty]

Potential fix for https://github.com/aws/secrets-store-csi-driver-provider-aws/security/code-scanning/1

The best fix is to explicitly add a permissions block limiting the GITHUB_TOKEN's permissions to contents: read at the job level or—preferably—at the workflow root, ensuring that the token used by the actions in this workflow has only read access to repository contents. This is sufficient for the tasks performed (format checking, building, testing, and reporting coverage via Codecov, which uses a secret token). Add the following to the top-level section of the workflow, after the name: field and before on::

permissions:
  contents: read

No imports or methods are needed. Only the workflow YAML file needs to be changed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.67%. Comparing base (f9d1c34) to head (569f21d).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #513   +/-   ##
=======================================
  Coverage   59.67%   59.67%           
=======================================
  Files          11       11           
  Lines        1034     1034           
=======================================
  Hits          617      617           
  Misses        400      400           
  Partials       17       17           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.