
Potential fix for code scanning alert no. 1: Workflow does not contain permissions #1

Merged: loookashow merged 1 commit into main from alert-autofix-1 on Mar 3, 2026

Conversation

@loookashow

Contributor

Potential fix for https://github.com/FoxNoseTech/diarize/security/code-scanning/1

In general, the fix is to add an explicit permissions block to the workflow so that the GITHUB_TOKEN has only the scopes needed. For this CI workflow, all operations are reading repository contents and sending coverage data to Codecov; no GitHub write actions are present, so contents: read is sufficient. Declaring this at the top level of the workflow applies to all jobs that don’t override it, which fits both lint and test.

The best fix without changing existing functionality is to add a root-level permissions section right after the name: CI line. This will constrain GITHUB_TOKEN to read-only repository contents across the whole workflow. No changes are needed within individual jobs, and no additional imports or actions are required. Concretely, in .github/workflows/ci.yml, insert:

permissions:
  contents: read

between lines 1 and 3 (after name: CI and before on:), keeping indentation consistent with other top-level keys.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
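The alert this PR fixes fires when a job has neither a job-level nor a root-level permissions block, so GITHUB_TOKEN falls back to the repository default. The following is an added example, not code from this repository or from Copilot Autofix: a dependency-free, line-based check that reproduces that rule over workflow text and also flags permissions: write-all as an added caveat beyond the alert itself. The BEFORE and AFTER workflows are constructed from the PR description (a name: CI workflow with lint and test jobs, checkout plus a Codecov upload) rather than copied from .github/workflows/ci.yml, and the parser assumes space-indented block mappings, which is how workflow files are normally written.

```python
"""Check GitHub Actions workflow text for a missing `permissions` block.

Added example (not the project's own code). Line-based on purpose so it runs
without PyYAML; it assumes space-indented block mappings for `jobs:` and
`permissions:`, which covers the CI workflow described in the PR.
"""
import re
import sys
from typing import Dict, List, Optional

# Matches "key:" or "key: value" lines; list items ("- uses: ...") do not match.
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*?)\s*$")

# Constructed sample: the workflow shape described in the PR before the fix
# (no permissions anywhere, so both jobs inherit the repository default).
BEFORE = """\
name: CI
on:
  push:
    branches: [main]
  pull_request:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ruff check .
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pytest --cov
      - uses: codecov/codecov-action@v4
"""

# Constructed sample: the same workflow with the root-level block the PR adds,
# inserted right after `name: CI` exactly as the description recommends.
AFTER = BEFORE.replace("name: CI\n", "name: CI\npermissions:\n  contents: read\n", 1)


def parse_workflow(text: str) -> Dict[str, object]:
    """Return the root permissions value and, per job, the job-level value.

    A value of "" means a block mapping (`permissions:` followed by scopes),
    a non-empty string is a scalar such as `write-all`, and None means absent.
    """
    root_perm: Optional[str] = None
    jobs: Dict[str, Optional[str]] = {}
    in_jobs = False
    job_indent: Optional[int] = None      # indentation of job names under jobs:
    job_key_indent: Optional[int] = None  # indentation of keys inside a job
    current: Optional[str] = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = KEY_RE.match(raw)
        if not m:
            continue  # list items, scalars and continuation lines are irrelevant
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if indent == 0:  # top-level key
            in_jobs = key == "jobs"
            current = None
            if key == "permissions":
                root_perm = value
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent  # first key under jobs: fixes the job indentation
        if indent == job_indent:
            current = key
            jobs[current] = None
            job_key_indent = None
            continue
        if current is None:
            continue
        if job_key_indent is None:
            job_key_indent = indent  # first key inside the job fixes its key indentation
        if indent == job_key_indent and key == "permissions":
            jobs[current] = value
    return {"root_permissions": root_perm, "jobs": jobs}


def check_workflow(text: str) -> List[str]:
    """One finding per job that has no effective permissions block, plus a
    caveat finding for `write-all`, which declares permissions but narrows nothing."""
    info = parse_workflow(text)
    root = info["root_permissions"]
    findings = []
    for name, job_perm in info["jobs"].items():
        effective = job_perm if job_perm is not None else root
        if effective is None:
            findings.append(f"job '{name}': no permissions block, GITHUB_TOKEN inherits the repository default")
        elif effective == "write-all":
            findings.append(f"job '{name}': permissions: write-all grants every scope; narrow it")
    return findings


if __name__ == "__main__":
    # Usage: python check_permissions.py .github/workflows/ci.yml [more files]
    paths = sys.argv[1:]
    texts = {p: open(p, encoding="utf-8").read() for p in paths} or {"BEFORE": BEFORE, "AFTER": AFTER}
    for label, text in texts.items():
        for f in check_workflow(text):
            print(f"{label}: {f}")
```

Run with no arguments it reports both jobs of the constructed BEFORE workflow and nothing for AFTER; pointed at real files it reports per job, which is also the granularity at which the code scanning alert reasons, since a job-level permissions block silences the alert for that job even when the root block is absent.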
@codecov-commenter


Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment

Thanks for integrating Codecov - We've got you covered ☂️

@loookashow loookashow marked this pull request as ready for review March 3, 2026 09:45
@loookashow loookashow merged commit 3e435a6 into main Mar 3, 2026
9 checks passed
@loookashow loookashow deleted the alert-autofix-1 branch March 3, 2026 09:45