ci(workflows): add minimal permissions to coverage workflow

Defined explicit permissions for contents as read-only in the coverage workflow. This change addresses SSF recommendations by ensuring the GitHub Actions token only has the necessary permissions to perform code coverage analysis. Reduces security exposure by adhering to the principle of least privilege.

.github/workflows/publish.yml

@@ -4,7 +4,10 @@ on:
   release:
     types: [published, prereleased]
   workflow_dispatch:
-
+
+permissions:
+  contents: read
+
 jobs:
   publish:
     name: Upload release to PyPI