
Commit 8c9e267

Potential fix for code scanning alert no. 1: Workflow does not contain permissions (#336)
Potential fix for [https://github.com/reservoir-data/tap-pomelo/security/code-scanning/1](https://github.com/reservoir-data/tap-pomelo/security/code-scanning/1)

In general, the fix is to explicitly declare GITHUB_TOKEN permissions in the workflow, granting only what each job requires. For jobs that only need to read the repository contents, `contents: read` is typically sufficient; jobs that publish artifacts or releases may need `contents: write` and/or `id-token: write`, as already configured for `publish`.

For this workflow, the best minimal change is to add a `permissions` block to the `build` job alone, since `publish` already has one. The `build` job only checks out code and builds, so we can safely restrict it to `contents: read`. No other scopes are needed.

Concretely, in `.github/workflows/build.yml`, under `build:` (line 7) and aligned with `name:` and `runs-on:`, insert:

```yaml
permissions:
  contents: read
```

No additional imports or tools are required; this is a pure YAML configuration change inside the existing workflow.

_Suggested fixes powered by Copilot Autofix. Review carefully before merging._

Signed-off-by: Edgar Ramírez Mondragón <edgarrm358@gmail.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
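The scoping the commit message describes, laid out as a complete workflow: a restrictive default at the workflow level, `contents: read` for the build job, and only the publishing scopes for the release job. This is an added illustration, not the repository's actual `build.yml`; the trigger, the `publish` job's steps, the artifact name and the action version tags are assumptions.

```yaml
# Added illustration of least-privilege GITHUB_TOKEN scoping; not the tap-pomelo workflow.
name: Build and publish

on:
  push:
    tags: ["v*"]
  pull_request:

# Workflow-level default: no scopes at all. Each job opts in to what it needs,
# so a job added later without its own block gets nothing, not the repository default.
permissions: {}

jobs:
  build:
    name: Build wheel and sdist
    runs-on: ubuntu-24.04
    permissions:
      contents: read          # checkout only; every scope not listed here is "none"
    steps:
      - uses: actions/checkout@v4   # assumption: pin to a commit SHA in a real workflow, as the page's diff does
      - run: python -m pip install build && python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist          # assumed artifact name
          path: dist/

  publish:
    name: Publish to PyPI     # hypothetical job; the real publish job is not shown on this page
    needs: build
    runs-on: ubuntu-24.04
    if: startsWith(github.ref, 'refs/tags/v')
    permissions:
      id-token: write         # OIDC token for trusted publishing
      contents: write         # attach built files to a GitHub release
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Because a job-level `permissions` block sets every scope it does not list to `none`, the `build` job's token cannot write to the repository even if the organization default would allow it, and the `publish` job is the only place a write scope exists.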
1 parent a60b4db commit 8c9e267

File tree

1 file changed

+2
-0
lines changed


.github/workflows/build.yml

Lines changed: 2 additions & 0 deletions
@@ -7,6 +7,8 @@ jobs:
77
build:
88
name: Build wheel and sdist
99
runs-on: ubuntu-24.04
10+
permissions:
11+
contents: read
1012
steps:
1113
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
1214
- uses: hynek/build-and-inspect-python-package@efb823f52190ad02594531168b7a2d5790e66516 # v2.14.0
