Adjust readme regarding OIDC auth

[rsyring]

The readme shows the example:

permissions:
  id-token: write

But that is missing a read permission that would cause the action to be unable to checkout the repo.

It would be better to show a fuller example:

permissions:
  contents: read     # For actions/checkout
  id-token: write    # For Codecov OIDC

[vivodi]

The 'contents: read' permission is granted by default, so there's no need to specify it explicitly.

[rsyring]

Maybe it's a scoping issue? The readme has this code snippet:

permissions:
  id-token: write

And I took that to mean that config should go at the root of workflow. When I put that at the root I could no longer checkout the repository.

Is it supposed to go on the job or task level instead?

- uses: codecov/codecov-action@v5
  with:
    use_oidc: true
    permissions:
      id-token: write

Might point still stands though in that it would be helpful to update the readme to show a bit more context for that permissions block.

[rsyring]

FWIW, I've confirmed that the permissions when used at the top level have to have "contents: read" or my checkout step fails. Additional, a GPT says (for whatever it's worth):

Including contents: read only matters if you’ve overridden the default permissions. As soon as you add a top-level permissions: block, you replace all defaults, so you must explicitly grant read access to your repo for actions/checkout.