Conversation

@SachaMorard
Contributor

Potential fix for https://github.com/edgee-cloud/amplitude-component/security/code-scanning/5

To fix the problem, we should explicitly restrict GITHUB_TOKEN permissions for the coverage job so it does not inherit broad repository defaults. The minimal safe starting point recommended by CodeQL is contents: read, and we only need to elevate further if some step in the job actually requires more. The steps in coverage only check out code, install tooling, run tests/coverage, and call the Coveralls action. These operations typically require only read access to the repository contents; they do not push commits, create releases, or modify issues/PRs.

The best targeted fix without changing functionality is:

  • Add a permissions: block under the coverage job with contents: read.
  • Leave other jobs as they are (the clippy job already has its own permissions block; the others can safely inherit any future workflow-level default or be tightened separately later).

Concretely, in .github/workflows/check.yml, under coverage: (around line 83), insert:

  coverage:
    name: coverage & coveralls
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      ...

No new imports or external dependencies are needed; it is purely a YAML configuration change.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
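As an added example (not code from this PR or the edgee-cloud project), a small check that reports which jobs in a workflow file would still inherit the default GITHUB_TOKEN permissions, i.e. jobs with no job-level permissions block when the workflow declares none at the top level. It assumes two-space indented YAML as in the snippet above; the sample workflow is constructed to mirror the clippy and coverage jobs described in the description.

```python
"""Report GitHub Actions jobs that inherit default GITHUB_TOKEN permissions."""

# Constructed sample modelled on the check.yml layout described in the PR:
# clippy already scopes its token, coverage does not.
SAMPLE_WORKFLOW = """\
name: check
on: [push, pull_request]
jobs:
  clippy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      checks: write
    steps:
      - uses: actions/checkout@v4
  coverage:
    name: coverage & coveralls
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""


def unscoped_jobs(workflow_text: str) -> list[str]:
    """Return job ids that neither declare job-level permissions nor sit
    under a workflow-level permissions key (assumes 2-space indentation)."""
    lines = workflow_text.splitlines()
    top_level_keys = {
        line.split(":", 1)[0].strip() for line in lines if line and not line[0].isspace()
    }
    if "permissions" in top_level_keys:
        return []  # a workflow-level block already applies to every job
    jobs: dict[str, bool] = {}
    current = None
    in_jobs = False
    for line in lines:
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_jobs = line.startswith("jobs:")
            current = None
        elif in_jobs and indent == 2 and line.strip().endswith(":"):
            current = line.strip()[:-1]  # new job id
            jobs[current] = False
        elif in_jobs and indent == 4 and current and line.strip().startswith("permissions"):
            jobs[current] = True  # covers "permissions:" and inline "permissions: {}"
    return [job for job, scoped in jobs.items() if not scoped]


if __name__ == "__main__":
    print("jobs inheriting default token permissions:", unscoped_jobs(SAMPLE_WORKFLOW))
```

Applying the PR's change to the sample (a permissions block with contents: read under coverage) makes the function return an empty list.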
@SachaMorard SachaMorard marked this pull request as ready for review January 2, 2026 10:17
@coveralls

Pull Request Test Coverage Report for Build 20655753901

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 1 unchanged line in 1 file lost coverage.
  • Overall coverage decreased (-0.1%) to 98.408%

  Files with Coverage Reduction    New Missed Lines    %
  src/lib.rs                       1                   98.11%

  Totals                           Coverage Status
  Change from base Build 18674194011:  -0.1%
  Covered Lines:                       680
  Relevant Lines:                      691

💛 - Coveralls

@SachaMorard SachaMorard merged commit 30a2268 into main Jan 2, 2026
9 checks passed
@SachaMorard SachaMorard deleted the alert-autofix-5 branch January 2, 2026 10:20