ci: declare contents:read on python-app workflow#77

Merged: advaitpatel merged 2 commits into OWASP:main from arpitjain099:chore/declare-workflow-perms-1778777844-38 on May 15, 2026

Conversation

@arpitjain099 (Contributor)

Adds a workflow-level permissions: contents: read block. The job here only checks out the repository and runs its tests / validation; no GitHub API call beyond the initial checkout is needed.

CVE-2025-30066 (the March 2025 tj-actions/changed-files supply-chain compromise) is the canonical motivation: a tampered third-party action exfiltrated GITHUB_TOKEN from workflow logs and the leaked token retained whatever scope was issued at the workflow level. Per-workflow caps bound that runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and register with OpenSSF Scorecard's Token-Permissions check (which only credits explicit per-workflow declarations).

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
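The page does not show the diff itself, so the following is an added illustration, not the PR's own file: a workflow of the shape the description refers to (a checkout-and-test job), with the workflow-level `permissions` block the PR adds. The path, the workflow name and the individual steps are assumptions; only the `python-app` workflow name and the `contents: read` declaration come from the PR.

```yaml
# .github/workflows/python-app.yml
# (path, workflow name and steps are assumed for this example; the PR itself is
# not reproduced on the page)

name: Python application

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Before this change there was no `permissions` key here, so the job's
# GITHUB_TOKEN inherited whatever the repository or organisation default is.
# That default can still be the permissive legacy setting (write on most
# scopes), and it can be widened later without this file changing. Declaring
# the cap in the workflow pins the token's authority for every job below:
# the token can read repository contents (enough for actions/checkout) and
# nothing else. Any scope not listed is denied.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # A job may declare its own `permissions` block; when it does, that block
    # REPLACES the workflow-level one rather than merging with it, so a
    # job-level declaration must itself be complete. This job does not need
    # more than the workflow default, so it declares nothing.
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt

      - name: Run tests
        run: pytest

  # Hypothetical second job shown only to illustrate the zero-scope form:
  # `permissions: {}` issues a GITHUB_TOKEN with no scopes at all, which is
  # the right cap for a job that never touches the repository or the API.
  lint-docs:
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - run: echo "nothing here needs a token"
```

Two points a reviewer checks when approving a change like this: every job in the file still works with only `contents: read` (a job that later needs to comment on a PR or publish a package would have to declare its own complete `permissions` block), and the declaration sits at the top level of the workflow file, since OpenSSF Scorecard's Token-Permissions check credits explicit per-workflow declarations rather than the repository default. Pinning third-party actions to a commit SHA is a separate, complementary control and is not part of what this PR changes.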
@advaitpatel (Collaborator) left a comment

Thank you for your contributions. I am happy to approve the PR.

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@a3177a9). Learn more about missing BASE report.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #77   +/-   ##
=======================================
  Coverage        ?   26.33%           
=======================================
  Files           ?       14           
  Lines           ?     1781           
  Branches        ?        0           
=======================================
  Hits            ?      469           
  Misses          ?     1312           
  Partials        ?        0           
Flag: unittests, Coverage: 26.33% <ø> (Δ: ?)


@advaitpatel advaitpatel merged commit f249c5c into OWASP:main May 15, 2026
6 checks passed