
Potential fix for code scanning alert no. 5: Workflow does not contain permissions#128

Merged: dedece35 merged 1 commit into main from alert-autofix-5 on Feb 13, 2026

Conversation

@dedece35 (Member)

Potential fix for https://github.com/green-code-initiative/creedengo-python/security/code-scanning/5

In general, the fix is to add an explicit permissions section specifying the minimal scopes required for the workflow. You can add this either at the root (applies to all jobs) or per job. Here, only the build and upload jobs use GITHUB_TOKEN for release operations, which require contents: write; the checks job only inspects permissions and does not need write access. The cleanest least-privilege fix is: set restrictive default permissions at the workflow root (e.g., contents: read) and then override them with contents: write only for the jobs that create and upload release assets.

Concretely:

  • At the top level of .github/workflows/tag_release.yml, add a permissions: block after name: Tag Release (or after on:) setting contents: read.
  • In the build job, add a permissions: block with contents: write because actions/create-release@v1 needs to create a release (which writes to repository contents/releases).
  • In the upload job, add a permissions: block with contents: write because actions/upload-release-asset@v1 needs to upload assets to an existing release.
  • Leave the checks job with default (inherited) contents: read, which is sufficient since it doesn’t use GITHUB_TOKEN explicitly.

No new imports, methods, or external dependencies are required; this is purely a workflow-permissions configuration change in .github/workflows/tag_release.yml.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@dedece35 dedece35 marked this pull request as ready for review February 13, 2026 20:41
@dedece35 dedece35 merged commit ea90403 into main Feb 13, 2026
9 checks passed
@dedece35 dedece35 deleted the alert-autofix-5 branch February 13, 2026 20:41
@sonarqubecloud

Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud


      - '[0-9]+.[0-9]+.[0-9]+'

permissions:
  contents: read

Check notice

Code scanning / SonarCloud

Read permissions should be defined at the job level (severity: Low)

Move this read permission from workflow level to job level. See more on SonarQube Cloud
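The workflow below is an added illustration of the permission split the PR description lays out; it is not the project's actual `.github/workflows/tag_release.yml`. The job names (checks, build, upload), the tag pattern, the two release actions and the contents: read / contents: write split are taken from this page; the step bodies, the `needs` ordering, the `upload_url` hand-off between jobs, the checkout action and the asset path are assumptions made for the example.

```yaml
# Added example, not the project's own workflow file. Job names, tag pattern,
# release actions and the permission split follow the PR description; the
# steps, job ordering, output hand-off and asset path are placeholders.
name: Tag Release

on:
  push:
    tags:
      - '[0-9]+.[0-9]+.[0-9]+'

# Restrictive default for every job that declares nothing of its own.
# Only the jobs that create or upload a release widen this to write.
permissions:
  contents: read

jobs:
  checks:
    runs-on: ubuntu-latest
    # Inherits contents: read from the root; no GITHUB_TOKEN writes here.
    steps:
      - uses: actions/checkout@v4
      - run: echo "placeholder for the permission checks"   # assumed step

  build:
    runs-on: ubuntu-latest
    needs: checks                    # assumed ordering
    permissions:
      contents: write                # actions/create-release@v1 creates a release
    outputs:
      upload_url: ${{ steps.create.outputs.upload_url }}   # assumed hand-off
    steps:
      - uses: actions/checkout@v4
      - id: create
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref_name }}
          release_name: ${{ github.ref_name }}

  upload:
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: write                # actions/upload-release-asset@v1 attaches assets
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.build.outputs.upload_url }}
          asset_path: ./dist/placeholder.zip       # placeholder path
          asset_name: placeholder.zip
          asset_content_type: application/zip
```

A job-level `permissions:` block switches every scope it does not list to none, so build and upload end up with contents: write and nothing else, while checks keeps only the root's contents: read. The SonarCloud notice above prefers that read grant at job level rather than workflow level; to satisfy it without losing the restrictive default, replace the root block with `permissions: {}` (no scopes for any job that declares nothing) and add `permissions: contents: read` to the checks job, which it needs anyway for checkout. build and upload already declare their own scopes and are unaffected by that change.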
