ci(coverage-refresh): add contents:write permission and document push caveat

Add 'permissions: contents: write' at the workflow top level so the
coverage-refresh job is authorized to commit and push the updated
coverage_map.json.gz back to master. Without this, the GITHUB_TOKEN has
only read permissions in newer default permission settings.

Also add a comment on the git push step noting that branch protection
may still reject the default GITHUB_TOKEN and that a PAT or GitHub App
with bypass-branch-protection permission may be needed.

Author: sbryngelson

.github/workflows/coverage-refresh.yml

@@ -9,6 +9,8 @@ on:
       - 'toolchain/mfc/test/cases.py'
       - 'src/**/*.fpp'
   workflow_dispatch:
+permissions:
+  contents: write
 concurrency:
   group: coverage-refresh
   cancel-in-progress: true
@@ -31,6 +33,11 @@ jobs:
             git config user.email "mfc-bot@users.noreply.github.com"
             git add tests/coverage_map.json.gz
             git commit -m "test: refresh coverage map [skip ci]"
+            # NOTE: pushing to a protected default branch requires a token or
+            # GitHub App with bypass-branch-protection permission.  The default
+            # GITHUB_TOKEN may be rejected by branch protection rules; if so,
+            # configure a PAT or App token with the `contents: write` scope and
+            # pass it as `GITHUB_TOKEN` in the environment for this step.
             git push origin HEAD:master
           else
             echo "Coverage map unchanged."