ci: declare workflow-level contents: read on unit-test and ci-pull_request #6444

Closed
arpitjain099 wants to merge 1 commit into elastic:main from arpitjain099:chore/declare-workflow-perms

@arpitjain099

Both workflows run tests / CI only. No GitHub API writes, so workflow-level contents: read is the right cap.

Post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. YAML validated locally.
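A check for the hardening pattern described above, as an added example that is not part of this PR or the project's code: it reports whether a workflow file declares workflow-level `permissions` and whether any scope grants write. The sample workflows, function names and result labels are constructed for illustration, and the line-based parsing assumes conventionally indented block-style YAML.

```python
import re

# Constructed sample workflows (not the files changed in this PR).
UNCAPPED = """\
name: unit-test
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
CAPPED = UNCAPPED.replace("jobs:", "permissions:\n  contents: read\n\njobs:", 1)
WRITER = UNCAPPED.replace(
    "jobs:", "permissions:\n  contents: read\n  pull-requests: write\njobs:", 1)
INLINE = UNCAPPED.replace("jobs:", "permissions: write-all\njobs:", 1)


def workflow_permissions(text):
    """Return workflow-level permissions as a dict, a scalar string, or None if absent."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        # re.match anchors at column 0, so indented job-level blocks are ignored.
        m = re.match(r"permissions:\s*(.*?)\s*(?:#.*)?$", line)
        if not m:
            continue
        if m.group(1):  # scalar form: read-all, write-all, {}
            return m.group(1)
        scopes = {}
        for sub in lines[i + 1:]:
            if sub.strip() and not sub[0].isspace():
                break  # next top-level key ends the block
            kv = re.match(r"\s+([\w-]+):\s*([\w-]+)", sub)
            if kv:
                scopes[kv.group(1)] = kv.group(2)
        return scopes
    return None


def audit(text):
    """Classify a workflow as 'missing', 'no-write' or 'grants-write'."""
    perms = workflow_permissions(text)
    if perms is None:
        return "missing"  # GITHUB_TOKEN falls back to the repo/org default
    if isinstance(perms, str):
        return "no-write" if perms in ("read-all", "{}") else "grants-write"
    return "grants-write" if "write" in perms.values() else "no-write"
```

A job-level `permissions` block overrides the workflow-level one for that job, so a "no-write" result here covers only the workflow-level cap this PR is about.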

…quest

Both workflows run tests / CI only; no GitHub API writes.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 requested a review from a team as a code owner May 25, 2026 22:50
@mergify
Contributor

mergify Bot commented May 25, 2026

This pull request does not have a backport label. Could you fix it @arpitjain099? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v./d./d./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@arpitjain099
Author

Hey, I don't have write on the repo so can't add a label myself. For a workflow-perms PR like this I'd suggest backport-skip since the change is on the CI workflow file (not application code) and release branches typically don't get CI hardening pushed back. If you'd rather backport to an active branch, happy to follow up; just point me at the right backport-v8.x.x label and I'll mark it in a comment so a maintainer can apply.

@arpitjain099
Author

Closing as duplicate of #6311 (earlier PR with overlapping scope), apologies for the noise.
