ci: declare workflow-level contents: read on 6 CI workflows #4025

Open

arpitjain099 wants to merge 1 commit into eclipse-platform:master from arpitjain099:chore/declare-workflow-perms

Conversation

@arpitjain099

Adds workflow-level `permissions: contents: read` to six CI workflows: checkDependencies, ci, doCleanCode, pr-checks, unit-tests, version-increments. All run pure checks; no GitHub API writes from the workflows themselves.

Same post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. YAML validated locally.

@eclipse-eca-validation

Hi @arpitjain099 — thank you for your contribution!

The Eclipse Contributor Agreement (ECA) check has failed for this pull request due to one of the following reasons:

  • Committing user must have an Eclipse Account
  • Author must have an Eclipse Account

To resolve this, please:

  1. Sign in or create an Eclipse Foundation account: https://accounts.eclipse.org/user/eca
  2. Ensure your GitHub username is linked to your Eclipse account
  3. Complete and submit the ECA form

Once done, push a new commit (or rebase) to re-trigger the ECA validation.

If you believe you've already completed these steps, please double-check your account settings or report an issue to Eclipse Foundation Helpdesk.

Thanks again for your contribution!

@arpitjain099
Author

CLA signed

Adds workflow-level `contents: read` to six CI workflows that run pure checks (checkDependencies, ci, doCleanCode, pr-checks, unit-tests, version-increments). No GitHub API writes from the workflows.

Same post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. yaml.safe_load validated.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

@akurtakov force-pushed the chore/declare-workflow-perms branch from 8117acc to 44d28ab on June 4, 2026 11:03

Copilot AI left a comment

Pull request overview

This PR hardens the repository’s GitHub Actions configuration by explicitly setting a least-privilege GITHUB_TOKEN at the workflow level (permissions: contents: read) for CI workflows that only run checks.

Changes:

  • Add workflow-level permissions: contents: read to six CI workflows to avoid relying on broader default token permissions.
  • Align these workflows with the repository’s existing “minimal-by-default, elevate per-job if needed” permissions pattern.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Summary per file:

  • .github/workflows/checkDependencies.yml: adds workflow-level `contents: read` permissions.
  • .github/workflows/ci.yml: adds workflow-level `contents: read` permissions.
  • .github/workflows/doCleanCode.yml: adds workflow-level `contents: read` permissions.
  • .github/workflows/pr-checks.yml: adds workflow-level `contents: read` permissions.
  • .github/workflows/unit-tests.yml: adds workflow-level `contents: read` permissions.
  • .github/workflows/version-increments.yml: adds workflow-level `contents: read` permissions.


@akurtakov
Member

akurtakov commented Jun 4, 2026

Failure https://github.com/eclipse-platform/eclipse.platform.ui/actions/runs/26947761475 :

```
Invalid workflow file: .github/workflows/pr-checks.yml#L16
The workflow is not valid. .github/workflows/pr-checks.yml (Line: 16, Col: 3): Error calling workflow 'eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/verifyFreezePeriod.yml@master'. The workflow is requesting 'issues: read', but is only allowed 'issues: none'.
```
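
The error above is GitHub's permission-narrowing rule for reusable workflows: once a caller declares any scope at the workflow level, every unlisted scope becomes `none` for every job, and a job that calls a reusable workflow must grant at least what the callee declares. Below is an added example of the pattern that resolves it, written for this page and not taken from the repository's actual pr-checks.yml (which is not shown here). The job id `verify-freeze-period`, the `pull_request` trigger, the second job and its build command are all assumptions; the only scope taken from the page is the `issues: read` named in the error message, and the real callee may declare further scopes that would each need to be granted the same way.

```yaml
# Added example, not the project's own workflow: a caller that keeps the
# workflow-level least-privilege token and elevates a single job.
name: PR checks

on:
  pull_request:                      # trigger assumed for illustration

# Workflow-level default for every job. Listing any scope here sets all
# unlisted scopes to `none`, which is exactly what produced
# "is requesting 'issues: read', but is only allowed 'issues: none'".
permissions:
  contents: read

jobs:
  # BEFORE (run refuses to start): this job inherits only contents: read,
  # so the reusable workflow's declared `issues: read` exceeds the grant.
  #
  #   verify-freeze-period:
  #     uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/verifyFreezePeriod.yml@master
  #
  # AFTER: a job-level `permissions` block REPLACES the workflow-level one
  # for this job, so contents: read must be restated next to the extra scope.
  verify-freeze-period:              # job id is an assumption
    permissions:
      contents: read
      issues: read                   # the scope named in the error message
    uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/verifyFreezePeriod.yml@master

  # Every other pure-check job keeps the workflow-level contents: read.
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4    # action version assumed
      - run: ./mvnw -B verify        # build command is a placeholder
```

Elevating at the job level is preferable to adding `issues: read` to the workflow-level block, which would hand that scope to every job in the file. Note also that a local `yaml.safe_load` only proves the file is well-formed YAML; the check that a called workflow's declared permissions fit inside the caller's grant is performed by GitHub when the run is scheduled, which is why the file validated locally and still failed on the first run.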

@arpitjain099
Author

> Failure https://github.com/eclipse-platform/eclipse.platform.ui/actions/runs/26947761475 :
>
> Invalid workflow file: .github/workflows/pr-checks.yml#L16
>
> The workflow is not valid. .github/workflows/pr-checks.yml (Line: 16, Col: 3): Error calling workflow 'eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/verifyFreezePeriod.yml@master'. The workflow is requesting 'issues: read', but is only allowed 'issues: none'.

Hello @akurtakov, let me check tonight.

@github-actions
Contributor

github-actions Bot commented Jun 4, 2026

Test Results

  • Files: 861 (±0); suites: 861 (±0); duration: 54m 28s (+1m 7s)
  • Tests: 8 034 (±0): 7 790 passed (±0), 243 skipped (±0), 1 failed (±0)
  • Runs: 20 541 (±0): 19 883 passed (±0), 655 skipped (±0), 3 failed (±0)

For more details on these failures, see this check.

Results for commit 44d28ab, compared against base commit 26fe26b.
