fix(ci): grant actions:read and contents:read to E2E label helper #995

Merged
pimlock merged 3 commits into main from test/ci-e2e-helper-verify
Apr 28, 2026
Conversation

@pimlock
Collaborator

@pimlock pimlock commented Apr 27, 2026

Summary

The E2E Label Help workflow's gh api calls silently failed permission checks. The job had only pull-requests: write, but it also calls:

  • gh api repos/<repo>/branches/<ref> (needs contents: read)
  • gh api repos/<repo>/actions/workflows/<file>/runs (needs actions: read)

Without those, the workflow-runs lookup returned empty and the helper fell back to linking the all-runs page for the workflow instead of the specific run for the PR head SHA. Posting comments still worked because that uses pull-requests: write.

Spotted while testing #990 by re-applying test:e2e to this PR and observing the comment linked to the workflow's all-runs page rather than the run for this PR's SHA. The same gh api .../runs?head_sha=<sha> call returns the run when run locally with a PAT.

Also includes a tiny CI.md wording tweak from the original test commit ("stays neutral" → "passes as a no-op", since the gate's no-label path exits 0 / green, not neutral).

Changes

  • .github/workflows/e2e-label-help.yml - add actions: read and contents: read to the hint job.
  • architecture/ci-e2e.md - update the permissions table to match.
  • CI.md - clarify gate-with-no-label state.

Testing

pull_request_target workflow files are loaded from the base branch (main), so the fix only takes effect after this PR merges. Verification on a future PR:

  • Apply test:e2e, confirm the E2E Label Help comment links to the specific Branch E2E Checks run for the PR head SHA, not the workflow's all-runs page.
  • Apply test:e2e before copy-pr-bot mirrors the PR, confirm the comment instead tells the maintainer to run /ok to test <SHA>.

Checklist

  • Conventional commit message
  • DCO sign-off
  • Commits signed

Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
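
Added example, not part of the PR or the project's code: a small Python lint that reads a job's `permissions:` block and flags `gh api` endpoints whose required scope is not granted, using only the two endpoint-to-scope pairs named in the description above. The workflow fragment, the shell variable names and the function names are constructed for illustration.

```python
import re

LEVELS = {"none": 0, "read": 1, "write": 2}
# Endpoint pattern -> (scope, level): only the two pairs stated in the PR description.
RULES = [
    (re.compile(r"repos/\S+?/branches/\S+"), "contents", "read"),
    (re.compile(r"repos/\S+?/actions/workflows/\S+?/runs"), "actions", "read"),
]

def declared_permissions(workflow_text):
    """Read the first `permissions:` mapping (minimal indent parser, no YAML library)."""
    perms, indent = {}, None
    for line in workflow_text.splitlines():
        stripped = line.strip()
        depth = len(line) - len(line.lstrip())
        if indent is None:
            if stripped == "permissions:":
                indent = depth
        elif stripped and not stripped.startswith("#"):
            if depth <= indent:
                break  # left the permissions block
            key, _, value = stripped.partition(":")
            perms[key.strip()] = value.strip()
    return perms

def missing_permissions(workflow_text):
    """Return {scope: level} needed by `gh api` calls but not granted to the job."""
    have = declared_permissions(workflow_text)
    missing = {}
    for line in (l for l in workflow_text.splitlines() if "gh api" in l):
        for pattern, scope, need in RULES:
            # Once a permissions block exists, any scope it omits is "none".
            granted = LEVELS.get(have.get(scope, "none"), 0)
            if pattern.search(line) and granted < LEVELS[need]:
                missing[scope] = need
    return missing

# Constructed workflow fragment: job name from the PR, variable names assumed.
BEFORE = """\
hint:
  permissions:
    pull-requests: write
  steps:
    - run: |
        gh api "repos/$REPO/branches/$REF"
        gh api "repos/$REPO/actions/workflows/$WORKFLOW/runs?head_sha=$SHA"
"""
AFTER = BEFORE.replace("write\n", "write\n    actions: read\n    contents: read\n")
print(missing_permissions(BEFORE), missing_permissions(AFTER))
```

Run against a workflow file in CI, a non-empty result is a reason to fail the check before the under-scoped token degrades a helper at runtime.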
@pimlock pimlock requested a review from a team as a code owner April 27, 2026 19:57
@pimlock pimlock self-assigned this Apr 27, 2026
@pimlock pimlock added the test:e2e Requires end-to-end coverage label Apr 27, 2026
@github-actions

Label test:e2e applied for 9c4d0b4. Open Branch E2E Checks and click Re-run all jobs to execute with the label set. The E2E Gate check on this PR will flip green automatically once the run finishes.

The helper calls gh api .../branches/<ref> and gh api .../actions/workflows/<file>/runs.
Both endpoints need read permissions the workflow did not declare. Without them
the runs lookup silently returned empty, and the helper fell back to linking
the workflow's all-runs page instead of the specific run for the PR head SHA.

Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
@pimlock pimlock changed the title from "docs(ci): clarify E2E gate is no-op success when no label" to "fix(ci): grant actions:read and contents:read to E2E label helper" Apr 27, 2026

When the workflow runs lookup returns no specific run id, the comment
now tells the maintainer to find the run by commit SHA on the workflow
page instead of just linking to the all-runs page with no further
guidance.

Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
@pimlock pimlock merged commit c49ae09 into main Apr 28, 2026
22 of 23 checks passed
@pimlock pimlock deleted the test/ci-e2e-helper-verify branch April 28, 2026 17:16