ci: Update config

.github/workflows/ci.yml

@@ -48,9 +48,8 @@ jobs:
   tidy:
     uses: taiki-e/github-actions/.github/workflows/tidy.yml@main
     permissions:
-      contents: read
-      pull-requests: write # for gh pr edit --add-assignee
-      repository-projects: read # for gh pr edit --add-assignee
+      contents: write # for creating branch for pr
+      pull-requests: write # unused (used in `codegen-automerge: true` case)
       security-events: write # for github/codeql-action/*
     secrets: inherit
 

.github/workflows/manifest.yml

@@ -35,9 +35,8 @@ jobs:
   manifest:
     uses: taiki-e/github-actions/.github/workflows/gen.yml@main
     permissions:
-      contents: read
-      pull-requests: write # for gh pr edit --add-assignee / gh pr review --approve
-      repository-projects: read # for gh pr edit --add-assignee
+      contents: write # for creating branch for pr
+      pull-requests: write # for gh pr review --approve
     secrets: inherit
     with:
       script: tools/manifest.sh

.github/zizmor.yml

@@ -2,7 +2,7 @@
 # https://docs.zizmor.sh/configuration/
 
 rules:
-  dependabot-cooldown: { disable: true } # Useless unless hash-pin is forced by unpinned-uses.
+  dependabot-cooldown: { disable: true } # Unless dependencies are pinned/locked, the effect is limited.
   secrets-inherit: { disable: true }
   unpinned-uses:
     config: