diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8992ecca..69622880 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -48,9 +48,8 @@ jobs:
 tidy:
 uses: taiki-e/github-actions/.github/workflows/tidy.yml@main
 permissions:
- contents: read
- pull-requests: write # for gh pr edit --add-assignee
- repository-projects: read # for gh pr edit --add-assignee
+ contents: write # for creating branch for pr
+ pull-requests: write # unused (used in `codegen-automerge: true` case)
 security-events: write # for github/codeql-action/*
 secrets: inherit
diff --git a/.github/workflows/manifest.yml b/.github/workflows/manifest.yml
index 02f9eac5..dae4f3ae 100644
--- a/.github/workflows/manifest.yml
+++ b/.github/workflows/manifest.yml
@@ -35,9 +35,8 @@ jobs:
 manifest:
 uses: taiki-e/github-actions/.github/workflows/gen.yml@main
 permissions:
- contents: read
- pull-requests: write # for gh pr edit --add-assignee / gh pr review --approve
- repository-projects: read # for gh pr edit --add-assignee
+ contents: write # for creating branch for pr
+ pull-requests: write # for gh pr review --approve
 secrets: inherit
 with:
 script: tools/manifest.sh
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 4392703f..76b9bac6 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -2,7 +2,7 @@
 # https://docs.zizmor.sh/configuration/
 rules:
- dependabot-cooldown: { disable: true } # Useless unless hash-pin is forced by unpinned-uses.
+ dependabot-cooldown: { disable: true } # Unless dependencies are pinned/locked, the effect is limited.
 secrets-inherit: { disable: true }
 unpinned-uses:
 config:
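Review bot: In the ci.yml hunk, raising `contents` to `write` gives the reusable workflow called as `tidy.yml@main` a token that can push to this repository, on top of `secrets: inherit`; since `@main` is a mutable ref, whatever that branch contains at run time receives that access. Pinning the call to a full commit SHA, e.g. `uses: taiki-e/github-actions/.github/workflows/tidy.yml@<full-commit-sha> # main`, keeps the widened scope tied to reviewed code, and the same applies to `gen.yml@main` in the manifest.yml hunk. The new `pull-requests: write` line is commented as unused for this caller: if it must stay only because the called workflow declares that permission (an assumption, the called file is not shown), say so in the comment, otherwise drop it. The `tidy` job may continue past the end of the hunk.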
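Review bot: In the manifest.yml hunk, the `manifest` job's token can now both push the PR branch (`contents: write`) and approve the resulting pull request (`pull-requests: write # for gh pr review --approve`), so generation and approval rest on a single identity. If the branch is pushed with `GITHUB_TOKEN`, as the new comment suggests, GitHub does not start `push` or `pull_request` workflows for that push, so the approved PR may carry no CI result; worth confirming that required status checks or a ruleset on the target branch still gate the merge. I would state the reliance next to the grant, e.g. `contents: write # for creating branch for pr; merge must stay gated by branch protection`. The job's `with:` block continues outside the hunk.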