cleanup: grant actions:write and skip manifest refresh on no-op (#100)

Mirrors OpenIPC/firmware#2133. Today's scheduled cleanup run failed
with HTTP 403: Resource not accessible by integration when dispatching
manifest.yml — the prune job only declared contents:write. The refresh
step also fires on the empty-prune path (exit 0 only exits the step,
not the job), which is wasted work since manifest.yml is already kept
fresh by master.yml's workflow_run.

Add actions:write to the permissions block, and gate the refresh on a
step output so it runs only after an actual deletion.

Co-authored-by: John <zekccsripfwrocp-15689@yn.furvionx.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: 3 people

.github/workflows/cleanup.yml

@@ -6,6 +6,7 @@ on:
 
 permissions:
   contents: write
+  actions: write
 
 concurrency:
   group: gh-pages-manifest
@@ -19,6 +20,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Delete releases beyond the 90 newest
+        id: prune
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
@@ -29,6 +31,7 @@ jobs:
 
           if [ -z "$to_delete" ]; then
             echo "Nothing to delete; <=90 dated nightlies present."
+            echo "pruned=false" >> "$GITHUB_OUTPUT"
             exit 0
           fi
 
@@ -37,8 +40,10 @@ jobs:
             echo "Deleting $tag"
             gh release delete "$tag" --cleanup-tag --yes
           done
+          echo "pruned=true" >> "$GITHUB_OUTPUT"
 
       - name: Refresh manifest
+        if: steps.prune.outputs.pruned == 'true'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: gh workflow run manifest.yml