Fix release auto-dispatch perms + restrict auto-tag paths

- `gh workflow run` requires actions:write, not just contents:write.
  Add it to both Auto-tag and Bump & Release workflows so the dispatch
  step stops failing with HTTP 403.
- Auto-tag's paths filter no longer includes workflow files. Workflow
  edits don't change the binary, so they shouldn't auto-bump the
  version. (That's what produced the spurious v0.1.2 / v0.1.3 tags
  while iterating on the workflows themselves.)

Author: gek0z

.github/workflows/auto-tag.yml

@@ -16,15 +16,17 @@ on:
   push:
     branches: [main]
     paths:
+      # Only files that affect the produced binary trigger an auto-tag.
+      # Workflow / CI changes do *not* — that was the source of the
+      # version-inflation we got while iterating on the workflows themselves.
       - "Sources/**"
       - "Tests/**"
       - "project.yml"
       - "bootstrap.sh"
-      - ".github/workflows/release.yml"
-      - ".github/workflows/auto-tag.yml"
 
 permissions:
   contents: write
+  actions: write   # required by `gh workflow run` to dispatch Release
 
 concurrency:
   group: auto-tag-main

.github/workflows/bump-release.yml

@@ -23,6 +23,7 @@ on:
 
 permissions:
   contents: write
+  actions: write   # required by `gh workflow run` to dispatch Release
 
 jobs:
   tag: