setup-ci skill templates missing id-token permission and version pinning #94

@Svtter

Problem

The /setup-ci skill templates generate workflows that fail on self-hosted runners. Comparing against a working configuration in Svtter/latex-agent, two gaps cause CI failures:

1. Missing id-token: write permission

All generated templates (review, feature-missing, spec-coverage) only include:

permissions:
  contents: read
  pull-requests: write
  issues: write

But working configs require id-token: write. Without it, the opencode action fails on self-hosted runners (process exits with code 1).

2. Missing version parameter

The templates don't include the version input for pinning the opencode binary. Working configs use:

uses: Svtter/opencode-actions/review@v2
with:
  version: "1.14.29"

Without version pinning, the action may pull an incompatible or broken opencode release.

Suggested Fix

Update all templates in the /setup-ci skill to:

  1. Add id-token: write to the permissions block
  2. Add version: "1.14.29" (or latest stable) to all action invocations

Working Reference

The Svtter/latex-agent repo has working configs that can be used as the source of truth:

  • .github/workflows/opencode-review.yml
  • .github/workflows/opencode-feature-missing.yml
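
A check for the two gaps reported above, as an added example that is not code from the issue author or the opencode-actions project: it scans a generated workflow for a permissions block granting id-token: write and for a pinned version input on every Svtter/opencode-actions step. The function names, the sample workflow and the rule that only an x.y.z value counts as pinned are assumptions.

```python
import re
from itertools import takewhile

ACTION_PREFIX = "Svtter/opencode-actions/"  # action path quoted in the issue
ID_TOKEN = re.compile(r"\s*id-token:\s*write\s*(#.*)?$")
PINNED = re.compile(r"""\s*version:\s*["']?\d+\.\d+\.\d+["']?\s*(#.*)?$""")

def _indent(line):
    return len(line) - len(line.lstrip(" "))

def _block(lines, start):
    """Lines nested under lines[start]: blank, or indented deeper than it."""
    base = _indent(lines[start])
    return list(takewhile(lambda l: not l.strip() or _indent(l) > base, lines[start + 1:]))

def lint_workflow(text):
    """Findings for the issue's two gaps; only x.y.z counts as pinned (assumption)."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    findings = []
    granted = [g for i, l in enumerate(lines) if l.strip() == "permissions:"
               for g in _block(lines, i)]
    if not any(ID_TOKEN.match(g) for g in granted):  # gap 1: id-token permission
        findings.append("permissions block lacks id-token: write")
    for i, line in enumerate(lines):  # gap 2: each opencode step pins version
        m = re.match(r"\s*(?:-\s+)?uses:\s*(\S+)", line)
        if m and m.group(1).startswith(ACTION_PREFIX):
            dashes = [j for j in range(i + 1) if lines[j].lstrip().startswith("- ")]
            start = dashes[-1] if dashes else i  # first line of the enclosing step
            step = [lines[start]] + _block(lines, start)
            inputs = [v for k, s in enumerate(step) if s.strip() == "with:"
                      for v in _block(step, k)]
            if not any(PINNED.match(v) for v in inputs):
                findings.append(f"{m.group(1)}: no pinned version input")
    return findings

# Constructed sample: the permissions the issue quotes plus one action step.
BROKEN = """\
permissions:
  contents: read
  pull-requests: write
  issues: write
jobs:
  review:
    steps:
      - uses: Svtter/opencode-actions/review@v2
"""
FIXED = (BROKEN.replace("issues: write\n", "issues: write\n  id-token: write\n")
         + '        with:\n          version: "1.14.29"\n')
```

Running `lint_workflow` over each template the skill emits (review, feature-missing, spec-coverage) returns an empty list only when both settings are present.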

Labels: bug