ci: address zizmor findings across existing workflows

Resolves all findings exposed by the new zizmor check in PR #471
so the audit can run clean. Verified locally with zizmor v1.24.1
(0 findings, 34 suppressed).

- artipacked: add `persist-credentials: false` to every
  `actions/checkout` step that didn't already set it.
- cache-poisoning: pass `cache: false` to mise-action in
  `ci.yml` (the lint/format job doesn't need a tool cache).
- template-injection: in test.yml's checksum_failure job,
  move `steps.bad.outcome` from inline template into an
  env var consumed by the shell script.
- excessive-permissions: add minimal workflow-level
  `permissions: contents: read` blocks to ci.yml, test.yml,
  and test-redacted-env.yml; move release.yml's workflow-
  level `contents: write` down to the `release` job only,
  with `enhance-release` getting `contents: read`.

postversion.sh now runs `gh auth setup-git` before
`git push` — the checkout uses `persist-credentials: false`,
so the token isn't in .git/config and raw `git push` would
otherwise 403.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.github/workflows/check-dist.yml

@@ -32,6 +32,8 @@ jobs:
       - name: Checkout
         id: checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
 

.github/workflows/ci.yml

@@ -7,6 +7,9 @@ on:
       - main
       - 'releases/*'
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
@@ -20,6 +23,8 @@ jobs:
       - name: Checkout
         id: checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       # `mise.toml` pins both Node and aube; mise-action installs
       # whatever's listed there. Reads `package-lock.json`
@@ -28,6 +33,8 @@ jobs:
       # npm-flat (rollup's `--configPlugin` resolution
       # requires this).
       - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+        with:
+          cache: false
 
       - name: Install Dependencies
         id: aube-ci

.github/workflows/codeql-analysis.yml

@@ -35,6 +35,8 @@ jobs:
       - name: Checkout
         id: checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
         id: initialize

.github/workflows/release-plz.yml

@@ -26,6 +26,7 @@ jobs:
           fetch-depth: 0
           submodules: recursive
           token: ${{ secrets.RELEASE_PLZ_GITHUB_TOKEN }}
+          persist-credentials: false
       - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
       - run: mise run release-plz
         env:

.github/workflows/release.yml

@@ -5,19 +5,21 @@ on:
     types: [closed]
     branches: [main]
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
   release:
     if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'release')
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
 
       - name: Setup mise
         uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
@@ -30,10 +32,13 @@ jobs:
   enhance-release:
     needs: [release]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
       - name: Enhance release notes with communique
         run: |
@@ -41,4 +46,4 @@ jobs:
           communique generate "$TAG_NAME" --github-release
         env:
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
-          GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_GITHUB_TOKEN }}

.github/workflows/test-redacted-env.yml

@@ -7,12 +7,17 @@ on:
     branches: [main]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test-redacted-env:
     runs-on: ubuntu-latest
     
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       
       - name: Create test mise config with sensitive values
         run: |

.github/workflows/test.yml

@@ -8,6 +8,9 @@ on: # rebuild any PRs and main branch changes
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
@@ -17,6 +20,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
       - run: aube install
       - run: aubr all
@@ -43,6 +48,8 @@ jobs:
         if: ${{ matrix.requirements }}
         run: ${{ matrix.requirements }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup mise
         uses: ./
         with:
@@ -65,6 +72,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup mise
         uses: ./
         with:
@@ -90,6 +99,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup mise
         id: bad
         uses: ./
@@ -107,14 +118,18 @@ jobs:
         if: ${{ steps.bad.outcome == 'failure' }}
       - name: not failed as expected
         run: |
-          echo "Expected failure but the job was ${{ steps.bad.outcome }}"
+          echo "Expected failure but the job was ${STEPS_BAD_OUTCOME}"
           exit 1
         if: ${{ steps.bad.outcome != 'failure' }}
+        env:
+          STEPS_BAD_OUTCOME: ${{ steps.bad.outcome }}
 
   custom_cache_key:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup mise with custom cache key
         uses: ./
         with:
@@ -132,6 +147,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup mise from mise.jdx.dev
         uses: ./
         with:

scripts/postversion.sh

@@ -4,6 +4,11 @@ set -euxo pipefail
 VERSION=$(jq -r .version package.json)
 MAJOR_VERSION=$(echo "$VERSION" | cut -d. -f1)
 
+# Configure git to use gh's credential helper. The checkout step uses
+# persist-credentials: false (per zizmor's artipacked audit), so the
+# token isn't written to .git/config and raw `git push` would 403.
+gh auth setup-git
+
 # create the version tag (allow it to fail if it already exists)
 git tag "v$VERSION" || echo "Tag v$VERSION already exists locally"