ci: address zizmor findings across existing workflows

Resolves all findings exposed by the new zizmor check in PR #471
so the audit can run clean. Verified locally with zizmor v1.24.1
(0 findings, 34 suppressed).

- artipacked: add `persist-credentials: false` to every
  `actions/checkout` step that didn't already set it.
- cache-poisoning: pass `cache: false` to mise-action in
  `ci.yml` (the lint/format job doesn't need a tool cache).
- template-injection: in test.yml's checksum_failure job,
  move `steps.bad.outcome` from inline template into an
  env var consumed by the shell script.
- excessive-permissions: add minimal workflow-level
  `permissions: contents: read` blocks to ci.yml, test.yml,
  and test-redacted-env.yml; move release.yml's workflow-
  level `contents: write` down to the `release` job only,
  with `enhance-release` getting `contents: read`.

postversion.sh now runs `gh auth setup-git` before
`git push` — the checkout uses `persist-credentials: false`,
so the token isn't in .git/config and raw `git push` would
otherwise 403.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.github/workflows/codeql-analysis.yml

@@ -35,6 +35,8 @@ jobs:
       - name: Checkout
         id: checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
         id: initialize