ci: address zizmor findings across existing workflows

Resolves all findings exposed by the new zizmor check in PR #471
so the audit can run clean. Verified locally with zizmor v1.24.1
(0 findings, 34 suppressed).

- artipacked: add `persist-credentials: false` to every
  `actions/checkout` step that didn't already set it.
- cache-poisoning: pass `cache: false` to mise-action in
  `ci.yml` (the lint/format job doesn't need a tool cache).
- template-injection: in test.yml's checksum_failure job,
  move `steps.bad.outcome` from inline template into an
  env var consumed by the shell script.
- excessive-permissions: add minimal workflow-level
  `permissions: contents: read` blocks to ci.yml, test.yml,
  and test-redacted-env.yml; move release.yml's workflow-
  level `contents: write` down to the `release` job only,
  with `enhance-release` getting `contents: read`.

postversion.sh now runs `gh auth setup-git` before
`git push` — the checkout uses `persist-credentials: false`,
so the token isn't in .git/config and raw `git push` would
otherwise 403.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

scripts/postversion.sh

@@ -4,6 +4,11 @@ set -euxo pipefail
 VERSION=$(jq -r .version package.json)
 MAJOR_VERSION=$(echo "$VERSION" | cut -d. -f1)
 
+# Configure git to use gh's credential helper. The checkout step uses
+# persist-credentials: false (per zizmor's artipacked audit), so the
+# token isn't written to .git/config and raw `git push` would 403.
+gh auth setup-git
+
 # create the version tag (allow it to fail if it already exists)
 git tag "v$VERSION" || echo "Tag v$VERSION already exists locally"