## Summary
- Follow-up to [#471](https://github.com/jdx/mise-action/pull/471): the
release-plz checkout now uses `persist-credentials: false`, so the token
isn't written to `.git/config` and `git push origin release --force` in
[scripts/release-plz.sh](scripts/release-plz.sh) would 403.
- Mirror the workaround already applied to
[scripts/postversion.sh:9](scripts/postversion.sh:9) by calling `gh auth
setup-git` after the `git config user.{name,email}` block, before any
`git push`.
Flagged by Cursor Bugbot on
https://github.com/jdx/mise-action/pull/471#pullrequestreview-4275760577.
## Test plan
- [ ] Next scheduled release-plz run (or manual `workflow_dispatch`)
successfully pushes the `release` branch without a 403.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk CI-only change that affects the release automation path; main
impact is whether the workflow can successfully push the `release`
branch.
>
> **Overview**
> Fixes the `scripts/release-plz.sh` release automation to run `gh auth
setup-git` after setting the git author, ensuring `git push` works when
`actions/checkout` uses `persist-credentials: false`.
>
> This prevents 403 failures when pushing the forced `release` branch
during automated version bump PR creation.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
f69419101e. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds [zizmor](https://github.com/zizmorcore/zizmor) to audit GitHub
Actions workflows for security issues. Runs on push to main and on PRs
that change `.github/workflows/**`. Fails CI on any finding.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Mostly CI/workflow hardening, but it also changes release automation
(`postversion.sh`) and workflow permissions/credentials behavior, which
could break tagging/publishing if misconfigured.
>
> **Overview**
> Adds a new `zizmor` workflow that runs on PRs/pushes touching
`.github/workflows/**` to security-audit workflows.
>
> Hardens existing workflows by defaulting to least-privilege
`permissions`, setting `actions/checkout` to `persist-credentials:
false`, and adjusting related behavior (e.g., `scripts/postversion.sh`
now runs `gh auth setup-git` so `git push` still works; `ci.yml`
disables `mise-action` caching; `test.yml` avoids interpolating
`steps.bad.outcome` inside a shell string by passing it via env).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
d878aee510. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Change test tool for future alpine CI testing
* replace node with jq as it doesnt require any build on alpine
* Fix alpine musl container install
* add tests around mise install in alpine container
* add support for musl os
Fixes: https://github.com/jdx/mise-action/issues/186
* alpine needs bash to run test.sh script
* remove unneeded logs
* Update test.yml
* Update test.yml
