Resolves all findings exposed by the new zizmor check in PR #471
so the audit can run clean. Verified locally with zizmor v1.24.1
(0 findings, 34 suppressed).
- artipacked: add `persist-credentials: false` to every
`actions/checkout` step that didn't already set it.
- cache-poisoning: pass `cache: false` to mise-action in
`ci.yml` (the lint/format job doesn't need a tool cache).
- template-injection: in test.yml's checksum_failure job,
move `steps.bad.outcome` from inline template into an
env var consumed by the shell script.
- excessive-permissions: add minimal workflow-level
`permissions: contents: read` blocks to ci.yml, test.yml,
and test-redacted-env.yml; move release.yml's workflow-
level `contents: write` down to the `release` job only,
with `enhance-release` getting `contents: read`.
postversion.sh now runs `gh auth setup-git` before
`git push` — the checkout uses `persist-credentials: false`,
so the token isn't in .git/config and raw `git push` would
otherwise 403.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
