chore: migrate workflow linting to mise-managed tools (#2656)

* chore: migrate workflow linting to mise-managed tools

Replace curl-downloaded actionlint and uvx-based zizmor with
mise-managed versions. Remove the shell script wrapper and call
tools directly from package.json. Fix zizmor findings by adding
GitHub Environment for secrets and persist-credentials: false.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* fix: remove zizmor config reference from actions-lint workflow

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>

Author: devmgn

.github/workflows/actions-lint.yml

@@ -32,7 +32,5 @@ jobs:
 
       - name: zizmor
         uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
-        with:
-          config: .github/zizmor.yml
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/update-msw.yml

@@ -16,25 +16,29 @@ jobs:
   UpdateMSW:
     if: github.event_name == 'workflow_dispatch' || startsWith(github.ref_name, 'renovate/')
     runs-on: ubuntu-24.04
+    environment: bot
     timeout-minutes: 10
     permissions:
       contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.PUSH_TOKEN }}
+          persist-credentials: false
 
       - name: Setup Project
         uses: ./.github/actions/setup
 
       - name: Update and commit mockServiceWorker.js
+        env:
+          PUSH_TOKEN: ${{ secrets.PUSH_TOKEN }}
         run: |
           pnpm msw init public --save
           git add public/mockServiceWorker.js
           if ! git diff --staged --quiet; then
             git config user.name "github-actions[bot]"
             git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+            git remote set-url origin "https://x-access-token:${PUSH_TOKEN}@github.com/${{ github.repository }}.git"
             git commit -m "chore: update mockServiceWorker.js"
             git push
           fi

.github/zizmor.yml

@@ -1,3 +1,4 @@
-nodejs 24.14.0
-pnpm 10.32.1
-uv 0.11.0
+actionlint 1.7.11
+nodejs     24.14.0
+pnpm       10.32.1
+zizmor     1.23.1

.tool-versions

@@ -10,7 +10,7 @@
     "fix": "pnpm lint:fix && pnpm fmt:fix",
     "lint": "oxlint",
     "lint:fix": "oxlint --fix",
-    "lint:workflows": "bash scripts/lint-workflows.sh",
+    "lint:workflows": "actionlint -color && zizmor .github/workflows/",
     "fmt": "oxfmt --check .",
     "fmt:fix": "oxfmt --write .",
     "knip": "knip --strict --cache",