Fix CI workflow: actionlint install, zizmor, and permissions

- Use actionlint's official download script instead of hardcoded URL
  missing the version number in the asset filename
- Use pipx run for zizmor to avoid PATH and PEP 668 issues
- Add explicit permissions: contents: read to both workflows to
  satisfy zizmor's excessive-permissions audit

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.github/workflows/ci.yml

@@ -18,6 +18,9 @@ on:
       - ".gitignore"
       - ".github/workflows/deploy.yml"
 
+permissions:
+  contents: read
+
 jobs:
   backend-lint:
     runs-on: ubuntu-latest
@@ -45,14 +48,12 @@ jobs:
           persist-credentials: false
       - name: Install actionlint
         run: |
-          curl -sL https://github.com/rhysd/actionlint/releases/latest/download/actionlint_linux_amd64.tar.gz | tar xz
+          bash <(curl -sL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
           sudo mv actionlint /usr/local/bin/
       - name: Lint GitHub Actions
         run: actionlint
-      - name: Install zizmor
-        run: pip install zizmor
       - name: Audit GitHub Actions security
-        run: zizmor .github/workflows/
+        run: pipx run zizmor .github/workflows/
 
   frontend-lint:
     runs-on: ubuntu-latest

.github/workflows/deploy.yml

@@ -3,6 +3,9 @@ name: Deploy
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     runs-on: ubuntu-latest