- Use actionlint's official download script instead of hardcoded URL
missing the version number in the asset filename
- Use pipx run for zizmor to avoid PATH and PEP 668 issues
- Add explicit permissions: contents: read to both workflows to
satisfy zizmor's excessive-permissions audit
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
