ci: Fix zizmor warnings

Author: koki-develop

.github/workflows/ci.yml

@@ -16,6 +16,7 @@ permissions: {}
 
 jobs:
   lint:
+    name: Lint
     timeout-minutes: 10
     runs-on: ubuntu-latest
     permissions:
@@ -28,6 +29,7 @@ jobs:
       - run: bun run lint
 
   build:
+    name: Build
     timeout-minutes: 10
     runs-on: ubuntu-latest
     permissions:
@@ -40,6 +42,7 @@ jobs:
       - run: bun run build
 
   typecheck:
+    name: Type Check
     timeout-minutes: 10
     runs-on: ubuntu-latest
     permissions:
@@ -52,6 +55,7 @@ jobs:
       - run: bun run typecheck
 
   test:
+    name: Test
     timeout-minutes: 10
     runs-on: ubuntu-latest
     permissions:

.github/workflows/claude-renovate-review.yml

@@ -14,12 +14,13 @@ concurrency:
 
 jobs:
   claude-renovate-review:
+    name: Claude Renovate Review
     if: github.event.pull_request.user.login == 'renovate[bot]'
     timeout-minutes: 30
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      pull-requests: write
+      pull-requests: write # Required to post review comments
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:

.github/workflows/github-actions-lint.yml

@@ -18,6 +18,7 @@ concurrency:
 
 jobs:
   actionlint:
+    name: actionlint
     timeout-minutes: 5
     runs-on: ubuntu-latest
     permissions:
@@ -29,6 +30,7 @@ jobs:
       - uses: koki-develop/github-actions-lint/actionlint@62dfef5c9854a07712bad7af3bee7edb0c1109b1 # v1.4.1
 
   ghalint:
+    name: ghalint
     timeout-minutes: 5
     runs-on: ubuntu-latest
     permissions:
@@ -42,6 +44,7 @@ jobs:
           action-path: ./.github/actions/**/action.yml
 
   zizmor:
+    name: zizmor
     timeout-minutes: 5
     runs-on: ubuntu-latest
     permissions:

.github/workflows/release-please.yml

@@ -13,11 +13,12 @@ permissions: {}
 
 jobs:
   release-please:
+    name: Release Please
     timeout-minutes: 10
     permissions:
-      contents: write
-      pull-requests: write
-      issues: write
+      contents: write # Required to create releases and tags
+      pull-requests: write # Required to create and update release PRs
+      issues: write # Required to comment on issues
     runs-on: ubuntu-latest
     outputs:
       should-release: ${{ steps.release-please.outputs.release_created }}
@@ -32,11 +33,13 @@ jobs:
           token: ${{ github.token }}
 
   publish:
+    name: Publish
     needs: release-please
     timeout-minutes: 10
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      id-token: write # Required for npm provenance
     if: ${{ needs.release-please.outputs.should-release == 'true' }}
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -46,12 +49,5 @@ jobs:
       - uses: ./.github/actions/setup
 
       - name: Create .npmrc
-        run: |
-          (
-            # shellcheck disable=SC2016
-            echo '//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}'
-            echo 'registry=https://registry.npmjs.org'
-          ) > .npmrc
-      - run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: echo 'registry=https://registry.npmjs.org' > .npmrc
+      - run: npm publish # zizmor: ignore[use-trusted-publishing]