[chore] pin version for npm tooling (#10905)

The repo uses markdown-link-check and not having a package.json file to
pin the version causes dependabot security checks sadness. Following the
same pattern as the specification repo for storing package.json in the
root of the repo.

---------

Signed-off-by: Alex Boten <[email protected]>

Author: codeboten

.github/workflows/changelog.yml

@@ -77,10 +77,10 @@ jobs:
       - name: Render .chloggen changelog entries
         run: make chlog-preview > changelog_preview.md
       - name: Install markdown-link-check
-        run: npm install -g markdown-link-check
+        run: npm install
       - name: Run markdown-link-check
         run: |
-          markdown-link-check \
+          npx --no -- markdown-link-check \
             --verbose \
             --config .github/workflows/check_links_config.json \
             changelog_preview.md \

.github/workflows/check-links.yaml

@@ -1,7 +1,7 @@
 name: check-links
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
 
 concurrency:
@@ -39,11 +39,11 @@ jobs:
           fetch-depth: 0
 
       - name: Install markdown-link-check
-        run: npm install -g [email protected]
+        run: npm install
 
       - name: Run markdown-link-check
         run: |
-          markdown-link-check \
+          npx --no -- markdown-link-check \
             --verbose \
             --config .github/workflows/check_links_config.json \
             ${{needs.changedfiles.outputs.md}} \

.gitignore

@@ -31,3 +31,8 @@ benchmarks.txt
 
 # golang
 go.work*
+
+# npm (used for markdown-link-check)
+node_modules/*
+package-lock.json
+

package.json

@@ -0,0 +1,5 @@
+{
+  "devDependencies": {
+    "markdown-link-check": "^3.11.2"
+  }
+}