ci: update deploy workflow from semantic-release docs

See <https://semantic-release.gitbook.io/semantic-release/recipes/ci-configurations/github-actions>

Author: cwillisf

.github/workflows/ci-cd.yml

@@ -15,17 +15,21 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  contents: write # publish a GitHub release
-  pages: write # deploy to GitHub Pages
-  issues: write # comment on released issues
-  pull-requests: write # comment on released pull requests
-  id-token: write # allows GHA to generate OIDC tokens
+  contents: read # checkout
 
 jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # publish a GitHub release
+      id-token: write # allows GHA to generate OIDC tokens
+      issues: write # comment on released issues
+      pages: write # deploy to GitHub Pages
+      pull-requests: write # comment on released pull requests
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        with:
+          persist-credentials: false # automatic GITHUB_TOKEN would interfere with custom one in semantic-release step
 
       - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
         with:
@@ -47,6 +51,9 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
+      - name: Audit npm signatures
+        run: npm audit signatures
+
       - name: Setup & Test
         run: |
           mkdir -p ./test/results