fix(ci): repair broken weekly-update workflow YAML (#73)

* fix(ci): repair broken weekly-update workflow YAML

The workflow was invalid YAML since creation — the `gh pr create --body`
multiline string had unindented continuation lines that broke the YAML
block scalar. Also fixes exit code capture (PIPESTATUS instead of $?)
after pipe to tee, and adds token-based auth for git push since
persist-credentials is disabled.

* chore: add zizmor config to disable secrets-outside-env

* fix: wrap zizmor config under rules key

Author: jdalton

.github/workflows/weekly-update.yml

@@ -107,12 +107,15 @@ jobs:
             exit 0
           fi
 
+          set +e
           claude --print --dangerously-skip-permissions \
             --model sonnet \
             "/updating - Run the updating skill to update all dependencies. Create atomic commits for each update. You are running in CI mode - skip builds and tests. Do not push or create a PR." \
             2>&1 | tee claude-output.log
+          CLAUDE_EXIT=${PIPESTATUS[0]}
+          set -e
 
-          if [ $? -eq 0 ]; then
+          if [ "$CLAUDE_EXIT" -eq 0 ]; then
             echo "success=true" >> $GITHUB_OUTPUT
           else
             echo "success=false" >> $GITHUB_OUTPUT
@@ -130,8 +133,11 @@ jobs:
       - name: Push branch
         if: steps.claude.outputs.success == 'true' && steps.changes.outputs.has-changes == 'true'
         env:
+          GH_TOKEN: ${{ github.token }}
           BRANCH_NAME: ${{ steps.branch.outputs.branch }}
-        run: git push origin "$BRANCH_NAME"
+        run: |
+          git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
+          git push origin "$BRANCH_NAME"
 
       - name: Create Pull Request
         if: steps.claude.outputs.success == 'true' && steps.changes.outputs.has-changes == 'true'
@@ -141,27 +147,27 @@ jobs:
         run: |
           COMMITS=$(git log --oneline origin/main..HEAD)
           COMMIT_COUNT=$(git rev-list --count origin/main..HEAD)
+          PR_BODY="## Weekly Dependency Update
 
-          gh pr create \
-            --title "chore(deps): weekly dependency update ($(date +%Y-%m-%d))" \
-            --body "## Weekly Dependency Update
+          Automated weekly update of npm packages.
 
-Automated weekly update of npm packages.
+          ### Commits (${COMMIT_COUNT})
 
-### Commits (${COMMIT_COUNT})
+          <details>
+          <summary>View commit history</summary>
 
-<details>
-<summary>View commit history</summary>
+          \`\`\`
+          ${COMMITS}
+          \`\`\`
 
-\`\`\`
-${COMMITS}
-\`\`\`
+          </details>
 
-</details>
+          ---
 
----
-
-<sub>Generated by [weekly-update.yml](.github/workflows/weekly-update.yml)</sub>" \
+          <sub>Generated by [weekly-update.yml](.github/workflows/weekly-update.yml)</sub>"
+          gh pr create \
+            --title "chore(deps): weekly dependency update ($(date +%Y-%m-%d))" \
+            --body "$PR_BODY" \
             --draft \
             --head "$BRANCH_NAME" \
             --base main

.github/zizmor.yml

@@ -0,0 +1,3 @@
+rules:
+  secrets-outside-env:
+    disable: true