ci(lint): scope super-linter to changed files + repo's actual languages (#68)

* ci(lint): only validate changed files, scope linters to languages in repo

Lint was running on `claude/**` push events with no DEFAULT_BRANCH and
no VALIDATE_ALL_CODEBASE setting, causing super-linter to fall back to
scanning the whole repo. That surfaced unrelated pre-existing failures
(Python, TypeScript, HTML, Markdown linters firing on files no PR ever
touched) and made the check effectively unmergeable for any branch.

Changes:

- Add `master` to push/PR branch filters so the default branch is
  actually linted (it had `total_count: 0` runs before this).
- Set `DEFAULT_BRANCH: master` so super-linter can diff against the
  right base in push events.
- Set `VALIDATE_ALL_CODEBASE: false` explicitly to enforce
  changed-files-only behavior.
- Disable the language linters that don't apply to this repo's actual
  content (no Python, TypeScript, HTML, or natural-language prose to
  lint). Keep BASH, YAML, GitHub Actions, JSON, Checkov, Markdown,
  and codespell.

* ci(lint): satisfy yamllint/prettier/zizmor on lint.yml itself

- add `---` document start
- quote `"on":` so yamllint's truthy rule stops fighting prettier
- pin actions/checkout and super-linter to SHA (zizmor unpinned-uses)
- add persist-credentials: false on checkout

Author: duyet

.github/workflows/lint.yml

@@ -1,13 +1,17 @@
+---
 name: Lint
 
-on: # yamllint disable-line rule:truthy
+# yamllint disable rule:truthy
+"on":
   push:
     branches:
       - main
+      - master
       - "claude/**"
   pull_request:
     branches:
       - main
+      - master
 
 permissions: {}
 
@@ -23,12 +27,32 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        # actions/checkout v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
           persist-credentials: false
 
       - name: Super-linter
-        uses: super-linter/super-linter@v8.6.0
+        # super-linter v8.6.0
+        uses: super-linter/super-linter@9e863354e3ff62e0727d37183162c4a88873df41
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DEFAULT_BRANCH: master
+          VALIDATE_ALL_CODEBASE: false
+          VALIDATE_BASH: true
+          VALIDATE_BASH_EXEC: true
+          VALIDATE_CHECKOV: true
+          VALIDATE_GITHUB_ACTIONS: true
+          VALIDATE_GITHUB_ACTIONS_ZIZMOR: true
+          VALIDATE_GITLEAKS: true
+          VALIDATE_GIT_MERGE_CONFLICT_MARKERS: true
+          VALIDATE_JSON: true
+          VALIDATE_JSON_PRETTIER: true
+          VALIDATE_MARKDOWN: true
+          VALIDATE_MARKDOWN_PRETTIER: true
+          VALIDATE_RENOVATE: true
+          VALIDATE_SHELL_SHFMT: true
+          VALIDATE_TRIVY: true
+          VALIDATE_YAML: true
+          VALIDATE_YAML_PRETTIER: true