chore: harden GitHub Actions (P-2208) (#28)

- Delete with-next-app-router/.github/workflows/lint.yaml (stale; nested
  path GHA never executes; pinned actions/checkout@master)
- build.yml: add workflow-level permissions: contents: read
- build.yml: persist-credentials: false on all 3 checkouts
- build.yml: quote $AUDIT_LEVEL in pnpm audit (SC2086)

Refs P-2208.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: keiloktql

.github/workflows/build.yml

@@ -1,5 +1,8 @@
 name: Build Examples
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [main]
@@ -14,6 +17,8 @@ jobs:
       any: ${{ steps.set.outputs.any }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3.0.3
         id: filter
         with:
@@ -118,6 +123,8 @@ jobs:
     name: ${{ matrix.name }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
@@ -200,6 +207,8 @@ jobs:
     name: audit (${{ matrix.name }})
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
@@ -221,4 +230,4 @@ jobs:
           # unfixable transitive findings (e.g. bigint-buffer has no
           # patched upstream release yet).
           AUDIT_LEVEL: ${{ matrix.audit || 'high' }}
-        run: pnpm audit --prod --audit-level=$AUDIT_LEVEL
+        run: pnpm audit --prod --audit-level="$AUDIT_LEVEL"