default GITHUB_TOKEN is taking precedence over the app's token

[derekmisler]

Related Issues

Closes: https://github.com/docker/gordon/issues/391

Summary

When actions/checkout runs with its default persist-credentials: true, it saves the built-in GITHUB_TOKEN into the local git config. This token takes precedence over the GitHub App token configured by the subsequent Setup credentials step, causing auth failures for operations that need the app's elevated permissions.

This PR fixes the credential precedence issue in release.yml, ensures test.yml builds the action before integration tests, and adds tooling for running workflows locally with act.

Changes

• .github/workflows/release.yml — added persist-credentials: false to all four actions/checkout steps (release, post-release-update, publish-release, major-publish jobs) so the default GITHUB_TOKEN is not persisted in git config and the app token wins
• .github/workflows/test.yml — combined the install and build steps (pnpm install --frozen-lockfile && pnpm build) so the action is compiled before the integration test runs
• scripts/act-local.sh — new helper script for running workflows locally via act; fetches GitHub App credentials from 1Password, generates an installation token via @octokit/auth-app, and passes them to act through a temp env file
• .actrc — configures act defaults (amd64 architecture, node:24-bookworm image)
• .gitignore — added act-related temp files (.input, .secrets); .actrc is intentionally committed
• biome.json — excluded .pnpm-store from linting/formatting

---

Tip

Comment /review to trigger the PR Reviewer agent for automated feedback.
Comment /describe to generate a PR description.