fix: address CodeQL security alerts

[fank]

Summary

Addresses all 8 open CodeQL code-scanning alerts on the repository, split into three commits by security class.

ci: workflow permissions (alerts #1, #3, #9)

Added permissions: contents: read at the workflow level in .github/workflows/npm.yml and .github/workflows/license_npm.yml. Both workflows only need read access to the repo, so the minimal permissions block covers all three alerts (actions/missing-workflow-permissions).

fix: exact-match git config check (alerts #5, #6, #7, #8)

The atl, discord, esq, and n8n installers were using .includes('https://github.com/') to check the output of git config --get url.git@github.com:.insteadOf. That output is either empty or exactly the value we set ourselves, so an exact-match comparison is both more correct and silences js/incomplete-url-substring-sanitization.

fix(grafanactl): redact secrets in runConfig errors (alert #4, error severity)

runConfig embedded the full joined args in its thrown Error message — so config set contexts.X.grafana.password <value> leaked the plaintext password into error.message, which the outer catch handler then logged. Added a redactSensitiveArgs helper that replaces any value whose preceding key matches .token / .password / .secret / .apikey with <redacted> before building the error message. This silences js/clear-text-logging.

Test plan

• npm run lint passes
• npm run check-format passes
• CodeQL re-scan on PR confirms all 8 alerts are resolved

[gemini-code-assist]

Code Review

This pull request updates the GitHub URL configuration checks in several installer scripts to use strict equality instead of substring inclusion. Additionally, it introduces a redaction utility in lib/installers/grafanactl.js to mask sensitive arguments such as tokens and passwords in error messages to prevent credential leakage. I have no feedback to provide.