fix(ci): resolve super-linter failures

- Set DEFAULT_BRANCH to current branch to fix 'master not found' error
- Use fetch-depth: 0 so GITHUB_BEFORE_SHA can be resolved
- Set update_etl.sh executable bit (BASH_EXEC)
- Fix .codespellrc tab indentation (EDITORCONFIG)
- Add .gitleaks.toml allowlist for GA4 Measurement Protocol API secret (GITLEAKS)
- Fix .markdown-lint.yml: disable MD030/MD013/MD033/MD041/MD051 to match
  existing repo style (MARKDOWN)

Author: dgibbs64

.github/linters/.codespellrc

@@ -1,11 +1,11 @@
 [codespell]
 # Skip data tables that contain many short server identifiers (e.g. "fof", "nd")
 skip =
-	lgsm/data/*.csv,
-	package-lock.json,
-	*/package-lock.json,
-	node_modules,
-	*/node_modules/*
+    lgsm/data/*.csv,
+    package-lock.json,
+    */package-lock.json,
+    node_modules,
+    */node_modules/*
 
 # Ignore common identifiers/acronyms and extensions used throughout LinuxGSM
 ignore-words-list = distroname,fof,nd,sav,parms,ThirdParty

.github/linters/.gitleaks.toml

@@ -0,0 +1,9 @@
+title = "LinuxGSM Gitleaks Config"
+
+[allowlist]
+  description = "Known false positives"
+  regexes = [
+    # Google Analytics 4 Measurement Protocol API secret - not a sensitive credential,
+    # it is intentionally embedded in client-side code and is safe to be public.
+    '''apisecret="[A-Za-z0-9_\-]+"''',
+  ]

.github/linters/.markdown-lint.yml

@@ -12,12 +12,9 @@ MD013: false
 # MD033: The main README uses inline HTML for badges.
 MD033: false
 
-# Match existing list formatting in this repo.
+# MD007: Repo uses 2-space indentation for nested lists.
 MD007:
-  indent: 4
+  indent: 2
 
-MD030:
-  ul_single: 3
-  ol_single: 2
-  ul_multi: 3
-  ol_multi: 2
+# MD030: Repo mixes 1-space unordered and 2-space ordered list markers.
+MD030: false

.github/workflows/action-super-linter.yml

@@ -27,9 +27,8 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v6
         with:
-          # Shallow clone reduces transient fetch failures (HTTP 500) from GitHub.
-          # We lint the whole codebase instead of relying on git history.
-          fetch-depth: 1
+          # Full clone required so super-linter can resolve GITHUB_BEFORE_SHA.
+          fetch-depth: 0
           fetch-tags: false
           persist-credentials: false
 
@@ -42,6 +41,7 @@ jobs:
         env:
           # To report GitHub Actions status checks
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DEFAULT_BRANCH: ${{ github.ref_name }}
           VALIDATE_BIOME_FORMAT: false
           VALIDATE_BIOME_LINT: false
           VALIDATE_GITHUB_ACTIONS_ZIZMOR: false