
[codex] Harden site workflows and template escaping #16

Merged
systemreliability merged 4 commits into main from codex/harden-site-workflows-and-templates on May 2, 2026

Conversation

@systemreliability
Owner

Summary

This draft PR hardens the site build/deploy path and a couple of template surfaces found during the code review.

  • Split the deploy workflow so PR builds run with repository contents: read, while deployment-only runs get contents: write.
  • Removed fjogeleit/yaml-update-action@main and replaced it with a local Ruby one-liner in the deploy-only job.
  • Pinned remaining GitHub Actions in the deploy workflow to the commit SHAs currently resolved from their version refs.
  • Escaped Distill front matter values with Liquid jsonify before embedding them into the JSON script block.
  • Removed the global PlumX popup script from the shared head include and now load it only on the publications page over explicit HTTPS.

How to check

  1. Open the Files changed tab and confirm only these files changed:
    • .github/workflows/deploy.yml
    • _layouts/distill.liquid
    • _includes/head.liquid
    • _pages/publications.md
  2. Wait for PR checks to finish. The important one for this change is the Deploy site / build workflow on the pull request.
  3. In the Actions logs for the PR build, confirm the workflow has only read-level repository permissions and no Deploy step runs.
  4. Review the rendered diff for _layouts/distill.liquid and verify the generated JSON values now use jsonify.
  5. After merging, watch the push-triggered Deploy site / deploy workflow. It should build and deploy normally.

Final merge path

  • Keep this PR as draft until the PR build check is green.
  • When satisfied, click Ready for review, then Squash and merge or Merge pull request into main.
  • After merge, verify the live site and the publications page, especially publication badges/PlumX popups.

Notes

This intentionally does not change the broader al-folio templates or content data. It focuses on the review findings with the largest risk surface: PR token permissions, mutable workflow action refs, JSON escaping in Distill front matter, and duplicate protocol-relative PlumX script loading.
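Two of the review findings above (mutable action refs such as `@main`, and `contents: write` reaching pull-request builds) can be checked mechanically rather than by reading the Actions log. The script below is an added example and is not code from this PR or from the al-folio project; it scans a workflow file line by line (no YAML library needed) and flags every `uses:` whose ref is not a full 40-character commit SHA, then reports which scopes request `contents: write` and whether those jobs are gated to push events. The embedded workflow is constructed for the demo, and the checkout SHA in it is a placeholder, not a real `actions/checkout` commit.

```python
import re

# Constructed sample workflow (not the repository's real deploy.yml): a two-job
# layout with a read-only build job and a push-only deploy job, seeded with the
# kinds of refs the PR removed. The checkout SHA is a placeholder, not a real
# actions/checkout commit.
SAMPLE_WORKFLOW = """\
name: Deploy site
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - uses: ruby/setup-ruby@v1
      - uses: fjogeleit/yaml-update-action@main
      - run: bundle exec jekyll build
  deploy:
    if: github.event_name == 'push'
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-publish
      - run: ruby -e 'puts "deploy"'
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def find_unpinned_actions(workflow_text):
    """Return (line_no, ref) for each `uses:` not pinned to a full commit SHA.

    Local actions (./path) and docker:// refs are skipped: they are not
    fetched from a mutable third-party tag or branch.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")  # empty when there is no '@' at all
        if not SHA_RE.match(version):
            findings.append((line_no, ref))
    return findings


def job_permission_report(workflow_text):
    """Map 'workflow' (top level) and each job name to whether it requests
    contents: write and whether it carries an `if:` gating it to push events."""
    in_jobs = False
    scope = "workflow"
    report = {"workflow": {"write": False, "push_gated": False}}
    for line in workflow_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # a new top-level key; only `jobs:` opens job scopes
            in_jobs = stripped.startswith("jobs:")
            scope = "workflow"
            continue
        if in_jobs and indent == 2 and stripped.endswith(":"):
            scope = stripped[:-1]
            report.setdefault(scope, {"write": False, "push_gated": False})
        if re.match(r"contents:\s*write\b", stripped):
            report[scope]["write"] = True
        if stripped.startswith("if:") and "github.event_name == 'push'" in stripped:
            report[scope]["push_gated"] = True
    return report


def write_scopes_are_push_only(report):
    """True when the top level grants no write and every job requesting
    contents: write is gated to push events (the property the PR describes)."""
    return all(
        not info["write"] or (scope != "workflow" and info["push_gated"])
        for scope, info in report.items()
    )


if __name__ == "__main__":
    for line_no, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: unpinned action ref {ref}")
    report = job_permission_report(SAMPLE_WORKFLOW)
    print("write scopes push-only:", write_scopes_are_push_only(report))
```

Run against a real `.github/workflows/deploy.yml`, the unpinned-ref list should be empty after this PR and the only `contents: write` scope should be the push-gated deploy job; both checks are cheap enough to run in the PR build itself.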

@systemreliability systemreliability marked this pull request as ready for review May 2, 2026 20:56
@systemreliability systemreliability merged commit 7350707 into main May 2, 2026
7 checks passed
