fix: post-v0.2.0 review P1s + CI hygiene (v0.2.1)

Security:
- render-link: drop `| safeHTML` on .Text (self-XSS surface w/ Goldmark unsafe:true)
- projects.html: safeURL + noreferrer + target=_blank on repo/demo
- comments: require repo+repoId+categoryId in gate (prevent broken Giscus iframe)
- htmltest-action: pin to commit SHA 31be84a (supply-chain)

Fixed:
- seo.html: nil-safe $authorURL chain (no nil.url template error)
- nav.html: relURL on Menu.URL (sub-path deploy correctness)
- pages.yml: drop dead if-find Pagefind guard
2026-05-10 03:04:58 +07:00
parent bde8b8de63
commit 1eafaefff8
7 changed files with 33 additions and 14 deletions
+3 -8
@@ -45,12 +45,7 @@ jobs:
run: hugo --gc --minify --baseURL "https://tiennm99.github.io/tsuki/"
- name: Build Pagefind index
run: |
if find exampleSite/public -name "*.html" -type f | head -1 | grep -q .; then
npx pagefind --site exampleSite/public
else
echo "No HTML files found yet (layouts not implemented). Skipping Pagefind."
fi
run: npx pagefind --site exampleSite/public
- name: Assert CSS bundle budget (≤ 4200 B gz)
run: |
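Review bot: the replacement line `run: npx pagefind --site exampleSite/public` runs whatever pagefind version npm resolves at job time, which is the same unpinned-dependency problem this commit fixes for htmltest-action one hunk further down. Pin it to an exact version (`npx pagefind@<exact version>`, or add pagefind to a lockfile and install with `npm ci`) so the search index is built by a known release. Dropping the `if find ... | head -1 | grep -q .` guard is otherwise fine: with no HTML in `exampleSite/public` the Pagefind step now fails the job instead of silently skipping, which is the behaviour you want once the layouts exist, and `hugo --gc --minify` in the step above guarantees the directory is populated on success.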
@@ -70,8 +65,8 @@ jobs:
run: ./scripts/smoke-tests.sh exampleSite/public
- name: htmltest (broken internal links + HTML5 validation)
# TODO before v0.2.0 tag: pin @master to a commit SHA (supply-chain hygiene).
uses: wjdp/htmltest-action@master
# Pinned to master SHA (2026-05-10) for supply-chain hygiene. Refresh periodically.
uses: wjdp/htmltest-action@31be84a95c860a331e0cf9a99f71e3eb39d2f86b
with:
config: .htmltest.yml
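Review bot: the new `uses: wjdp/htmltest-action@31be84a95c860a331e0cf9a99f71e3eb39d2f86b` pin is the right move, but the comment above it records only the date, not the ref the SHA corresponds to. Use the usual trailing-comment convention (`uses: wjdp/htmltest-action@31be84a95c860a331e0cf9a99f71e3eb39d2f86b # master, 2026-05-10` or the tag it matches) so Dependabot or Renovate with the `github-actions` ecosystem can bump it; "Refresh periodically" in the comment otherwise has no owner or trigger. Note also that a SHA pin covers only the action repository's contents: if the action builds a Docker image or downloads the htmltest binary at run time, that fetch is still unpinned and is worth checking separately.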