Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 25-31: Replace unpinned, tag-based GH Actions and enable
non-persisted checkout for the Nix step: pin dtolnay/rust-toolchain,
Swatinem/rust-cache, cachix/install-nix-action and actions/checkout references
to specific commit SHAs (not tags) and in the checkout step used for Nix set
persist-credentials: false; update any existing uses of actions/checkout@v4 to
the pinned SHA and add persist-credentials: false under the checkout step that
prepares the Nix environment so the auth token is not persisted.

In @.github/workflows/release.yml:
- Around line 55-56: Update the "Cache Cargo" step that uses
Swatinem/rust-cache@v2 to make the cache read-only for the tag-triggered release
workflow by adding the input flag to disable saving (set save-if: false) under
the step's with: section so the action will not write or update the cache during
this privileged job.
- Around line 50-56: Replace the mutable action tags in the release workflow
with pinned commit SHAs: change dtolnay/rust-toolchain@stable,
Swatinem/rust-cache@v2, and softprops/action-gh-release@v2 to their respective
commit SHA refs so the workflow uses exact commits instead of tags;
additionally, for the Swatinem/rust-cache step (the action named "Cache Cargo")
add the configuration to disable writes (e.g., set the save-if / restore-only
equivalent such as with: save-if: "false" or the action's restore-only option)
so the release run only restores cache and never updates it.

In `@README.md`:
- Around line 133-139: Replace the incorrect markdown link syntax in the bash
example so the git clone command is a valid shell command: change the line
containing "git clone
[https://github.com/akriaueno/why-cli.git](https://github.com/akriaueno/why-cli.git)"
to use a plain URL after git clone (i.e., `git clone
https://github.com/akriaueno/why-cli.git`) so copy/pasting the README's setup
steps works as intended.

In `@src/core.rs`:
- Around line 348-355: The check that decides to use the Flatpak fallback
incorrectly treats explicit paths like "/usr/bin/ls" as missing because
file_name(&origin_path) != command_name; update the conditional in
find_origin_path so it first detects if the original command_name is an explicit
path (contains path separator or starts with '.'), and only perform the
file_name comparison or call find_flatpak_fallback when command_name is not a
path; in other words, skip the file_name(&origin_path) != command_name branch
for explicit paths and fallback to flatpak only when origin_path.is_empty() or
the non-path command's file_name doesn't match.
- Around line 66-72: The pattern list used by detect_provider_by_path contains a
case-mismatched entry "/usr/local/cellar" which will not match Intel macOS
Homebrew installs; update the patterns array (the patterns variable used in
detect_provider_by_path in src/core.rs) to use the correct casing
"/usr/local/Cellar" so the path comparison can match Intel Homebrew prefixes.

---

Nitpick comments:
In `@tests/e2e/Builder.Dockerfile`:
- Line 1: The FROM line uses the mutable tag rust:1.90-bookworm; replace it with
the corresponding immutable digest (e.g. rust@sha256:...) to pin the builder
image so the Rust toolchain no longer drifts — locate the FROM instruction
referencing "rust:1.90-bookworm" in Builder.Dockerfile and update it to the
image digest form fetched from the upstream registry.