fix: audit MEDIUM fixes — merge fallback, service hardening, CI token
- moonarch-waybar: on merge failure, remove the stale output so waybar falls back to the system config (previously it kept running with stale merged data despite the error notification claiming otherwise).
- moonarch-doctor: hoist INSTALLED assignment above both OFFICIAL and AUR blocks so the script survives set -u when only aur.txt is present.
- zshrc parse_git_branch: gate on git rev-parse and replace three grep subshells with bash pattern matching, cutting prompt latency from ~5 subprocesses per render to 2 (status + symbolic-ref).
- moonarch-batsaver.service: validate the threshold is an integer 1-100 before writing to sysfs, add NoNewPrivileges and protection directives instead of relying on kernel validation alone.
- ci/act-runner/Dockerfile: drop the broad "pacman -Sy *" sudoers entry (only -S --needed is required by makepkg), and pin run.sh to act_runner:0.3.1 so it cannot drift ahead of the pinned binary.
- .gitea/workflows/update-pkgver.yaml: push via credential.helper=store with a chmod 600 temp file instead of `git -c http.extraHeader=...`, so the token no longer shows up in /proc/PID/cmdline.
@@ -109,8 +109,11 @@ section "Packages"
OFFICIAL="/usr/share/moonarch/official.txt"
AUR="/usr/share/moonarch/aur.txt"
# Hoist INSTALLED so the AUR block below can use it even if OFFICIAL is absent —
# otherwise `set -u` aborts the script when $INSTALLED is referenced unset.
INSTALLED=$(pacman -Qq 2>/dev/null)
if [[ -f "$OFFICIAL" ]]; then
INSTALLED=$(pacman -Qq 2>/dev/null)
MISSING_OFFICIAL=()
while IFS= read -r pkg; do
[[ "$pkg" =~ ^[[:space:]]*# ]] && continue
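Review bot: the hunk shows `INSTALLED=$(pacman -Qq 2>/dev/null)` twice, once hoisted above `if [[ -f "$OFFICIAL" ]]; then` and once again inside that block; if the inner assignment survives this change it is now redundant and runs pacman a second time on every doctor invocation, so drop it and rely on the hoisted value. Separately, because stderr is discarded and the exit status is not checked, a failing `pacman -Qq` leaves INSTALLED set but empty, which satisfies `set -u` yet makes every package in official.txt and aur.txt read as missing; consider testing the command's status (or `[[ -n "$INSTALLED" ]]`) and reporting a clear error before the comparison loops run.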