fix: don't interfere with repo package.json

[allejo]

💌 Description

This action will do an npm install @actions/tool-cache, by default in the current working directory. There is a configurable inputs.working-directory, but I haven't tested to see if using that will change the behavior I'm seeing.

Regardless of the configurable working directory, running npm install <package> in a JavaScript repository will modify package.json, its lockfile, and run lifecycle scripts. This can cause side effects because a GitHub action is unintentionally modifying the cloned code.

🔗 Related issue

Fixes: N/A

📚 Type of change

• 📝 Examples / docs / tutorials
• 🐛 Bug fix (non-breaking change which fixes an issue)
• 🥂 Improvement (non-breaking change which improves an existing feature)
• ✨ New feature (non-breaking change which adds functionality)
• 💥 Breaking change (fix or feature that would cause existing functionality to change)
• 🚨 Security fix
• ⬆️ Dependencies update

✔️ Checklist

• I've read the Code of Conduct document.
• I've read the Contributing guide.

[DariuszPorowski]

@allejo good catch, thanks!

Going to release this week new version.