As the surge npm package has outdated dependencies, projects that depend on it, even as a devDependency, are marked falsely as insecure. This change allows surge to be installed in and only in the GitHub Action, such that surge is not a direct dependency anymore, and thus dependers are not marked as insecure.