Or simply, if it is a form <button> make it look like a button. Otherwise if it is an <a> make it look like a link.
Also related: if it is a GET request, don't mutate state or perform an action on the server (except perhaps logging). But that is basic security too.
There are exceptions, but know why you are doing the exception. For example a landing page will typically have button-like links for call to actions, because people expect that.
If it's an <a> don't just make it look like a link, make it act like a link instead of having the href just be "#" and overriding what it does with an onclick().
Also related: if it is a GET request, don't mutate state or perform an action on the server (except perhaps logging). But that is basic security too.
There are exceptions, but know why you are doing the exception. For example a landing page will typically have button-like links for call to actions, because people expect that.