CI: add a zizmor workflow

[woodruffw]

Description

This adds a new workflow, zizmor.yml, which will run zizmor via zizmor-action on each push and pull request.

See #4901, #4905, #4906 for motivating context.

Note: this adds a new workflow for zizmor, but another option here would be to integrate zizmor via pre-commit. The upside to that is that running it locally would be constant with CI; the downside is that it's not easy (possible?) to directly integrate with GitHub's SARIF consumption support for stateful finding tracking. But if that's better for you all, I'm happy to retool this PR in that direction 🙂

Checklist - did you ...

• Implement any code style changes under the --preview style, following the
  stability policy?
• Add an entry in CHANGES.md if necessary?
• Add / update tests if necessary?
• Add new / update outdated documentation?

None of the above are applicable, I believe 🙂

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[JelleZijlstra]

Thank you!

[github-actions]

diff-shades reports zero changes comparing this PR (3821c8a) to main (bfdecb1).

---

What is this? | Workflow run | diff-shades documentation