Add zizmor for GitHub Actions security scanning #578
indirect merged 2 commits into spinel-coop:main from
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
SHA pinning is the main remaining finding. This is what would've prevented the tj-actions/changed-files supply chain attack (CVE-2025-30066), where an attacker moved version tags to point at a malicious commit, leaking CI secrets from thousands of repos. Repos that had pinned to a commit SHA were unaffected. Dependabot already handles bumping both the SHA and the version comment together, so maintenance shouldn't be a problem. Just wanted to hold off since it'll touch every action reference across all the workflows, so the diff will be big but entirely mechanical. Happy to do it in a follow-up if there's support.
deivid-rodriguez left a comment:
I'm good with pinning actions later, too, but let's see what others think!
Sounds good to me.
Summary
- Changed read-all permissions to contents: read, added persist-credentials: false to all checkouts
- Ignored release.yml findings since it's autogenerated by cargo-dist
- SHA pinning (unpinned-uses) is disabled for now, see comment below
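To make concrete what the unpinned-uses finding and the persist-credentials change above actually check for, here is a small stand-alone checker added as an illustration; it is not zizmor's code and not part of this PR. It runs over a constructed workflow with a placeholder SHA, and the regex-based step parsing is a simplification assumed for the example.

```python
import itertools
import re

# Constructed sample workflow for this example, not a file from the PR.
# Step 1 is tag-pinned, step 2 is SHA-pinned with a version comment and
# persist-credentials: false, step 3 is a local action. The SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
        with:
          persist-credentials: false
      - uses: ./.github/actions/local
"""

USES_RE = re.compile(r"^(\s*)-\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_workflow(text):
    """Return (line_number, message) findings for movable-tag pins, SHA pins
    without a version comment, and checkout steps that keep the token on disk."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        indent, ref, comment = len(m.group(1)), m.group(2), m.group(3)
        if ref.startswith(("./", "docker://")):
            continue  # local path or container image: no git tag that can be moved
        name, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):
            findings.append((i + 1, f"unpinned-uses: {ref} should be pinned to a full commit SHA"))
        elif comment is None:
            findings.append((i + 1, f"{ref} lacks a version comment (# vX.Y.Z) that Dependabot keeps in sync"))
        if name == "actions/checkout":
            # The step body is every following line indented deeper than the '-' (blank lines allowed).
            body = itertools.takewhile(lambda l: not l.strip() or len(l) - len(l.lstrip()) > indent, lines[i + 1:])
            if not any(re.search(r"persist-credentials:\s*false", b) for b in body):
                findings.append((i + 1, f"{ref} keeps GITHUB_TOKEN in .git/config; set persist-credentials: false"))
    return findings
```

Calling check_workflow(SAMPLE_WORKFLOW) flags line 9 twice (tag pin and missing persist-credentials: false) and nothing else.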