ci: add shear and zizmor checks, and move heavy GitHub Actions jobs to WarpBuild

[huitseeker]

1. The dependency check now uses cargo-shear, an upgrade from cargo-machete. cargo shear looks not only for unused dependencies (better than machete, as shown by this PR's removals), but also for those put in the wrong dependency section.
2. zizmor scans GitHub Actions files for risky patterns, like loose action pins or unsafe defaults.
3. The heavier CI jobs now run on beefier WarpBuild runners. CI test 17 -> 7 min.
4. The dependency policy check now also uses cargo-workspace-inheritance-check. It makes sure crates that are shared across the workspace use one workspace-level dependency entry instead of repeating versions in many crate manifests.

The PR also removes the unused dependencies that shear found, pins action versions more tightly, and fixes feature-flag issues.

[PhilippGackstatter]

Looks good to me!

[PhilippGackstatter]

This disables running doctest by default, right? If so, doesn't this increase the risk of not running them when not using a make command? Or what's the benefit of disabling these?

[huitseeker]

The lint is doctest_enabled_without_doctests: this removes a vacuous run, something which can and should be reversed when we add doc tests.

[partylikeits1983]

Looks great! One question though. The new workspace criterion pin is 0.5, but bin/bench-note-checker and bin/bench-transaction were both on 0.6 before this PR. Swapping their dev-dep to workspace = true quietly downgrades them. Could you confirm the downgrade is intentional? If it's not too difficult, would it make sense to bump the workspace pin to 0.6 and update miden-protocol's dev-dep alongside, to keep the bench crates where they were?

[huitseeker]

@partylikeits1983 Yup it's intentional: keeping the workspace at criterion 0.6 would require removing the pproof-rs integration in benchmarks (or allowing two versions of the same crate). Lmk if there is one solution we can get reasonable alignment on.