[SECURITY] Fix zizmor issues + use pedantic persona

[John McCall (lowlydba)]

The pedantic persona is a stricter checker, and its what we want to use across the board for public repos that are held to this workflow's checks.

[Copilot]

Pull request overview

Updates the repository’s GitHub Actions security/PR workflows to tighten zizmor checks and reduce redundant workflow runs, aligning with stricter security scanning expectations for public repos.

Changes:

• Switch zizmor from the auditor persona to the stricter pedantic persona and disable Advanced Security SARIF upload in favor of PR annotations.
• Add workflow-level concurrency to PR checks to cancel superseded runs for the same PR.
• Rename the security checks workflow to reflect the pedantic posture.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
.github/workflows/omf_sec_checks.yml	Moves zizmor to pedantic and changes reporting mode; updates workflow display name.
.github/workflows/omf_pr_checks.yml	Adds concurrency grouping/cancelation for PR-target runs.

Comments suppressed due to low confidence (1)

.github/workflows/omf_sec_checks.yml:14

• The workflow header comments still state that zizmor runs with the 'auditor' persona and uploads SARIF to Advanced Security, but the workflow name now indicates 'pedantic'. Please update the top-of-file documentation to match the new persona/behavior so the security posture is accurately described.

name: OMF Security Checks

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

With advanced-security: false, zizmor will not upload SARIF, but the job still requests security-events: write permissions. For least privilege, either drop security-events: write (and any related SARIF-upload wording) or re-enable Advanced Security upload if that's the intent.