Adopt zizmor for secure GHAs

[bjlittle]

🚀 Pull Request

Description

Also see follow-up issue #7135

Closes #6809

---

Consult Iris pull request check list

---

Add any of the below labels to trigger actions on this PR:

• benchmark_this Request that this pull request be benchmarked to check if it introduces performance shifts

[scitools-ci]

Templating

This PR includes changes that may be worth sharing via templating. For each file listed below, please either:

• Action the suggestion via a pull request editing/adding the relevant file in the SciTools/.github templates/ directory. ¹
• Raise an issue against the SciTools/.github repo for the above action if you really don't have 10mins spare right now. Include an assignee, to avoid it being forgotten.
• Dismiss the suggestion if the changes are not suitable for templating.

You will need to dismiss this review before this PR can be merged. Recommend the reviewer does this as their final action before merging, as this text will continually update as commits come in.

Templated files

The following changed files are templated:

• .github/workflows/benchmarks_report.yml, templated by SciTools/.github/templates/github/workflows/ci-benchmarks-report.yml
• .github/workflows/benchmarks_run.yml, templated by SciTools/.github/templates/github/workflows/ci-benchmarks-run.yml
• .github/workflows/benchmarks_validate.yml, templated by SciTools/.github/templates/github/workflows/ci-benchmarks-validate.yml
• .github/workflows/ci-linkchecks.yml, templated by SciTools/.github/templates/github/workflows/ci-linkchecks.yml
• .pre-commit-config.yaml, templated by SciTools/.github/templates/.pre-commit-config.yaml
• benchmarks/bm_runner.py, templated by SciTools/.github/templates/benchmarks/bm_runner.py

Footnotes

1. Include this text in the PR body to avoid any notifications about applying the template changes back to the source repo!
   @scitools-templating: please no update notification on: iris ↩

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.14%. Comparing base (6d9ef5e) to head (6bc4c75).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7138   +/-   ##
=======================================
  Coverage   90.14%   90.14%           
=======================================
  Files          91       91           
  Lines       24967    24967           
  Branches     4684     4684           
=======================================
  Hits        22506    22506           
  Misses       1683     1683           
  Partials      778      778           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[trexfeathers]

#7138 (review)

SciTools/.github#266

[trexfeathers]

Confirmed that pre-commit.ci ran Zizmor

Being actioned in SciTools/.github#266