ci: harden GitHub Actions workflows #396

Merged
flavorjones merged 7 commits into main from flavorjones/harden-github-actions
Mar 20, 2026

flavorjones (Member) commented Mar 19, 2026

Summary

  • Pin all actions to SHA hashes with version comments via pinact
  • Fix zizmor findings: excessive-permissions, artipacked, template-injection, dependabot-cooldown
  • Move workflow-level permissions to per-job least-privilege grants with permissions: {} at workflow level
  • Add zizmor + actionlint CI job
  • Configure dependabot with weekly batching and cooldown on all ecosystems

Test plan

  • CI passes on this branch
  • Verify zizmor reports clean: zizmor .

Set permissions: {} at workflow level in publish-image.yml and move
permissions down to each individual job: build gets contents/packages,
manifest gets contents/packages/id-token for cosign keyless signing.
- Add persist-credentials: false to all checkout steps (artipacked)
- Add permissions: {} workflow-level and contents: read per-job in ci.yml (excessive-permissions)
- Add cooldown: default-days: 10 to both dependabot ecosystems (dependabot-cooldown)
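
An added example, not part of this PR or the repository's code: regex checks for the patterns behind the findings listed above (excessive-permissions, artipacked, template-injection) plus SHA pinning, run over a constructed weak workflow and its hardened counterpart. The two workflows, the `audit` function, the `unpinned-action` label and the all-zero checkout SHA are assumptions made for illustration; the checks are not zizmor's implementation.

```python
import re

# Constructed workflows (not from this PR's repository); the all-zero ref is a placeholder SHA.
WEAK = """\
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          echo "Building ${{ github.head_ref }}"
"""
HARDENED = """\
on: [push, pull_request]
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder
        with:
          persist-credentials: false
      - env:
          BRANCH: ${{ github.head_ref }}
        run: echo "Building $BRANCH"
"""

def audit(text):
    found = set()  # regex checks written for this example, not zizmor's implementation
    if not re.search(r"^permissions:", text, re.M):  # no workflow-level block
        found.add("excessive-permissions")
    run_col = -1  # column of the enclosing `run:` key, -1 when outside a run block
    for line in text.splitlines():
        if re.match(r"\s*(?:- )?run:", line):
            run_col = line.index("run:")
        elif line.strip() and len(line) - len(line.lstrip()) <= run_col:
            run_col = -1
        if run_col >= 0 and "${{" in line:  # expression expanded into shell text
            found.add("template-injection")
        ref = re.search(r"uses:\s*([^\s#]+)", line)
        if ref and not re.search(r"@[0-9a-f]{40}$", ref.group(1)):
            found.add("unpinned-action")  # this example's own label
    for step in re.split(r"\n\s*- ", text):  # one chunk per list item (step)
        if "actions/checkout@" in step and "persist-credentials: false" not in step:
            found.add("artipacked")
    return sorted(found)
```

In the hardened form the expression is still evaluated, but its value reaches the shell as the environment variable `BRANCH` instead of being pasted into the script text.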
Copilot AI review requested due to automatic review settings March 19, 2026 20:22
Copilot AI left a comment

Pull request overview

This PR hardens the repository’s GitHub automation by tightening GitHub Actions security (pinning action refs, reducing default permissions, and adding workflow lint/audit jobs) and by adjusting Dependabot update behavior.

Changes:

  • Pin GitHub Actions to commit SHAs and reduce default workflow permissions to permissions: {} with per-job grants.
  • Update the image publish workflow to reduce injection risk by avoiding direct ${{ ... }} interpolation inside shell scripts.
  • Add a CI job to run actionlint and zizmor, and expand Dependabot config (grouping + cooldown).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/publish-image.yml | Pins actions, reduces default permissions, and hardens shell steps used in image publishing/signing. |
| .github/workflows/ci.yml | Pins actions, reduces default permissions, and adds an actions audit job (actionlint + zizmor). |
| .github/dependabot.yml | Adds grouping for GitHub Actions updates and introduces cooldown configuration. |

Comments suppressed due to low confidence (1)

.github/workflows/publish-image.yml:57

  • build runs on pull_request, but the GHCR login step runs unconditionally. Since the image isn’t pushed on PRs (push: false), this login is unnecessary and can fail on fork PRs due to restricted token permissions. Consider gating the login step (and any other registry-auth-dependent steps) with if: github.event_name != 'pull_request' so PR builds don’t attempt to authenticate to GHCR.
      - name: Log in to GHCR
        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

@@ -28,6 +24,9 @@ jobs:
name: Build and push image (${{ matrix.arch }})
runs-on: ${{ matrix.runner }}
timeout-minutes: 45
Copilot AI Mar 19, 2026

The build job requests packages: write, but on pull_request runs it never pushes images (and can be configured to skip registry login). This is broader than necessary for PR builds, and undermines the least-privilege goal of the PR. To fully minimize privileges, consider splitting PR builds vs. publish builds into separate jobs/workflows so only the publish path gets packages: write.

Suggested change
timeout-minutes: 45
timeout-minutes: 45
if: github.event_name != 'pull_request'
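
Review bot: the suggested if: github.event_name != 'pull_request' sits at job level, next to timeout-minutes, so it would skip the whole build job on pull requests rather than only dropping packages: write for them. If PR builds should keep running, the condition belongs on the registry login step or on a separate publish job.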

flavorjones (Member, Author)

The build job needs packages: write because it pushes images on non-PR events (tag pushes). The workflow uses a single job definition for both paths. Splitting by event trigger would add complexity without meaningful security benefit since the token is scoped to this repo's packages.

Replaces the generic default-days cooldown with semver-granular values so
low-risk patches flow faster while major bumps get more soak time. Also
corrects github-actions cooldown from 10 days to 7 days.
Copilot AI review requested due to automatic review settings March 20, 2026 15:20
@flavorjones flavorjones force-pushed the flavorjones/harden-github-actions branch from 8bd56eb to 7a56e02 Compare March 20, 2026 15:20
Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.


Comment on lines +11 to +15
cooldown:
semver-major-days: 7
semver-minor-days: 3
semver-patch-days: 2
default-days: 7
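
Review bot: default-days: 7 carries the same value as semver-major-days: 7 in this cooldown block, and nothing in the file says why minor and patch get 3 and 2 days. A short YAML comment above cooldown: giving the rationale (patches flow faster, major bumps soak longer) would show the shorter windows are deliberate and tell a later editor which value to change.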
Copilot AI Mar 20, 2026

PR description says a 10-day Dependabot cooldown, but this bundler entry sets shorter values (e.g., default/major 7 days, minor 3, patch 2). Please align the configuration with the stated 10-day cooldown (or update the PR description if 7/3/2 is intended).

@flavorjones flavorjones merged commit 5aa5e68 into main Mar 20, 2026
11 checks passed
@flavorjones flavorjones deleted the flavorjones/harden-github-actions branch March 20, 2026 15:32