Fix security-related issues in github actions flagged by zizmor

[peytondmurray]

Issue number of the reported bug or feature request: Closes #287.

Describe your changes
This PR addresses a number of security-related issues in the github actions (and dependabot config) that were flagged by zizmor. Most of the changes are:

• Pinning action versions to commit hashes
• Disable persisting credentials in workflows after checkout
• The default permissions are now set as conservatively as possible

This PR also adds a zizmor action to ensure these issues don't arise in the future.

Testing performed
This will be tested by running the CI in this PR.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.19%. Comparing base (debc9e8) to head (2faa7b4).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #292   +/-   ##
=======================================
  Coverage   79.19%   79.19%           
=======================================
  Files          51       51           
  Lines        5542     5542           
  Branches      577      577           
=======================================
  Hits         4389     4389           
  Misses       1153     1153           

Flag	Coverage Δ
cpp	79.19% <ø> (ø)
python	79.19% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[lkollar]

Looks like this format isn't valid and the build fails.

We chatted about this with @godlygeek and it would be good to leverage Dependabot for keeping the Docker images up to date as well. It seems it's supported.