ci: harden GitHub Actions workflows

[wochinge]

Summary

• Harden GitHub Actions workflows by pinning actions to commit SHAs with precise tag comments, adding explicit permissions, and disabling checkout credential persistence.
• Add a zizmor workflow to continuously scan workflow security findings.
• Add Dependabot configuration for weekly grouped GitHub Actions updates with the ci commit prefix and a 7-day cooldown.
• Remove Maven dependency caching from the publish workflow to avoid cache-poisoning risk during release artifact publishing.

Linear

• LFE-9755

Major Decisions

• Removed the publish workflow Maven cache instead of suppressing the finding because the workflow publishes release artifacts and the cache was non-essential for correctness.

Review Focus

• Confirm the reduced publish workflow still has all credentials and permissions needed for Maven Central publishing.
• Confirm the pinned action versions are the desired current versions.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 850b0bfdab

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Grant Actions scope to keep CI cache functional

This job still calls actions/cache, but after setting permissions: {} at workflow level and only contents: read at job level, the actions scope is implicitly none (GitHub workflow syntax: unspecified permissions become none). The cache API is under the Actions permission set, so cache restore/save calls will be unauthorized and the Maven cache will effectively stop working, increasing build times on every run.

Useful? React with 👍 / 👎.