ci: Harden CI + Add zizmor static analysis for GH Actions#99

Merged: philipaconrad merged 1 commit into open-policy-agent:main from philipaconrad:philip/ci-hardening-zizmor on Feb 24, 2026

Conversation

@philipaconrad (Member) commented Feb 24, 2026

What changed, and why?

This commit fixes all findings from the GitHub Actions static analysis tool zizmor, and adds it to our pull request checks.

It also changes the release commit detection workflow to use the reduced-permissions pull_request workflow trigger, and now skips on non-releases. It succeeds/fails only when a release commit is detected.

Unfortunately, due to the pull_request_target already being set up on main, that version of the workflow is what will run on this PR, so we can't test the new reduced-permissions version until it's merged (breaking the "upstream only" behavior). 🙁

Definition of done

  • Do the existing workflows still pass?
  • Do release commits get detected / handled correctly in the detection workflow?
    • Skip: Normal PR, no release commit.
    • Fail: Release commit, version mismatches.
    • Pass: Release commit, versions all match.
  • We'll test the release commit detection in a follow-up PR (with the above strategy)

How to test

  • Allow normal CI to run for this PR.
  • For testing release workflow:
    • Skip: tested by the base state of this PR.
    • Fail: Push release commit to the PR branch with version mismatch.
    • Pass: Push release commit to the PR branch with all versions matched.

Related Resources

This commit fixes all findings from the GitHub Actions
static analysis tool zizmor, and adds it to our pull request
checks.

It also changes the release commit detection workflow to
use the reduced-permissions `pull_request` workflow trigger,
and now skips on non-releases. It succeeds/fails only when
a release commit is detected.

Signed-off-by: Philip Conrad <philip@chariot-chaser.net>
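As an added illustration, not the workflow file from this PR (the page does not show it), here is the shape the description refers to: the release check on the reduced-permissions `pull_request` trigger with an explicit least-privilege `permissions` block, SHA-pinned actions, no persisted credentials, and a gate job that skips the check on non-release commits. The `release: vX.Y.Z` subject convention, the all-zero action SHAs and the `build/check-versions.sh` script are assumptions.

```yaml
name: Release commit check
# `pull_request` runs with a read-only token and no secrets for forks, unlike
# `pull_request_target`, which zizmor flags under its dangerous-triggers audit.
on:
  pull_request:
    branches: [main]
# Grant nothing by default, then the minimum per job (zizmor: excessive-permissions).
permissions: {}
jobs:
  detect:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      is-release: ${{ steps.gate.outputs.is-release }}
    steps:
      # Pin to a full commit SHA rather than a mutable tag (zizmor: unpinned-uses).
      # The all-zero SHA is a placeholder, not a real actions/checkout revision.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
        with:
          # Check out the head SHA: on pull_request the default ref is the merge commit.
          ref: ${{ github.event.pull_request.head.sha }}
          # Don't leave the token in .git/config for later steps (zizmor: artipacked).
          persist-credentials: false
      - id: gate
        # Read the subject with git, not via ${{ }} interpolation (zizmor: template-injection).
        run: |
          subject="$(git log -1 --format=%s)"
          if printf '%s\n' "$subject" | grep -Eq '^release: v[0-9]+\.[0-9]+\.[0-9]+'; then
            echo "is-release=true" >> "$GITHUB_OUTPUT"
          else
            echo "is-release=false" >> "$GITHUB_OUTPUT"
          fi

  verify-versions:
    needs: detect
    # Skip on normal PRs; the job only passes or fails for release commits.
    if: needs.detect.outputs.is-release == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      # Assumed script: exits non-zero when any version file disagrees with the tag.
      - run: ./build/check-versions.sh
```

Run `zizmor` against the workflow directory locally to confirm the hardened file reports no findings before adding the check to CI.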
@philipaconrad philipaconrad self-assigned this Feb 24, 2026
@philipaconrad philipaconrad added the github-actions Involves changes to Github Actions label Feb 24, 2026
@github-advanced-security commented

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@srenatus (Contributor) left a comment

Also updating the actions! Nice, thanks!

@philipaconrad philipaconrad marked this pull request as ready for review February 24, 2026 20:12
@philipaconrad philipaconrad merged commit 31aa313 into open-policy-agent:main Feb 24, 2026
11 of 12 checks passed