Add `zizmor` for GitHub Actions workflow security audit

[aallan]

zizmor audits workflow files for injection vulnerabilities, overly permissive permissions, and other security issues specific to GitHub Actions.

pip install zizmor
zizmor .github/workflows/

Especially relevant because the CI handles secrets (CODECOV_TOKEN, GITHUB_TOKEN). Run locally first, fix any findings, then add to the lint CI job.

[aallan]

Partially fixed in PR #415 (branch docs/history-tooling-split). Two of the three zizmor finding categories are resolved:

Fixed — artipacked: Added persist-credentials: false to all six actions/checkout steps across all jobs. This prevents the GITHUB_TOKEN from being baked into .git/config for the lifetime of the runner.

Fixed — excessive-permissions: Replaced the implicit broad permissions with explicit per-job permissions: contents: read blocks on every job. The security job additionally has security-events: write (required by the Gitleaks action to upload SARIF results).

Deferred — unpinned-uses: All action refs are currently pinned to semver tags (e.g. actions/checkout@v6) rather than SHA hashes. Pinning to SHAs requires a Dependabot or Renovate workflow to keep them current — without automation it becomes an unmaintainable manual chore. Tracked separately in #390.

Deferred — secrets-outside-env: CODECOV_TOKEN is used in a with: block rather than env:. Low risk given fail_ci_if_error: false; left as-is.

[aallan]

Reopening so PR #415 closes this automatically on merge to main. The fix is implemented on branch docs/history-tooling-split — see above comments for details.

[aallan]

Implemented in PR #415 (branch docs/history-tooling-split, shipping as v0.0.103).

What was done (zizmor findings addressed):

• artipacked — Added persist-credentials: false to all actions/checkout steps so the GITHUB_TOKEN is not stored in .git/config for the lifetime of the runner
• excessive-permissions — Added per-job permissions: contents: read to all jobs; the security job additionally has security-events: write for GitHub advisory integration

Deferred (acknowledged in SECURITY.md):

• unpinned-uses — SHA pinning of all action refs tracked in Add hash-pinned dependency lockfile (pip-compile or uv lock) #390
• secrets-outside-env — CODECOV_TOKEN is passed as an action input rather than env var; not actionable because codecov/codecov-action requires it as an inputs: parameter. Documented as an acknowledged false positive in SECURITY.md.